Google's Project Zero tweaking Microsoft, because it did fix a bug

Redmond said it wouldn't fix a flaw, then did it on the sly

For once, a Google Project Zero bug report to Microsoft has resulted in a fix without a public spat. Indeed, this fix happened without any public announcement at all.

Back in 2014, Project Zero's James Forshaw told Redmond he'd found a Windows Kernel Object Manager bug that permitted a “limited bypass of traverse permissions” – because it enabled a Chrome sandbox escape.

The problem lay in the behaviour of the SeFastTraverseCheck method, and Forshaw originally said he didn't “really expect this will be considered a bulletin class issue, if it's considered an issue at all”.

He was right: a year later, he made the report public because Redmond had put it in the “won't fix” basket – but sometime since 2015 a fix happened, which Forshaw notes also explains what he first saw.

It turns out the bug was in another component, SeCreateAccessState:

“SeFastTraverseCheck is doing a check for the TOKEN_IS_RESTRICTED flag and failing early (which would lead to a bypass of traversal privileges for Chrome etc.) however SeCreateAccessState was never setting that flag in the ACCESS_STATE Flags member which means that the check was bypassed.”
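To make the producer/consumer mismatch Forshaw describes concrete, here is an added, simplified model of the two halves of that logic. It is not Windows source and not Forshaw's code: the struct layouts, function names (create_access_state_buggy, create_access_state_fixed, fast_traverse_check, fast_path_granted) and the MODEL_TOKEN_IS_RESTRICTED bit value are all constructed for illustration. The point it shows is that a consumer-side check on a flag is only as good as the code that is supposed to set the flag: the buggy builder never populates it, so the restricted token sails through the fast path that was meant to exclude it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed placeholder bit; stands in for the real TOKEN_IS_RESTRICTED flag. */
#define MODEL_TOKEN_IS_RESTRICTED 0x1u

/* Minimal stand-in for a token: whether it carries restricting SIDs (as a
 * sandboxed renderer's token does) and whether it holds traverse rights. */
typedef struct {
    bool is_restricted;
    bool has_traverse;
} model_token;

/* Stand-in for the ACCESS_STATE handed to the fast check. */
typedef struct {
    uint32_t flags;      /* models the ACCESS_STATE Flags member */
    bool has_traverse;
} model_access_state;

/* Pre-fix behaviour as described in the report: the builder copies the
 * traverse right but never sets the restricted flag, so the consumer
 * cannot tell a restricted token from an ordinary one. */
static void create_access_state_buggy(const model_token *tok, model_access_state *as)
{
    as->flags = 0;
    as->has_traverse = tok->has_traverse;
}

/* Fixed behaviour: the restricted property is propagated into Flags. */
static void create_access_state_fixed(const model_token *tok, model_access_state *as)
{
    as->flags = tok->is_restricted ? MODEL_TOKEN_IS_RESTRICTED : 0;
    as->has_traverse = tok->has_traverse;
}

/* Consumer side. Returns true when the cheap fast path may grant traversal;
 * false means the caller must fall back to the full access check. A restricted
 * token must always be sent to the full check, which is the early failure the
 * report mentions. */
static bool fast_traverse_check(const model_access_state *as)
{
    if (as->flags & MODEL_TOKEN_IS_RESTRICTED)
        return false;
    return as->has_traverse;
}

/* End-to-end probe: build the access state for a token that holds traverse
 * rights, with either builder, and report whether the fast path granted it. */
bool fast_path_granted(bool restricted, bool use_buggy_builder)
{
    model_token tok = { .is_restricted = restricted, .has_traverse = true };
    model_access_state as;
    if (use_buggy_builder)
        create_access_state_buggy(&tok, &as);
    else
        create_access_state_fixed(&tok, &as);
    return fast_traverse_check(&as);
}

int main(void)
{
    printf("restricted token, buggy builder : fast path granted = %d (should be 0)\n",
           fast_path_granted(true, true));
    printf("restricted token, fixed builder : fast path granted = %d\n",
           fast_path_granted(true, false));
    printf("normal token,     fixed builder : fast path granted = %d\n",
           fast_path_granted(false, false));
    return 0;
}
```

The useful habit this illustrates for anyone reviewing their own access-check code is to test the flag producer and the flag consumer together: a unit test on fast_traverse_check alone would have passed, because the check itself was correct; only an end-to-end case with a restricted token exposes that nothing ever set the bit.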

The fix would have passed entirely without notice, had Forshaw been able to resist taking a dig at Microsoft:

His post on the Chrome blog dates the fix to as far back as November 2015, Windows 10 build 10586. ®

