Google will strengthen the security of the Chrome Web browser for Windows

    The developers of the Google Chrome web browser promise to stop using the infamous win32k.sys driver on modern versions of Windows (8 and later). The change concerns the so-called sandboxed processes, in whose context the code of web pages is executed and rendered. Chrome uses a special security scheme (the sandbox) that runs each tab in a separate process. Such a process is prohibited from performing critical OS functions by the so-called Deny SIDs in its access token, as well as by the restrictions imposed by a special job object.



    The win32k.sys driver itself is used by the web browser, like any other GUI application on Windows, to draw windows and GUI elements. Chrome draws the GUI of its web pages from a single process, called the broker. The other, sandboxed processes do not need the driver's services, yet they are forced to use it anyway.

    Last summer Chrome gained a special parameter, --enable_win32k_renderer_lockdown, which made it possible to perform the same operation that will appear in upcoming releases of Chrome. The ban on using win32k.sys is motivated by purely practical security considerations: the vast majority of Windows exploits that allow an attacker to bypass the sandbox mechanism and raise their privileges in the system to the maximum possible level are based on vulnerabilities in the win32k.sys driver. The recent Pwn2Own 2015 confirmed this.
