Google has granted a record $250,000 bounty to security researcher “Micky” for identifying a significant remote code execution flaw in Chrome’s browser framework.
This flaw permitted malicious sites to bypass Chrome’s sandbox defenses and run arbitrary code on the target systems.
Essential Points
1. Google compensated researcher "Micky" a historic sum for uncovering a critical Chrome flaw.
2. The defect enabled malicious sites to escape Chrome's security measures.
3. Google addressed the vulnerability with a fix.
This revelation marks one of the most substantial individual compensations in Google’s Vulnerability Rewards Program history, showcasing the advanced nature of the exploit and its potential for extensive ramifications.
IPCZ Transport Vulnerability
The flaw took advantage of a fundamental defect in Chrome’s Inter-Process Communication (IPC) system, specifically within the IPCZ driver transport layer.
The issue was found in the Transport::Deserialize function, where the system did not correctly validate header.destination_type parameters prior to generating transport objects.
A harmful renderer process could exploit this parameter by designating kBroker as the destination type, essentially masquerading as a privileged broker process.
The attack vector consisted of a complicated multi-step maneuver where the compromised renderer sent a RequestIntroduction message to the broker, followed by a ReferNonBroker request with the malicious transport that included the falsified kBroker header.
The renderer was then able to issue RelayMessage requests with handle values between 4 and 1000, taking advantage of Windows’ systematic handle allocation methodology.
Given that Windows handle values increase from 4, attackers could methodically cycle through likely thread handles to seize control over browser process resources.
The proof-of-concept for the exploit illustrated successful sandbox evasion by duplicating privileged browser process handles, including thread handles with comprehensive control rights (DUPLICATE_SAME_ACCESS | DUPLICATE_CLOSE_SOURCE).
The functional exploit code from the researcher demonstrated the capability to run system commands like start calc within the browser process context, efficiently circumventing Chrome’s multi-process security framework.
$250,000 Record Bounty
Google’s Chrome VRP panel justified the extraordinary $250,000 reward by underscoring the complexity of the vulnerability and the caliber of the researcher’s submission.
The panel acknowledged this as “a highly intricate logic bug and a quality report with a functional exploit” that illustrated complete sandbox evasion capabilities.
This award reflects Google’s dedication to promoting superior security research focused on Chrome’s most fundamental security mechanisms.
The flaw was responsibly disclosed on April 22, 2025, with Google’s security team, led by Alex Gough, formulating and deploying remedies across Chrome’s release channels by May 2025.
The remedy included withdrawing transitive trust from transports and enforcing stricter validation of endpoint trustworthiness within the IPCZ driver system.
The patch was effectively integrated into Chrome versions M136 and M137, with meticulous attention paid to stability concerns across the browser’s intricate multi-process architecture.
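The following is an added, simplified model (not Chromium's ipcz code) of the trust decision described above: the weak deserializer accepts the privilege level a header claims in destination_type, while the hardened one only honours a kBroker claim when the endpoint that delivered the message is itself a verified broker, which is the "no transitive trust" rule the fix enforces. All type and function names here are constructed for illustration.

```cpp
#include <cstdint>
#include <optional>

// Constructed model of an IPCZ-style transport deserializer; not Chromium code.
enum class NodeType : uint8_t { kNormal = 0, kBroker = 1 };

// What a transport header carries on the wire. When the message comes from a
// renderer, every field here is attacker-controlled.
struct TransportHeader {
  NodeType destination_type;
};

// What the receiver already knows about the endpoint that delivered the
// message, established at connection setup rather than read from the wire.
struct DeliveringEndpoint {
  bool peer_is_verified_broker;
};

struct Transport {
  NodeType remote_type;
};

// Weak pattern: the transport's privilege level is copied straight from the
// header, so a renderer that writes kBroker is treated as a broker.
std::optional<Transport> DeserializeWeak(const TransportHeader& header) {
  return Transport{header.destination_type};
}

// Hardened pattern: a header may only claim kBroker when the endpoint that
// delivered it is a verified broker. Trust does not pass transitively through
// a transport handed over by an unprivileged peer; the claim is rejected.
std::optional<Transport> DeserializeHardened(const TransportHeader& header,
                                             const DeliveringEndpoint& via) {
  if (header.destination_type == NodeType::kBroker &&
      !via.peer_is_verified_broker) {
    return std::nullopt;  // reject outright rather than silently downgrade
  }
  return Transport{header.destination_type};
}

// Privileged operations such as relaying handles are only honoured for
// transports whose remote side is a broker.
bool MayRelayHandles(const Transport& t) {
  return t.remote_type == NodeType::kBroker;
}
```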