Google has awarded a record-breaking $250,000 bounty to security researcher “Micky” for discovering a critical remote code execution vulnerability in Chrome’s browser architecture.
The vulnerability allowed malicious websites to escape Chrome’s sandbox protection and execute arbitrary code on victim systems.
Key Takeaways
1. Google paid researcher "Micky" a record amount for finding a critical Chrome vulnerability.
2. The bug allowed malicious websites to break out of Chrome's security protection.
3. Google patched the vulnerability.
The discovery represents one of the highest individual payouts in Google’s Vulnerability Rewards Program history, reflecting the sophisticated nature of the exploit and its potential for widespread impact.
IPCZ Transport Vulnerability
The vulnerability exploited a fundamental flaw in Chrome’s Inter-Process Communication (IPC) system, specifically within the IPCZ driver transport mechanism.
The bug was located in the Transport::Deserialize function, where the system failed to validate the header.destination_type parameter before creating transport objects.
A malicious renderer process could manipulate this parameter by passing kBroker as the destination type, effectively impersonating a privileged broker process.
The attack vector involved a complex multi-step process where the compromised renderer would send a RequestIntroduction message to the broker, followed by a ReferNonBroker request with the malicious transport containing the spoofed kBroker header.
The renderer could then send RelayMessage requests with handle values ranging from 4 to 1000, exploiting Windows’ predictable handle allocation system.
Since Windows handle values increment from 4, attackers could systematically iterate through potential thread handles to gain control over browser process resources.
The exploit’s proof-of-concept demonstrated successful sandbox escape by duplicating privileged browser process handles, including thread handles with full control permissions (DUPLICATE_SAME_ACCESS | DUPLICATE_CLOSE_SOURCE).
The researcher’s functional exploit code showed the ability to execute system commands like start calc within the browser process context, effectively bypassing Chrome’s multi-process security architecture.
$250,000 Record Bounty
Google’s Chrome VRP panel justified the unprecedented $250,000 reward by emphasizing the vulnerability’s complexity and the quality of the researcher’s submission.
The panel noted this represented “a very complex logic bug and high quality report with a functional exploit” that demonstrated complete sandbox escape capabilities.
The award reflects Google’s commitment to incentivizing high-caliber security research targeting Chrome’s most critical security mechanisms.
The vulnerability was responsibly disclosed on April 22, 2025, with Google’s security team, led by Alex Gough, developing and deploying fixes across Chrome’s release channels by May 2025.
The fix involved dropping transitive trust from transports and implementing stricter validation of endpoint trustworthiness within the IPCZ driver system.
The patch was merged into Chrome versions M136 and M137, with careful consideration given to stability implications across the browser’s complex multi-process architecture.
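To make the missing check and the shape of the fix concrete, here is an added illustration that is not Chromium's code: a constructed model of the deserialization step in which a sender's header claims a destination type. Only the names Transport::Deserialize, header.destination_type and kBroker come from the article; ProcessType, TransportHeader, DeserializeUnchecked, DeserializeChecked and the link-trust field are assumptions of this model.

```cpp
#include <cstdint>

// Constructed model (not Chromium's): the kind of process a transport
// endpoint is believed to be. kBroker is the privileged browser-side role.
enum class ProcessType : uint8_t { kNonBroker = 0, kBroker = 1 };

// Header carried with a serialized transport; destination_type is asserted
// by whoever serialized it, so it is attacker-controlled when the sender is
// a renderer.
struct TransportHeader {
  ProcessType destination_type;
};

// Result of deserializing: whether the transport was accepted and, if so,
// what role its remote end is granted.
struct DeserializeResult {
  bool accepted;
  ProcessType remote_type;
};

// Vulnerable shape described in the article: the role is copied straight
// from the header, so a non-broker link can hand the receiver a transport
// that claims kBroker and will be treated as a privileged peer.
DeserializeResult DeserializeUnchecked(const TransportHeader& header,
                                       ProcessType /*link_peer_type*/) {
  return {true, header.destination_type};
}

// Hardened shape modelled on the fix the article describes: trust is not
// transitive. link_peer_type is what THIS process already knows about the
// peer the bytes arrived from; a header may never assert more privilege
// than that link carries, so a kBroker claim over a non-broker link is
// rejected instead of silently honoured.
DeserializeResult DeserializeChecked(const TransportHeader& header,
                                     ProcessType link_peer_type) {
  if (header.destination_type == ProcessType::kBroker &&
      link_peer_type != ProcessType::kBroker) {
    return {false, ProcessType::kNonBroker};  // spoofed broker role
  }
  return {true, header.destination_type};
}

// Helper for checks: did deserialization yield a broker-privileged peer?
bool GrantsBrokerPrivilege(const DeserializeResult& r) {
  return r.accepted && r.remote_type == ProcessType::kBroker;
}
```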