Google Awards $250,000 Bounty for Chrome RCE Vulnerability Discovery
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
Google has awarded a record-breaking $250,000 bounty to security researcher \u201cMicky\u201d for discovering a critical remote code execution vulnerability in Chrome\u2019s browser architecture.\u00a0<\/p>\n
The vulnerability allowed malicious websites to escape Chrome\u2019s sandbox protection<\/a> and execute arbitrary code on victim systems.\u00a0<\/p>\n The discovery represents one of the highest individual payouts in Google\u2019s Vulnerability Rewards Program history, reflecting the sophisticated nature of the exploit and its potential for widespread impact.<\/p>\n The vulnerability exploited a fundamental flaw in Chrome\u2019s Inter-Process Communication (IPC) system, specifically within the IPCZ driver transport mechanism.\u00a0<\/p>\n The bug was located in the Transport::Deserialize function, where the system failed to properly validate header.destination_type parameters before creating transport objects.\u00a0<\/p>\n A malicious renderer process could manipulate this parameter by passing kBroker as the destination type, effectively impersonating a privileged broker process.<\/p>\n The attack vector involved a complex multi-step process where the compromised renderer would send a RequestIntroduction message to the broker, followed by a ReferNonBroker request with the malicious transport containing the spoofed kBroker header.\u00a0<\/p>\n The renderer could then send RelayMessage requests with handle values ranging from 4 to 1000, exploiting Windows\u2019 predictable handle allocation system.\u00a0<\/p>\n Since Windows handle values increment from 4, attackers could systematically iterate through potential thread handles to gain control over browser process resources.<\/p>\n The exploit\u2019s proof-of-concept demonstrated successful<\/a> sandbox escape by duplicating privileged browser process handles, including thread handles with full control permissions (DUPLICATE_SAME_ACCESS | DUPLICATE_CLOSE_SOURCE).\u00a0<\/p>\n The researcher\u2019s functional exploit code showed the ability to execute system commands like start calc within the browser process context, effectively bypassing Chrome\u2019s multi-process security architecture.<\/p>\n Google\u2019s Chrome VRP panel justified the unprecedented $250,000 reward by emphasizing the vulnerability\u2019s complexity and the quality of the researcher\u2019s submission.\u00a0<\/p>\n The panel noted this represented \u201ca very complex logic bug and high quality report with a functional exploit\u201d that demonstrated complete sandbox escape capabilities.\u00a0<\/p>\n The award reflects Google\u2019s commitment to incentivizing high-caliber security research targeting Chrome\u2019s most critical security mechanisms.<\/p>\n The vulnerability<\/a> was responsibly disclosed on April 22, 2025, with Google\u2019s security team, led by Alex Gough, developing and deploying fixes across Chrome\u2019s release channels by May 2025.\u00a0<\/p>\n The fix involved dropping transitive trust from transports and implementing stricter validation of endpoint trustworthiness within the IPCZ driver system.\u00a0<\/p>\n The patch was successfully merged to Chrome versions M136 and M137, with careful consideration given to stability implications across the browser\u2019s complex multi-process architecture.<\/p>\n The post Google Awards $250,000 Bounty for Chrome RCE Vulnerability Discovery<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nKey Takeaways<\/mark><\/strong>
1.Google paid researcher \"Micky\" a record amount for finding a critical Chrome vulnerability.
2.The bug allowed malicious websites to break out of Chrome's security protection.
3.Google patched the vulnerability.<\/pre>\nIPCZ Transport Vulnerability<\/strong><\/h2>\n
$250,000 Record Bounty<\/strong><\/h2>\n
Boost\u00a0your\u00a0SOC and help your team protect your business with free top-notch threat intelligence:\u00a0Request TI Lookup Premium Trial<\/a>.<\/code><\/strong><\/p>\n