The Windows 10 1903 update succeeded in breaking an important security feature in Google Chrome and all competing Chromium-based browsers. Including the new Microsoft Edge.
Google Project Zero teams explain how the Windows 10 1903 (May 2019) update broke an important security feature in Google Chrome and all Chromium-based browsers. This also involves the new Microsoft Edge rewritten to run with the Chromium rendering engine.
In a highly technical post, the researchers shed light on this umpteenth mess - while the delivery of updates on Windows 10 PCs is a regular opportunity to discover problems. This is all the more annoying when the bug affects a system component like Microsoft Edge - which the editor was supposed to test in depth.
At the heart of the problem is a sandboxing feature used in particular by Chromium browsers. This feature protects the security of the browser by creating a limited execution environment. So that if malicious code is launched by a page, it cannot access the rest of the operating system where it could cause damage.
But what the researchers say is that Microsoft has made fundamental mistakes in the way it manages these sandboxes, allowing malicious actors to easily circumvent them. This Build 1903 of the Windows 10 operating system does indeed mismanage the token system needed to securely establish these limited runtime environments.
Microsoft has since released patch KB4549951 in the April 2020 cumulative update. But it's almost a gag: the update causes more problems than it solves for some users. The next major update for Windows 10 will be available in May. Hopefully, Microsoft will have learned from these recurring bugs ...