Chromium Leak: Unfixed Background JS Flaw Exposed by Google

K8s_SecOps_Mei 5/21/2026 USER

Just spotted a concerning report regarding Google accidentally leaking details on an unpatched Chromium vulnerability. The flaw allows JavaScript to continue executing in the background even after the user closes the browser, leading to potential Remote Code Execution (RCE).

This is a significant risk because the disclosure precedes the patch. The core issue revolves around how Chromium handles background processes or Service Workers, preventing the browser process tree from terminating cleanly. If an attacker leverages this, they can maintain persistence on a workstation without the user's knowledge.

For those hunting in your environments, I'd suggest looking for persistent Chrome/Edge child processes that outlive the parent shell session or user logoff events. You might use a KQL query like this to find anomalies in process duration vs. user activity:

// Chrome/Edge processes that were not launched directly from the user's shell
DeviceProcessEvents
| where FileName in ("chrome.exe", "msedge.exe")
| where InitiatingProcessFileName != "explorer.exe"
// Age of the process at query time
| extend ProcessDuration = now() - ProcessCreationTime
| where ProcessDuration > 1h
| project DeviceName, FileName, ProcessDuration, AccountName

Since this is unfixed and details are public, what are your contingency plans? Are you switching browsers for high-risk users or relying on EDR heuristics to catch the persistence?
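The correlation described in the post above (browser processes that outlive a user logoff), as an added example that is not part of the original thread and not vendor code. It runs over constructed events; the event tuple layout, the 5-minute grace window and the name `find_survivors` are assumptions.

```python
from datetime import datetime, timedelta

BROWSERS = {"chrome.exe", "msedge.exe"}
GRACE = timedelta(minutes=5)  # assumed allowance for a normal shutdown at logoff

# Constructed sample events, not real telemetry:
# (time, device, account, kind, image, pid)
EVENTS = [
    ("2026-05-21T09:00:00", "WS-01", "alice", "start", "chrome.exe", 4100),
    ("2026-05-21T09:00:02", "WS-01", "alice", "start", "chrome.exe", 4188),
    ("2026-05-21T17:30:00", "WS-01", "alice", "logoff", None, None),
    ("2026-05-21T17:30:03", "WS-01", "alice", "exit", "chrome.exe", 4100),
    ("2026-05-21T19:45:00", "WS-01", "alice", "exit", "chrome.exe", 4188),
    ("2026-05-21T08:15:00", "WS-02", "bob", "start", "msedge.exe", 900),
    ("2026-05-21T16:00:00", "WS-02", "bob", "logoff", None, None),
    ("2026-05-21T10:00:00", "WS-03", "carol", "start", "notepad.exe", 77),
    ("2026-05-21T12:00:00", "WS-03", "carol", "logoff", None, None),
]


def find_survivors(events, as_of, grace=GRACE):
    """Browser processes still alive more than `grace` after their owner's logoff."""
    live, hits = {}, []

    def check(key, proc, seen_until, exited):
        gap = seen_until - proc["logoff"] if proc["logoff"] else None
        if gap is not None and gap > grace:
            hits.append({"device": key[0], "pid": key[1], "image": proc["image"],
                         "account": proc["account"], "exited": exited,
                         "after_logoff": gap})

    for ts, dev, acct, kind, image, pid in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if kind == "start" and image in BROWSERS:
            live[(dev, pid)] = {"account": acct, "image": image, "logoff": None}
        elif kind == "logoff":
            # Stamp every browser process this account still has on the device.
            for (d, _), proc in live.items():
                if d == dev and proc["account"] == acct and proc["logoff"] is None:
                    proc["logoff"] = t
        elif kind == "exit" and (dev, pid) in live:
            check((dev, pid), live.pop((dev, pid)), t, exited=True)
    for key, proc in live.items():  # never seen exiting: measure up to as_of
        check(key, proc, as_of, exited=False)
    return hits


if __name__ == "__main__":
    for hit in find_survivors(EVENTS, as_of=datetime(2026, 5, 21, 20, 0)):
        print(hit)
```

Processes that exit within the grace window after logoff are ignored, so only the late exit on WS-01 and the never-exited process on WS-02 are reported.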

TabletopEx_Quinn 5/21/2026

Good catch on the duration query. We're also looking at network connections established by the browser that persist post-close. This behavior is similar to how some malware maintains C2 comms. We've added a specific rule for long-lived socket connections originating from user-land browsers that don't correlate with active window focus events. It's noisy, but better than missing an RCE attempt.

RansomWatch_Steve 5/21/2026

The Service Worker abuse vector is tricky. Developers often use them for legitimate offline caching, but they provide a perfect persistence mechanism. In red team engagements, we've used similar logic to keep payloads running. If this flaw allows breaking out of the sandbox, that's game over for most endpoint defenses. I'd recommend aggressively restricting site permissions until the patch drops.

MDR_Analyst_Chris 5/21/2026

We're pushing a Group Policy Object (GPO) update to force-terminate background processes on browser exit for our non-dev fleet. It's a blunt instrument, but it mitigates the "running in background" aspect of the flaw. We'll deal with the inconvenience of broken background tabs until Google releases the fix.

Thread Stats

Created: 5/21/2026
Last Active: 5/21/2026
Replies: 3
Views: 60