VYPR
High severity · 8.8 · NVD Advisory · Published Mar 6, 2016 · Updated May 6, 2026

CVE-2016-1632

Description

An incorrect cast in Chrome's Extensions subsystem before 49.0.2623.75 allows remote attackers to bypass access restrictions via crafted JavaScript.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Extensions subsystem in Google Chrome before version 49.0.2623.75 does not properly maintain object own properties, allowing crafted JavaScript code to trigger an incorrect cast. The flaw resides in extensions/renderer/v8_helpers.h and gin/converter.h, where gin::Define and Set in v8_helpers used Set instead of DefineOwnProperty, making the property assignment overridable [1]. This enables an attacker to bypass the intended access restrictions on extension internal properties.
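The difference between Set and DefineOwnProperty that the fix relies on can be shown in plain JavaScript. This is an added example, not Chrome's code: the helper names fillWithSet, fillWithDefine, runWithTamperedPrototype and the 'handler' key are hypothetical, and the tampered prototype is a constructed scenario.

```javascript
// Two ways a bindings layer can populate a fresh object (hypothetical helpers).
function fillWithSet(target, key, value) {
  // Plain assignment performs [[Set]]: it walks the prototype chain and
  // defers to any accessor or read-only property found there.
  target[key] = value;
  return target;
}

function fillWithDefine(target, key, value) {
  // [[DefineOwnProperty]] never consults the prototype chain: the value
  // always lands as an own data property of the target.
  Object.defineProperty(target, key, {
    value, writable: true, enumerable: true, configurable: true,
  });
  return target;
}

// Constructed scenario: script sharing the realm has placed an accessor
// for 'handler' on Object.prototype before the trusted code runs.
function runWithTamperedPrototype(fill) {
  const seen = [];
  Object.defineProperty(Object.prototype, 'handler', {
    configurable: true,
    get() { return 'page-controlled'; },
    set(v) { seen.push(v); },
  });
  try {
    const obj = fill({}, 'handler', 'trusted');
    return {
      own: Object.prototype.hasOwnProperty.call(obj, 'handler'),
      read: obj.handler,          // what the trusted code reads back
      intercepted: seen.length,   // writes diverted to the inherited setter
    };
  } finally {
    delete Object.prototype.handler; // restore the shared prototype
  }
}

console.log('Set   :', runWithTamperedPrototype(fillWithSet));
console.log('Define:', runWithTamperedPrototype(fillWithDefine));
```

With assignment the trusted value never becomes an own property and is handed to the inherited setter; with defineProperty the object holds the trusted value regardless of the prototype's state.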

Exploitation

To exploit the flaw, an attacker must first persuade a user to visit a specially crafted web page that executes malicious JavaScript. The attacker does not need any special network position or authentication; the attack is remote, and user interaction is limited to clicking a link or visiting a compromised site. The crafted JavaScript overwrites inherited properties that are expected to be immutable, causing the V8 engine to misidentify the object type and perform an incorrect cast [1].

Impact

A successful attack allows remote code execution in the context of the browser's renderer process, bypassing security restrictions that normally isolate extension internal logic. The attacker gains the ability to execute arbitrary JavaScript with the same privileges as the extension, potentially leading to disclosure of sensitive information, installation of malicious extensions, or further compromise of the user's system [2].

Mitigation

Google addressed this issue in Chrome 49.0.2623.75, released on March 2, 2016 [2]. The fix replaced Set with DefineOwnProperty in gin and v8_helpers bindings, preventing property override [1]. Users should update Chrome to the latest version; Gentoo Linux users should upgrade to www-client/chromium-49.0.2623.87 or later [2]. There is no known workaround for unpatched versions.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
