CVE-2016-1638
Description
A Chrome Extensions subsystem flaw before 49.0.2623.75 allowed crafted platform apps to bypass Web API access restrictions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A flaw in extensions/renderer/resources/platform_app.js, part of the Extensions subsystem of Google Chrome before version 49.0.2623.75, left the clobbering of certain Web APIs for platform apps incomplete. Some APIs were supposed to be restricted for platform apps, but the clobbering mechanism was insufficient, leaving a gap that could be exploited. The bug was tracked as BUG=585282 and the fix was applied in chromium commit 8e79fe67a8b03291c6acac311ed4ca6592798b6f [1].
Exploitation
An attacker would need to craft a malicious platform app and convince a user to install and run it. No special network position is required beyond the ability to deliver the app (e.g., via the Chrome Web Store or manual installation). The app could then invoke Web APIs that were intended to be restricted, because the clobbering logic in platform_app.js did not cover all necessary cases [1].
Impact
Successful exploitation allows a remote attacker to bypass the intended access restrictions on Web APIs within the platform app context. The impact is a security restriction bypass, potentially leading to unauthorized access to data or functionality, depending on the specific API that was incorrectly exposed [2].
Mitigation
The vulnerability is fixed in Google Chrome version 49.0.2623.75 and later. Users should update Chrome to at least this version. For Gentoo users, GLSA 201603-09 recommends upgrading to www-client/chromium-49.0.2623.87 or later [2]. No workaround is available if an upgrade cannot be applied.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
3
Patches
0
No patches discovered yet.
References
- googlechromereleases.blogspot.com/2016/03/stable-channel-update.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2016-03/msg00014.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2016-03/msg00015.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2016-03/msg00018.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2016-03/msg00028.html (nvd)
- www.debian.org/security/2016/dsa-3507 (nvd)
- www.securityfocus.com/bid/84008 (nvd)
- www.securitytracker.com/id/1035185 (nvd)
- code.google.com/p/chromium/issues/detail (nvd)
- codereview.chromium.org/1744623002 (nvd)
- security.gentoo.org/glsa/201603-09 (nvd)