Chrome on Windows: New security feature to detect symbolic links

IsLink function introduced for secure file handling in Chrome (Windows)

2 min. read

Published onApril 12, 2024

published onApril 12, 2024

Share this article

Read our disclosure page to find out how can you help Windows Report sustain the editorial teamRead more

Microsoft is working with Google to implement a helper function called IsLink(…) for handling symbolic links in Windows for Chrome browser. This change addresses a specific security concern related to file handling during directory traversal.

When obtaining a file handle through functions like GetFile() or GetEntries() from a directory handle, there’s a risk that the file handle represents a symbolic link, also known as a symlink. Symlinks can point to paths that are potentially blocklisted or restricted. The security risk arises if the symlink file is created after permissions have already been granted to access the parent directory.

The IsLink function Implementation details for Chrome on Windows

The IsLink(…) helper function will likely check whether a given file handle corresponds to a symbolic link. By identifying symlinks, developers can take appropriate actions to prevent unintended security breaches.

This CL adds helpers IsLink(…) for symbolic link handling in the Windows to unblockhttps://issues.chromium.org/issues/40061477.

The necessity for the IsLink helper arises from a specific security concern related to file handling during directory traversal. When a file handle is obtained through GetFile() or GetEntries() from a directory handle, there’s a possibility that this file handle represents a symlink file. This symlink could potentially point to a path that is blocklisted, posing a security risk. Such a scenario might occur if the symlink file is created after permissions have been granted to access the parent directory. Although this situation cannot occur through web API and it’s only possible when it done on the local machine. However, the isuse is currently implemented on non-Windows platforms only, due to the absence of a helper on Windows to detect symlinks.

So, the issue only appears in the desktop version of Chrome for Windows because on other platforms, there is a helper for symlinks.

Hopefully, the IsLink helper will be implemented soon enough for all Chromium browsers.

Do you have any security concerns about Chrome? Let’s discuss this matter in the comments section below.

With KB5043178 to Release Preview Channel, Microsoft advises Windows 11 users to plug in when the battery is low#

Copilot in Outlook will generate personalized themes for you to customize the app#

Microsoft will raise the price of its 365 Suite to include AI capabilities#

Death Stranding Director’s Cut is now Xbox X|S at a huge discount#

Outlook will let users create custom account icons so they can tell their accounts apart easier#

Chrome on Windows: New security feature to detect symbolic links#

The IsLink function Implementation details for Chrome on Windows#

With KB5043178 to Release Preview Channel, Microsoft advises Windows 11 users to plug in when the battery is low

Copilot in Outlook will generate personalized themes for you to customize the app

Microsoft will raise the price of its 365 Suite to include AI capabilities

Death Stranding Director’s Cut is now Xbox X|S at a huge discount

Outlook will let users create custom account icons so they can tell their accounts apart easier

Chrome on Windows: New security feature to detect symbolic links

The IsLink function Implementation details for Chrome on Windows