CVE-2016-5174 in Chrome
Summary
by MITRE
browser/ui/cocoa/browser_window_controller_private.mm in Google Chrome before 53.0.2785.113 does not process fullscreen toggle requests during a fullscreen transition, which allows remote attackers to cause a denial of service (unsuppressed popup) via a crafted web site.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 09/19/2022
The vulnerability identified as CVE-2016-5174 resides within the browser/ui/cocoa/browser_window_controller_private.mm component of Google Chrome, specifically affecting versions prior to 53.0.2785.113. This issue manifests as a race condition during fullscreen transition handling, where the browser fails to properly process fullscreen toggle requests while a fullscreen transition is actively occurring. The flaw exists in the macOS implementation of Chrome's browser window controller, which manages the user interface behavior during fullscreen operations. When a web page attempts to trigger a fullscreen toggle while the browser is in the midst of transitioning to or from fullscreen mode, the system becomes unresponsive to subsequent fullscreen requests, creating a denial of service condition that can be exploited by remote attackers through malicious web content.
The technical implementation of this vulnerability stems from improper state management within the Cocoa framework integration of Chrome's browser window controller. During fullscreen transitions, the system maintains an internal state that should prevent concurrent fullscreen operations, but fails to properly queue or defer toggle requests that arrive during this critical period. This race condition creates a scenario where the browser's user interface becomes unresponsive to fullscreen commands, effectively preventing users from controlling the browser's display mode. The flaw specifically impacts the macOS version of Chrome and demonstrates poor handling of asynchronous UI events during state transitions, which can be characterized as a failure in proper concurrency control mechanisms.
From an operational impact perspective, this vulnerability enables remote attackers to execute a denial of service attack against Chrome users by crafting malicious web pages that trigger the race condition. When victims visit these malicious sites, they become unable to control the browser's fullscreen behavior, potentially leading to persistent popup windows that cannot be dismissed through normal means. The unsuppressed popup condition represents a significant usability degradation that can render the browser effectively unusable for the duration of the attack. This vulnerability particularly affects users who frequently interact with fullscreen content or those who rely on fullscreen modes for productivity applications, making it a serious concern for both individual users and enterprise environments.
The vulnerability aligns with CWE-367, which describes Time-of-Check to Time-of-Use (TOCTOU) flaws, as the system checks for fullscreen state and then performs operations that may be invalidated by concurrent requests. Additionally, this issue maps to ATT&CK technique T1499.004, which covers "Utilities: File and Directory Permissions Modification" and T1566.001, "Phishing: Spearphishing Attachment" as it can be exploited through malicious web content delivery. Organizations should implement immediate mitigations including mandatory browser updates to version 53.0.2785.113 or later, which resolves the race condition through improved state management and proper queuing of fullscreen toggle requests. Network administrators should also consider implementing browser security policies that restrict access to untrusted websites and monitor for suspicious fullscreen behavior patterns. The fix implemented by Google involved strengthening the state management logic to properly handle concurrent fullscreen requests during transition periods, ensuring that all toggle commands are processed appropriately regardless of the current transition state.