This security flaw affects both Google Chrome and Microsoft Edge
New zero-day vulnerability affects all Chromium-based browsers
A security researcher has published a proof-of-concept (PoC) exploit on Twitter for a recently discovered zero-day vulnerability in Google Chrome, Microsoft Edge and other Chromium-based browsers.
While this zero-day vulnerability has already been publicly disclosed, it has not yet been patched in the latest version of Chrome or Edge.
Security researcher Rajvardhan Agarwal created the PoC exploit for a remote code execution vulnerability in the V8 JavaScript engine found in Chromium-based browsers and published it in a tweet. Although the vulnerability has been fixed in the latest version of the V8 JavaScript engine, it’s still unclear when Google will add the fix to Chrome.
The PoC HTML file created by Agarwal and its corresponding JavaScript file can be used to launch the calculator app on Windows 10 when loaded in a Chromium-based browser. However, the exploit is limited to running in the browser’s sandbox, which prevents remote code execution vulnerabilities from launching programs on a host computer.
Zero-day exploit
In order for Agarwal’s exploit to work, it needs to be chained to another vulnerability that could allow it to get out of the Chromium sandbox. To test the exploit, BleepingComputer launched both Chrome and Edge with the --no-sandbox flag enabled and from there, the news outlet was able to use the exploit to launch the calculator on a system running Windows 10.
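Because the exploit only reaches the host when the browser runs without its sandbox, defenders may want to know whether any Chromium-based browser on a machine was started with --no-sandbox. The following is an added example, not code from the article or from the researcher; the list of browser executable names and the sample process listing are assumptions constructed for illustration.

```python
import re

# Executable names treated as Chromium-based browsers (assumed, not exhaustive).
CHROMIUM_BINARIES = {"chrome", "chrome.exe", "msedge", "msedge.exe",
                     "chromium", "chromium-browser", "brave", "brave.exe"}
SANDBOX_OFF_FLAG = "--no-sandbox"

# Constructed sample process listing: (pid, command line).
SAMPLE_PROCESSES = [
    (4120, r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-sandbox'),
    (4188, r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
           r'--type=renderer --no-sandbox --lang=en-US'),
    (5012, r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
           r'--profile-directory=Default'),
    (5100, r'C:\Windows\System32\notepad.exe C:\notes\--no-sandbox.txt'),
    (6200, '/usr/bin/chromium --no-sandbox --headless'),
]

def split_cmdline(cmdline):
    """Split on whitespace, keeping double-quoted segments in one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def find_unsandboxed_browsers(processes):
    """Return one finding per Chromium-based process started with --no-sandbox."""
    findings = []
    for pid, cmdline in processes:
        tokens = split_cmdline(cmdline)
        if not tokens:
            continue
        # Basename of the executable, for Windows or POSIX style paths.
        exe = re.split(r"[\\/]", tokens[0])[-1].lower()
        if exe not in CHROMIUM_BINARIES:
            continue
        args = tokens[1:]
        # Exact token match, so a file name containing the text is ignored.
        if SANDBOX_OFF_FLAG not in args:
            continue
        # Child processes carry --type=<role>; the top-level browser has none.
        role = next((a.split("=", 1)[1] for a in args
                     if a.startswith("--type=")), "browser")
        findings.append({"pid": pid, "exe": exe, "role": role})
    return findings

if __name__ == "__main__":
    for finding in find_unsandboxed_browsers(SAMPLE_PROCESSES):
        print(finding)
```

On a real host, the (pid, command line) pairs would come from the operating system's process listing or from endpoint telemetry instead of the constructed sample.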
Although releasing a zero-day exploit on Twitter is controversial on its own, some users on the social network took issue with the fact that Agarwal didn’t credit Bruno Keith and Niklas Baumstark of Dataflow Security, who first discovered the vulnerability. However, Agarwal claims that he wasn’t aware that they had discovered the vulnerability when releasing his exploit.
Google is expected to release Chrome 90 to the Stable channel soon and we’ll have to wait to see if the upcoming version of its browser includes a fix for this remote code execution vulnerability.
Via BleepingComputer
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.