Google Chrome, Microsoft Edge zero-day vulnerability shared on Twitter

[mood]

Google Chrome, Microsoft Edge zero-day vulnerability shared on Twitter

 

 

A security researcher has dropped a zero-day remote code execution vulnerability on Twitter that works on the current version of Google Chrome and Microsoft Edge.

A zero-day vulnerability is a security bug that has been publicly disclosed but has not been patched in the released version of the affected software.

 

Today, security researcher Rajvardhan Agarwal released a working proof-of-concept (PoC) exploit for a remote code execution vulnerability for the V8 JavaScript engine in Chromium-based browsers.

 

Just here to drop a chrome 0day. Yes you read that right.https://t.co/sKDKmRYWBP pic.twitter.com/PpVJrVitLR

— Rajvardhan Agarwal (@r4j0x00) April 12, 2021

 

While Agarwal states that the vulnerability is fixed in the latest version of the V8 JavaScript engine, it is not clear when Google will roll out the Google Chrome.

 

When the PoC HTML file, and its corresponding JavaScript file, are loaded in a Chromium-based browser, it will exploit the vulnerability to launch the Windows calculator (calc.exe) program.

While no developer likes a zero-day release for their software, the good thing is that Agarwal's zero-day cannot currently escape the browser's sandbox. The Chrome sandbox is a browser security boundary that prevents remote code execution vulnerabilities from launching programs on the host computer.

 

For Agarwal's zero-day RCE exploit to work, it would need to be chained with another vulnerability that can allow the exploit to escape the Chromium sandbox.

To test the exploit, BleepingComputer launched the Microsoft Edge and Google Chrome browsers with the --no-sandbox flag, which turns off the Chromium sandbox.

 

With the sandbox disabled, we could use Agarwal's exploit to launch Calculator on our Windows 10 device. Our tests' exploitable versions are Google Chrome 89.0.4389.114 and Microsoft Edge 89.0.774.76, which are the latest versions in the Stable channel.

 

 

This vulnerability is believed to be the same one used by Dataflow Security's Bruno Keith and Niklas Baumstark at Pwn2Own 2021, where the researchers exploited Google Chrome and Microsoft Edge.

 

getting popped with our own bugs wasn't on my bingo card for 2021. not sure it was too smart of Google to add that regression test right away... https://t.co/e0RUlmbxRK

— Niklas B (@_niklasb) April 12, 2021

 

Google is expected to release Chrome 90 to the Stable channel tomorrow, and we will have to see if the upcoming version includes a fix for this zero-day RCE vulnerability.

 

BleepingComputer has contacted Google about the zero-day but has not received a reply as of yet.

 

 

Source: Google Chrome, Microsoft Edge zero-day vulnerability shared on Twitter

[mood]

Update Your Chrome Browser to Patch 2 New In-the-Wild 0-Day Exploits

 

 

Google on Tuesday released a new version of Chrome web-browsing software for Windows, Mac, and Linux with patches for two newly discovered security vulnerabilities for both of which it says exploits exist in the wild, allowing attackers to engage in active exploitation.

 

One of the two flaws concerns an insufficient validation of untrusted input in its V8 JavaScript rendering engine (CVE-2021-21220), which was demonstrated by Dataflow Security's Bruno Keith and Niklas Baumstark at the Pwn2Own 2021 hacking contest last week.

 

While Google moved to fix the flaw quickly, security researcher Rajvardhan Agarwal published a working exploit over the weekend by reverse-engineering the patch that the Chromium team pushed to the open-source component, a factor that may have played a crucial role in the release.

 

UPDATE: Agarwal, in an email to The Hacker News, confirmed that there's one more vulnerability affecting Chromium-based browsers that has been patched in the latest version of V8, but has not been included in the Chrome release rolling out today, thereby leaving users potentially vulnerable to attacks even after installing the new update.

"Even though both the flaws are different in nature, they can be exploited to gain RCE in the renderer process," Agarwal told The Hacker News via email. "I suspect that the first patch was released with the Chrome update because of the published exploit but as the second patch was not applied to Chrome, it can still be exploited."

 

Also resolved by the company is a use-after-free vulnerability in its Blink browser engine (CVE-2021-21206). An anonymous researcher has been credited with reporting the flaw on April 7.

 

 

"Google is aware of reports that exploits for CVE-2021-21206 and CVE-2021-21220 exist in the wild," Chrome Technical Program Manager Prudhvikumar Bommana noted in a blog post.

 

It's worth noting that the existence of an exploit is not evidence of active exploitation by threat actors. Since the start of the year, Google has fixed three shortcomings in Chrome that have been under attack, including CVE-2021-21148, CVE-2021-21166, and CVE-2021-21193.

 

Chrome 89.0.4389.128 is expected to roll out in the coming days. Users can update to the latest version by heading to Settings > Help > About Google Chrome to mitigate the risk associated with the flaws.

 

 

Source: Update Your Chrome Browser to Patch 2 New In-the-Wild 0-Day Exploits