Critical vulnerability in SQLite; you should update now

This software is used by thousands of organizations around the world

Digital forensics specialists from the International Cyber Security Institute report the discovery of a critical vulnerability in the SQLite software, a widely used database engine; according to reports, the vulnerability could expose millions of implementations to multiple cyberattacks.

The SQLite vulnerability, nicknamed “Magellan” by the expert team that discovered it, could allow a remote attacker to execute malicious or arbitrary code on compromised devices, leak program memory, or block applications.

SQLite is a lightweight, widely used, disk-based relational database management system that requires minimal support from the operating system or external libraries, and is therefore compatible with almost any device, platform, or programming language, the digital forensics experts note.

Currently, SQLite is used by millions of applications and, therefore, by billions of implementations, including Internet of Things (IoT) devices, macOS and Windows applications, the most used search engines, Adobe software, Skype and many other platforms.

Since Chromium-based web browsers, such as Chrome, Opera, and Brave, also support SQLite through the Web SQL database API, which is considered obsolete, a remote attacker could easily attack users of affected browsers simply by convincing them to visit a specially designed website.

“After confirming that the vulnerability also affected Chromium, a Google digital forensics team solved the flaw,” it was mentioned in the company’s blog.

The SQLite team released version 3.26.0 of its software to correct the vulnerability after receiving the report from the cybersecurity experts. For its part, Google has released version 71.0.3578.80 of Chromium to solve the problem.

Specialists at a cybersecurity firm claim that they successfully designed a proof-of-concept exploit and tested it against Google Home, the company’s smart speaker. Because most applications will not be updated shortly, the researchers decided not to disclose further details about the vulnerability or the proof of concept.

SQLite is used by Adobe, Apple, Dropbox, Firefox, Android and many other projects, so this vulnerability is considered a critical problem, although there is still no evidence that it has been exploited in the wild.

Cybersecurity specialists recommend that users and administrators update their systems and install security patches as soon as they are available.