Just one day ago, an exploit was reported that abuses a critical vulnerability in the Chromium open source project, which is used by some of the world’s most popular web browsers, including Chrome and Edge. Now a second remote code execution exploit affecting any Chromium-based browser has been published on Twitter.
The report notes that this is a zero-day flaw, meaning that an exploit has been released before those responsible for the affected software could release a security update or patch. Zero-day flaws pose a very high security risk to users, as threat actors can deploy successful attacks while updates are still being prepared.
Through his Twitter account, a specialist identified as “frust” published a proof-of-concept (PoC) exploit for this Chromium flaw. According to the report, successful exploitation of the vulnerability causes the Notepad application to start on Windows systems.
This zero-day flaw was disclosed just days after Google released Chrome version 89.0.4389.128, which contained security patches to address a different Chromium zero-day flaw that was revealed on Monday.
Like the flaw revealed earlier this week, the zero-day vulnerability described by frust cannot escape the Chromium sandbox on its own. This environment helps prevent exploits from running code or accessing files on the host system.
Hackers wishing to complete a successful attack must chain this zero-day flaw with an unmediated sandbox escape. In the publication, the PoC developer demonstrates its functionality by exploiting this flaw.
Shortly after the publication of the PoC, a group of specialists confirmed that the flaw works in current versions of Chrome and Edge by using the --no-sandbox argument to disable the sandbox: “By disabling sandbox, it is possible to arbitrarily start Notepad in Chrome 89.0.4389.128 and Edge 89.0.774.76,” the researchers noted in an interview with BleepingComputer.
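Because the confirmation above depended on the browser running with its sandbox switched off, a process inventory check for that switch is a practical defensive control. The following is an added example, not part of the original article or any vendor tooling: it flags Chrome and Edge browser processes started with --no-sandbox, and builds at or below the two versions named above. The record format, host names, version 90.0.0.0 and the assumption that older builds are equally affected are constructed for illustration.

```python
import ntpath

# Builds the article names as confirmed exploitable once the sandbox is off.
CONFIRMED = {"chrome.exe": "89.0.4389.128", "msedge.exe": "89.0.774.76"}

def vt(version):
    """'89.0.4389.128' -> (89, 0, 4389, 128) so builds compare numerically."""
    return tuple(int(part) for part in version.split("."))

def assess(proc):
    """Return findings for one process record; [] means nothing to report."""
    exe = ntpath.basename(proc["exe"]).lower()
    if exe not in CONFIRMED:
        return []                      # not a browser covered by the article
    args = [tok.strip('"') for tok in proc["cmdline"].split()]
    if any(a.startswith("--type=") for a in args):
        return []                      # Chromium child process; report the parent only
    findings = []
    if "--no-sandbox" in args:         # exact switch match, not a substring search
        findings.append("sandbox-disabled")
    # Assumption: builds at or below the confirmed one are also unpatched.
    if vt(proc["version"]) <= vt(CONFIRMED[exe]):
        findings.append("confirmed-affected-build")
    return findings

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE = [  # constructed inventory records, not real telemetry
    {"host": "ws-01", "exe": CHROME, "version": "89.0.4389.128",
     "cmdline": f'"{CHROME}" --no-sandbox'},
    {"host": "ws-01", "exe": CHROME, "version": "89.0.4389.128",
     "cmdline": f'"{CHROME}" --type=renderer --no-sandbox'},
    {"host": "ws-02", "exe": EDGE, "version": "89.0.774.76",
     "cmdline": f'"{EDGE}" https://example.test/?q=--no-sandbox'},
    {"host": "ws-03", "exe": CHROME, "version": "90.0.0.0",
     "cmdline": f'"{CHROME}" --no-sandbox'},
]

def triage(records):
    """Map (host, exe name) -> findings for every record with a finding."""
    out = {}
    for rec in records:
        found = assess(rec)
        if found:
            out[(rec["host"], ntpath.basename(rec["exe"]))] = found
    return out

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A host that reports both findings matches the exact condition the researchers described and should be prioritized for patching and for removal of the switch.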
Although Google planned to release Chrome 90 for desktop on April 13, the company decided to release a new update to address this vulnerability. On the other hand, Microsoft’s steps to address Edge flaws are still unknown.