
This security flaw affects both Google Chrome and Microsoft Edge


A security researcher has published a proof-of-concept (PoC) exploit on Twitter for a recently discovered zero-day vulnerability in Google Chrome, Microsoft Edge and other Chromium-based browsers.

While this zero-day vulnerability has already been publicly disclosed, it has not yet been patched in the latest version of Chrome or Edge.

Security researcher Rajvardhan Agarwal created the PoC exploit for a remote code execution vulnerability in the V8 JavaScript engine used by Chromium-based browsers and published it in a tweet. Although the vulnerability has been fixed in the latest version of the V8 JavaScript engine, it is still unclear when Google will ship that fix in Chrome.

The PoC HTML file created by Agarwal and its corresponding JavaScript file can be used to launch the calculator app on Windows 10 when loaded in a Chromium-based browser. However, the exploit runs only inside the browser's renderer sandbox, which is designed to stop code execution gained through a renderer bug from launching programs on the host computer.

Zero-day exploit

In order for Agarwal's exploit to work on its own, it needs to be chained with another vulnerability that allows it to escape the Chromium sandbox. To test the exploit, BleepingComputer launched both Chrome and Edge with the --no-sandbox flag, which disables that protection, and from there the news outlet was able to use the exploit to launch the calculator on a system running Windows 10.
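Because the PoC only reaches the host when the browser is started with --no-sandbox, a useful defensive check is to flag any Chromium-based browser process running with that switch. The script below is an added example, not code from the article or from the researchers it describes: it scans constructed sample process command lines (the records, PIDs and paths are made up for illustration) and reports browsers whose sandbox has been disabled. The set of browser executable names is an assumption; extend it for your fleet.

```python
"""Flag Chromium-based browsers launched with --no-sandbox.

Added example: the process records below are constructed sample data, as
might come from a process listing or an EDR process-creation event.
"""
import re

# Assumption: executable names of the Chromium-based browsers we care about.
CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "chrome", "msedge", "chromium"}

# Constructed sample records: (pid, full command line).
SAMPLE_PROCESSES = [
    (4120, r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'),
    (4388, r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-sandbox'),
    (5012, r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-sandbox --disable-gpu'),
    (5100, r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer'),
    (6001, r'notepad.exe --no-sandbox'),  # not a browser: must be ignored
    (6102, r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-sandbox-extra'),  # not the real switch
]

# The executable is either a leading quoted path or the first whitespace token.
_EXE_RE = re.compile(r'\s*"([^"]+)"|\s*(\S+)')
# Match --no-sandbox only as a whole token, so look-alike switches do not count.
_NO_SANDBOX_RE = re.compile(r'(?:^|\s)--no-sandbox(?=\s|$)')


def executable_name(cmdline: str) -> str:
    """Return the lower-cased basename of the executable in a command line."""
    m = _EXE_RE.match(cmdline)
    if not m:
        return ""
    path = m.group(1) or m.group(2)
    # Normalise Windows and POSIX separators before taking the basename.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def has_no_sandbox(cmdline: str) -> bool:
    """True if the command line carries the --no-sandbox switch."""
    return _NO_SANDBOX_RE.search(cmdline) is not None


def find_unsandboxed_browsers(processes):
    """Return PIDs of Chromium-based browsers running without the sandbox."""
    return [
        pid
        for pid, cmd in processes
        if executable_name(cmd) in CHROMIUM_BROWSERS and has_no_sandbox(cmd)
    ]


if __name__ == "__main__":
    for pid in find_unsandboxed_browsers(SAMPLE_PROCESSES):
        print(f"PID {pid}: Chromium-based browser running with --no-sandbox")
```

In practice the input would come from a process-creation telemetry source rather than a hard-coded list; the matching logic is the same. Chrome also displays an "unsupported command-line flag" warning bar when started this way, so an end-user report of that banner is a second signal worth correlating.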

Although releasing a zero-day exploit on Twitter is controversial on its own, some users on the social network took issue with the fact that Agarwal didn't credit Bruno Keith and Niklas Baumstark from Dataflow Security, who first discovered the vulnerability. However, Agarwal claims that he wasn't aware they had discovered the vulnerability when he released his exploit.

Google is expected to release Chrome 90 to the Stable channel soon and we'll have to wait to see if the upcoming version of its browser includes a fix for this remote code execution vulnerability.

Via BleepingComputer