Indian security researcher Rajvardhan Agarwal recently published proof-of-concept code for a brand new vulnerability affecting Google Chrome, Microsoft Edge, Brave, and Opera (all Chromium-based).
The vulnerability resides in the V8 JavaScript engine, and it is most likely the same flaw demonstrated during Pwn2Own 2021 by Dataflow Security’s researchers Bruno Keith and Niklas Baumstark. The two researchers won $100,000 from the hacking contest for successfully exploiting the vulnerability to run malicious code within the Chrome and Edge browsers.
Agarwal’s Proof-of-Concept Exploit Code for the New Chromium Flaw
The Indian researcher shared a screenshot on Twitter, which reveals that the proof-of-concept HTML and JavaScript files can both be loaded in a Chromium-based browser. Loading these files triggers the vulnerability and launches the Windows calculator app. However, the exploit needs to be chained with another vulnerability to circumvent Chrome’s sandbox protections.
How did Agarwal come up with the PoC code?
The researcher most likely reverse-engineered the patch released by Chromium’s team shortly after details of the vulnerability were shared with Google.
Indeed, Google has released a patch addressing the flaw in the latest version of V8. However, the patch has not yet reached the stable channel, creating a window of opportunity for hackers to exploit vulnerable browsers. You should be on the lookout for Chrome 90, which should be released later today.
Last year, Google patched another bug in Chrome for desktop – CVE-2020-16009, described as an inappropriate implementation flaw in V8. The bug was exploited in remote execution attacks through a crafted HTML page.
Protection against vulnerabilities in Chromium-based browsers
On the positive side, Google and Microsoft are planning a new improvement to the security of Microsoft Edge and Google Chrome. Both Chromium-based browsers will support a new security feature provided by Intel. The so-called CET feature, or Control-flow Enforcement Technology, is designed to make such vulnerabilities harder to exploit.