RCE Exploit Released for Unpatched Chrome, Opera, and Brave Browsers

An Indian security researcher has publicly published proof-of-concept (PoC) exploit code for a newly discovered flaw impacting Google Chrome and other Chromium-based browsers like Microsoft Edge, Opera, and Brave.

Released by Rajvardhan Agarwal, the working exploit concerns a remote code execution vulnerability in the V8 JavaScript rendering engine that powers the web browsers. It's believed to be the same flaw demonstrated by Dataflow Security's Bruno Keith and Niklas Baumstark at the Pwn2Own 2021 hacking contest last week.


Keith and Baumstark were awarded $100,000 for leveraging the vulnerability to run malicious code inside Chrome and Edge.

According to the screenshot shared by Agarwal, the PoC HTML file and its associated JavaScript file can be loaded in a Chromium-based browser to exploit the security flaw and launch the Windows calculator (calc.exe) app. But it's worth noting that the exploit needs to be chained with another flaw that would allow it to escape Chrome's sandbox protections.

It appears that Agarwal was able to put together the PoC by reverse-engineering the patch that Google's Chromium team pushed to the open-source component after details of the flaw were shared with the company.


“Getting popped with our own bugs wasn't on my bingo card for 2021,” Baumstark tweeted. “Not sure it was too smart of Google to add that regression test right away.”

While Google has addressed the issue in the latest version of V8, it is yet to make its way to the stable channel, thereby leaving the browsers vulnerable to attacks. Google is expected to ship Chrome 90 later today, but it's not clear if the release will include a patch for the V8 flaw.

We've reached out to Google, and we will update the story if we hear back.
