An Indian security researcher has publicly published proof-of-concept (PoC) exploit code for a newly discovered flaw impacting Google Chrome and other Chromium-based browsers like Microsoft Edge, Opera, and Brave.

Released by Rajvardhan Agarwal, the working exploit concerns a remote code execution vulnerability in the V8 JavaScript rendering engine that powers the web browsers. It’s believed to be the same flaw demonstrated by Dataflow Security’s Bruno Keith and Niklas Baumstark at the Pwn2Own 2021 hacking contest last week.

Keith and Baumstark were awarded $100,000 for leveraging the vulnerability to run malicious code inside Chrome and Edge.

According to the screenshot shared by Agarwal, the PoC HTML file and its associated JavaScript file can be loaded in a Chromium-based browser to exploit the security flaw and launch the Windows calculator (calc.exe) app. But it’s worth noting that the exploit needs to be chained with another flaw that can allow it to escape Chrome’s sandbox protections.

It appears that Agarwal was able to put together the PoC by reverse-engineering the patch that Google’s Chromium team pushed to the open-source component after details of the flaw were shared with the company.

“Getting popped with our own bugs wasn’t on my bingo card for 2021,” Baumstark tweeted. “Not sure it was too smart of Google to add that regression test right away.”

While Google has addressed the issue in the latest version of V8, it has yet to make its way to the stable channel, thereby leaving the browsers vulnerable to attacks. Google is expected to ship Chrome 90 later today, but it’s not clear if the release will include a patch for the V8 flaw.

We have reached out to Google, and we will update the story if we hear back.
