Zero-day vulnerability discovered that affects the latest versions of Chromium-based browsers

Microsoft and Google work hand in hand on the development of Chromium. That collaboration has its advantages, as we saw the other day with the fix for the bug that affected YouTube in Windows 10, but it also means the two browsers share the same problems. This is the case with a zero-day threat that affects both of them.

The risk affects both Edge and Chrome, and the exploit works against the most recent releases of both browsers. It was published by a security researcher and allows remote code execution, that is, launching any application or program on the machine without the user doing anything beyond visiting a page.

For Chromium-based browsers

Security researcher Rajvardhan Agarwal (@r4j0x00 on Twitter) has published a proof-of-concept exploit for a vulnerability in Edge and Chrome that allows remote code execution. The exploit works against the current versions of Google Chrome and Microsoft Edge.

It is a remote code execution vulnerability in V8, the JavaScript engine used by Chromium-based browsers. Although it is already fixed in the latest version of V8, that fix has not yet shipped in the stable releases of either browser.

Right here to drop a 0day chrome. Yes you read that right https://t.co/sKDKmRYWBP pic.twitter.com/PpVJrVitLR

– Rajvardhan Agarwal (@r4j0x00) April 12, 2021

The exploit is triggered when the PoC HTML page and its accompanying JavaScript file are loaded in a Chromium-based browser. The researcher used the vulnerability to launch the Windows Calculator, but the same technique could be used to launch any other program.

The positive part is that this flaw is hard to exploit in practice, because the published exploit does not escape Chromium's sandbox. The sandbox isolates the renderer process from the rest of the system, so an attacker cannot reach other applications or system functions from it. For the PoC to actually launch a program, the browser must be started with the sandbox disabled, by passing the --no-sandbox command-line flag. A V8 bug like this one only becomes a full system compromise when it is chained with a separate sandbox escape, which the published PoC does not include.
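Since the mitigation here hinges entirely on the sandbox being enabled, the check a defender wants is whether any Chromium-based browser on a host is actually running with `--no-sandbox`. The following is an added example written for this article, not code from the original page or from the researcher: a shell function that scans a process table (one `pid command-line` entry per line, the shape produced by `ps -eo pid,args --no-headers` on Linux) and reports browser processes launched with that flag. The list of browser binary names and the sample process table are assumptions constructed for the example.

```shell
# Added example: report Chromium-based browser processes started with --no-sandbox.
# Input on stdin: one process per line, "<pid> <command line>" (Linux `ps -eo pid,args`).
# Output: one "<pid> <binary>" line per process whose sandbox is disabled.
find_unsandboxed_browsers() {
    awk '
        BEGIN {
            # Assumed list of Chromium-based browser binaries; extend for other forks.
            split("chrome chromium chromium-browser msedge brave opera vivaldi", b, " ")
            for (i in b) browsers[b[i]] = 1
        }
        {
            pid = $1
            bin = $2
            sub(/.*\//, "", bin)            # keep only the executable name
            if (!(tolower(bin) in browsers)) next
            # Match the exact switch, not substrings such as --disable-gpu-sandbox.
            for (i = 3; i <= NF; i++) {
                if ($i == "--no-sandbox") { print pid, bin; break }
            }
        }'
}

# Constructed sample process table (not real captured data).
SAMPLE_PROCESSES='1201 /opt/google/chrome/chrome --type=renderer --disable-gpu-sandbox
1342 /usr/bin/firefox --no-sandbox
1455 /usr/lib/chromium/chromium --no-sandbox --user-data-dir=/tmp/test
1600 /opt/microsoft/msedge/msedge --no-sandbox --profile-directory=Default'

printf '%s\n' "$SAMPLE_PROCESSES" | find_unsandboxed_browsers
```

On a live Linux host, pipe `ps -eo pid,args --no-headers` into `find_unsandboxed_browsers` instead of the sample table. Firefox is deliberately left unflagged because it is not Chromium-based and the flag has a different meaning there; `--disable-gpu-sandbox` is included as a decoy to show that only the exact `--no-sandbox` switch counts.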

Upcoming updates to both browsers are expected to include the already patched version of Chromium's V8 JavaScript engine, with Chrome 90, due to launch tomorrow, expected to be the first to ship the fix.

Via | BleepingComputer
