Chromium Zero-day Vulnerability
A security researcher named Rajvardhan Agarwal has shared a proof-of-concept work on Twitter recently, explaining the exploitation of a zero-day vulnerability in the V8 JavaScript engine in Chromium. As Chromium is the core used by many browsers like Microsoft Edge and Google Chrome, exploiting it can be disastrous.
— Rajvardhan Agarwal (@r4j0x00) April 12, 2021 The zero-day he discovered would let an attacker perform a remote code execution attack, and can compromise a system. Agarwal’s PoC HTML file included with a JavaScript file can trigger the vulnerability in a Chromium-based browser when loaded into it and launches the Windows calculator (calc.exe) program. A good thing here is that the exploit cannot escape a sandbox situation, and needs the help of additional bugs to overcome. Thus sandbox environments available in Chrome can easily thwart the exploitation and avoid remote code execution attacks. BleepingComputer has tested his zero-day discovery with sandbox disabled in Chrome and Edge browsers and succeeding in performing the attack. This is reported to happen even in the latest stable versions of Chrome (v89.0.4389.114) and Edge (v89.0.774.76) browsers, thus a patch should be coming soon. Agarwal said a patch for this is already made available in Chromium but should be rolling to Chrome browser yet. As Google is preparing to launch the v90 of Chrome tomorrow, we wait to check whether this zero-day vulnerability is patched or not. This zero-day is reportedly the same bug disclosed by researchers Bruno Keith and Niklas Baumstark from Dataflow Security, at Pwn2Own 2021 event.