Google’s Chrome is a popular browser out there. While it’s being used by billions daily, one of the browser’s components was supposedly vulnerable to let attackers exploit the user data by executing malicious code remotely. The vulnerability was discovered recently and has been addressed.
The Magellan 2.0 Vulnerability
Termed as Magellan 2.0, this vulnerability, if exploited, can let an attacker execute malicious code remotely and can cause leaking program memory or program crashes. This check is surfaced by Tencent Blade Team from China, which was the same group that discovered its predecessor, Magellan 1.0.
The team says the browsers based on chromium and services using SQLite databases can be attacked. SQLite stores various browser settings and user data within. Any user visiting malicious sites that feed the SQLite’s database with improper inputs/commands can be hacked. If done successfully, a hacker can operate it remotely.
The new vulnerabilities are identified as
It’s okay if your device isn’t accepting external SQL queries, but having browsers with WebSQL or older SQLite functions can be exploited. Below are a few services that can be attacked:
- Chrome/Chromium prior to version 79.0.3945.79 (Here in after referred to as “old version”).
- Smart devices using an old version of Chrome/Chromium.
- Browsers built with the old version of Chromium/Webview.
- Android Apps that uses an old version of Webview and can access any web page.
- Software that uses the old version of Chromium and can access any web page.
Following the vulnerability disclosure process, Tencent Blade Team decided not to disclose further details of this glitch yet. They’d be doing this after 90days as specified.
Things To Do
Updating as usual. As Tencent has already informed Google and SQLite teams, they’ve released security patches in their latest updates. For Chrome, latest patch as version 79.0.3945.79 or (79.0.3945.73 in Android) has been released on December 13th which can be downloaded from Playstore, Appstore and respective browser stores for web versions.
Source: Tencent Blade Team