A security researcher has shared a zero-day vulnerability found in the Chromium engine, which powers popular browsers like Microsoft Edge and Google's Chrome. When chained with other vulnerabilities, the proof-of-concept code can let an attacker achieve remote code execution even in the latest versions of these browsers. He says the bug has been fixed in Chromium, but the fix has yet to arrive in Chrome.
Chromium Zero-day Vulnerability
— Rajvardhan Agarwal (@r4j0x00) April 12, 2021
The good news is that the exploit cannot escape the browser sandbox on its own and needs the help of additional bugs to do so. Thus the sandbox available in Chrome can easily thwart the exploitation and prevent remote code execution attacks. BleepingComputer tested his zero-day discovery with the sandbox disabled in the Chrome and Edge browsers and succeeded in performing the attack.
This is reported to happen even in the latest stable versions of the Chrome (v89.0.4389.114) and Edge (v89.0.774.76) browsers, so a patch should be coming soon. Agarwal said a patch for this is already available in Chromium but has yet to roll out to the Chrome browser.
As Google is preparing to launch v90 of Chrome tomorrow, we wait to see whether this zero-day vulnerability is patched in it. This zero-day is reportedly the same bug disclosed by researchers Bruno Keith and Niklas Baumstark of Dataflow Security at the Pwn2Own 2021 event.