Zero-day vulnerability discovered that affects the latest versions of Chromium-powered browsers

Microsoft and Google work hand in hand on the development of Chromium. That collaboration has its advantages, as we saw the other day when covering the fix for the bug that affected YouTube on Windows 10, but it also brings the occasional problem. One such case is a zero-day threat that affects both browsers.

The risk affects both Edge and Chrome, and the exploit in fact works in the most current versions of both browsers. The threat, discovered by a security researcher, can allow remote code execution and therefore launch any application or program without the user starting it.

For Chromium-based browsers

Researcher Rajvardhan Agarwal (@r4j0x00 on Twitter) has discovered and corrected a vulnerability in Edge and Chrome that can facilitate remote code execution. The flaw is functional in the current versions of Google Chrome and Microsoft Edge.

This is a remote code execution vulnerability in the V8 JavaScript engine used by Chromium-based browsers. Although it is fixed in the latest version of the V8 JavaScript engine, the fix has not yet been shipped in either browser.

The bug is triggered when a PoC HTML file and the corresponding JavaScript file are loaded in a Chromium-based browser. The researcher used the vulnerability to start the Windows calculator program, but it can facilitate the loading of any program.

The positive part is that this bug is difficult to exploit in practice, since it remains confined to the Chromium sandbox, which isolates the process from the rest of the system, so an attacker cannot access the rest of the applications and functions of the system. For the exploit to work, the browser has to be started with the `--no-sandbox` command-line flag, which disables sandbox mode.
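Because the exploit only works when the sandbox is disabled, a useful check is to look for browsers that were started with `--no-sandbox`. The following is an added example, not code from the researcher or from Chromium; the process lines, PIDs and the list of browser executable names are constructed for illustration.

```python
import re
import shlex

# Executable names treated as Chromium-based browsers (assumed list; extend as needed).
BROWSERS = {"chrome", "chromium", "chromium-browser", "msedge"}

def exe_name(token):
    """Lower-cased executable name without directory, quotes or .exe suffix."""
    name = re.split(r"[\\/]", token.strip('"'))[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def runs_without_sandbox(cmdline):
    """True if cmdline starts a Chromium-based browser with --no-sandbox."""
    try:
        # posix=False keeps Windows backslashes intact and quoted paths as one token.
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
        tokens = cmdline.split()
    if not tokens or exe_name(tokens[0]) not in BROWSERS:
        return False
    for arg in tokens[1:]:
        if arg == "--":
            # Chromium's command-line parser stops reading switches at a bare "--";
            # anything after it is a positional argument such as a URL.
            return False
        if arg.split("=", 1)[0] == "--no-sandbox":
            return True
    return False

def audit(process_lines):
    """Return the PIDs of '<pid> <command line>' entries that run unsandboxed."""
    hits = []
    for line in process_lines:
        pid, _, cmdline = line.strip().partition(" ")
        if pid.isdigit() and runs_without_sandbox(cmdline):
            hits.append(int(pid))
    return hits

# Constructed sample process listing, not captured from a real system.
SAMPLE = [
    "4312 /opt/google/chrome/chrome --type=renderer --no-sandbox --lang=en-US",
    r'5120 "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-sandbox https://example.test/',
    "6001 /usr/bin/chromium --incognito -- --no-sandbox",
    "6002 /usr/bin/chromium --disable-gpu",
    "7000 /usr/bin/python3 fuzz.py --no-sandbox",
]

if __name__ == "__main__":
    print("Unsandboxed browser PIDs:", audit(SAMPLE))
```

On a live system the input lines can come from a process listing that includes full command lines, reformatted to `<pid> <command line>`.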

Hopefully upcoming updates for both browsers will include the corrected version of Chromium's V8 JavaScript engine, with Chrome 90, to be released tomorrow, being the first to fix it.

Via | Bleeping Computer

