Second Exploit for Chrome And Edge Published This Week


For the second time this week, security researchers have posted a proof-of-concept exploit that runs malicious code in Chrome, Edge, Vivaldi, Opera, and other Chromium-based browsers. The vulnerability lies in the V8 JavaScript engine and has already been fixed in V8's source code, but the fix has not yet been integrated into the Chromium codebase or shipped by the browsers built on it.

The exploit's authors did not provide any information about how they created it, but the most likely explanation is that they reviewed the V8 change log and wrote proof-of-concept code for one of the recently fixed vulnerabilities. Earlier this week, Indian security researcher Rajvardhan Agarwal published an exploit for Chrome, Edge, Vivaldi, Opera, and other Chromium-based browsers; his PoC code demonstrated a vulnerability found during the Pwn2Own competition a week earlier. Both Google and Microsoft acknowledged that vulnerability and patched it.

As with Rajvardhan Agarwal's demo code, the new exploit is incomplete: it covers only the code-execution half of the attack, running attacker-controlled code inside the browser's renderer process. A complete attack also needs a second exploit to escape the browser sandbox. Combined with such a sandbox escape, or used against an application that embeds Chromium without the browser sandbox (for example, embedded or headless builds), the vulnerability can be used to gain full control of the system.
