KEY POINTS

  • Zero-day flaw is triggered by loading a proof-of-concept (PoC) HTML page together with its JavaScript file
  • The bug works on both Microsoft Edge and Google Chrome
  • Users must keep the browser sandbox enabled to keep their devices protected

Over the past two days, discussions about zero-day vulnerabilities have been rife on Twitter after two security researchers separately published remote code execution flaws that work on Microsoft Edge and Google Chrome.

For the uninitiated, a zero-day remote code execution flaw is a security bug that has already been disclosed yet remains unpatched in the latest update of the affected software. On April 13, Rajvardhan Agarwal, a security researcher, posted a Twitter update with a link to a zero-day vulnerability.

The term zero-day refers to the amount of time the software developers have had to fix the bug: Google's team had zero days to fix it and prevent the exploit from spreading in the wild.

Agarwal's proof of concept demonstrates the vulnerability by launching the Windows calculator. To get there, the bug must first be triggered by loading the proof-of-concept (PoC) HTML page together with its JavaScript file in a Chromium-based browser.

The researcher then said that the latest version of the V8 JavaScript engine fixes the bug, and Tom's Guide confirmed that the latest Chrome release patched the flaw.

Meanwhile, on April 14, a Twitter user with the handle "frust" posted an update saying "another chrome 0day," with a link to another GitHub page containing the JavaScript for a proof-of-concept web page.

Much like Agarwal's, frust's demonstration launches Windows Notepad from Chrome. The bug specifically works on Chrome version 89.0.4389.128, the April 13 release.

No serious harm has been spotted yet, although the ability to launch a program on Windows should already be cause for concern. If the bug were combined with another attack that can break the security boundary, malicious websites could freely launch programs on computers running Microsoft Edge or Google Chrome, Tom's Guide reported.

Bleeping Computer clarified that Agarwal's zero-day flaw cannot fully compromise a host computer on its own, as it does not escape the Chrome sandbox, the security boundary that prevents malicious processes from spreading into the surrounding operating system.

This means that, to stay protected from the zero-day, Google Chrome and Microsoft Edge users must keep the browser sandbox enabled.
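The Chromium sandbox is on by default and is normally only turned off when the browser is started with a switch such as --no-sandbox, so the practical check is whether any running browser was launched that way. The audit script below is an added example, not code from the article or from Google or Microsoft: it flags browser command lines carrying a sandbox-disabling switch; the sample command lines are constructed, and live_cmdlines is an assumed helper that collects real command lines on Windows via PowerShell.

```python
"""Audit browser process command lines for switches that turn off the
Chromium sandbox (added example; sample command lines are constructed)."""
import re
import subprocess
from typing import Dict, List

# Real Chromium switches that remove or bypass the renderer sandbox boundary.
SANDBOX_DISABLING_FLAGS = {"--no-sandbox", "--single-process"}
BROWSER_EXES = ("chrome.exe", "msedge.exe")
# A switch starts with "--" at a token boundary; "=value" parts are ignored.
FLAG_RE = re.compile(r"(?<!\S)--[A-Za-z0-9-]+")


def is_browser(cmdline: str) -> bool:
    """True if the command line belongs to Chrome or Edge."""
    return any(exe in cmdline.lower() for exe in BROWSER_EXES)


def sandbox_disabled(cmdline: str) -> List[str]:
    """Return the sorted sandbox-disabling switches found in a command line."""
    flags = {f.lower() for f in FLAG_RE.findall(cmdline)}
    return sorted(flags & SANDBOX_DISABLING_FLAGS)


def audit(cmdlines: List[str]) -> Dict[str, List[str]]:
    """Map each browser command line to its offending switches ([] = sandboxed)."""
    return {c: sandbox_disabled(c) for c in cmdlines if is_browser(c)}


def live_cmdlines() -> List[str]:
    """Assumed helper: collect command lines of running processes on Windows."""
    out = subprocess.run(
        ["powershell", "-NoProfile", "-Command",
         "Get-CimInstance Win32_Process | Select-Object -ExpandProperty CommandLine"],
        capture_output=True, text=True, check=True).stdout
    return [line for line in out.splitlines() if line.strip()]


SAMPLE_CMDLINES = [  # constructed for the example
    '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --profile-directory=Default',
    '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --type=renderer --no-sandbox',
    '"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" --single-process',
    'C:\\Windows\\System32\\notepad.exe',
]

if __name__ == "__main__":
    for cmd, flags in audit(SAMPLE_CMDLINES).items():
        status = "SANDBOX OFF: " + " ".join(flags) if flags else "sandboxed"
        print(f"{status:30} {cmd}")
```

Replace SAMPLE_CMDLINES with live_cmdlines() to run the same audit against the processes on a real Windows host.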
