Chrome Zero-Day Exploit Posted on Twitter

Chrome Zero-Day
Share It On:

27th April 2021, Kathmandu

The term “Zero-day” is an imaginative time, as this type of cyberattack happens in less than a day since the awareness of the security flaw. Thereby, not giving developers ample time to eradicate or mitigate the potential risks associated with this vulnerability.

Google has released Chrome 90.0.4430.85 to address an actively exploited zero-day and four other high severity security vulnerabilities impacting today’s most popular web browser.

The version released on April 20th, 2021, to the Stable desktop channel for Windows, Mac, and Linux users will be rolling out to all users over the coming weeks.

“Google is aware of reports that exploits for CVE-2021-21224 exist in the wild,” the company’s announcement

A researcher has dropped working exploit code for a zero-day remote code execution (RCE) vulnerability on Twitter, which he said affects the current versions of Google Chrome and potentially other browsers, like Microsoft Edge, that use the Chromium framework.

Security researcher Rajvardhan Agarwal tweeted a  GitHub link to the exploit code — the result of the Pwn2Own ethical hacking contest held online last week — on Monday.

“Just here to drop a chrome 0day,” Agarwal wrote in his tweet. “Yes, you read that right.”

Pwn2Own contest rules require that the Chrome security team receive details of the code so they could patch the vulnerability as soon as possible, which they did; the latest version of the Chrome V8 JavaScript engine patches the flaw, Agarwal said in a comment posted in response to his own tweet.

However, that patch has not yet been integrated into official releases of downstream Chromium-based browsers such as Chrome, Edge, and others, leaving them potentially vulnerable to attacks. Google is expected to release a new Chrome version —including security fixes— sometime on Tuesday, though it’s unclear if patches for the bug will be included.

As of the time of publication, a Chrome update had not yet been released and Google had not yet replied to an email by Threatpost requesting comment about the flaw and the update.

Not Fully Weaponized

Security researchers Bruno Keith and Niklas Baumstark of Dataflow Security developed the exploit code for a type mismatch bug during last’s week’s contest and used it to successfully exploit the Chromium vulnerability to run malicious code inside Chrome and Edge. They received $100,000 for their work.

The exploit includes a PoC HTML file that, with its corresponding JavaScript file, can be loaded into a Chromium-based browser in order to launch the Windows calculator (calc.exe) program. Attackers would still need to escape the Chrome browser “sandbox,” a security container preventing browser-specific code from reaching the underlying OS, to complete full remote code execution, according to a published report from Recorded Future.

The researchers seemed surprised that Agarwal posted the exploit on Twitter, with Baumstark tweeting a response to Agarwal’s post on Monday. “Getting popped with our own bugs wasn’t on my bingo card for 2021,” he tweeted.

While the exploit code that Agarwal posted does indeed allow an attacker to run malicious code on a user’s operating system, he apparently was not unscrupulous enough to post a fully weaponized version of the code, according to The Record — he did not post a full exploit chain that would allow sandbox escape.

Still, the exploit as posted could still attack services that run embedded/headless versions of Chromium, where sandbox protections aren’t usually enabled, Agarwal told The Record.

The 2021 Pwn2Own spring edition, sponsored by Trend Micro’s Zero Day Initiative, was held online last week after organizers published a list of eligible targets for the contest in January. The contest drew multiple teams and included 23 hacking sessions against 10 different products from the list of predefined targets.

The teams had 15 minutes to run their exploit code and achieve RCE inside the targeted app, receiving various monetary awards — with $1.5 million in total prize money at stake — for each successful exploit from the contest’s sponsors as well as points towards the overall ranking.

Google fixed three other high severity vulnerabilities in Chrome 90.0.4430.85:

  • CVE-2021-21222: Heap buffer overflow in V8. Reported by Guang Gong of Alpha Lab, Qihoo 360 on 2021-03-30
  • CVE-2021-21223: Integer overflows in Mojo. Reported by Guang Gong of Alpha Lab, Qihoo 360 on 2021-04-02
  • CVE-2021-21225: Out of bounds memory access in V8. Reported by Brendon Tiszka (@btiszka) supporting the EFF on 2021-04-05
  • CVE-2021-21226: Use after free in navigation. Reported by Brendon Tiszka (@btiszka) supporting the EFF on 2021-04

Meantime, you need to know what to do to protect yourself and your devices from this new zero-day vulnerability. It’s true, it isn’t much you can do about it at this moment, but if you are worried you can use Firefox or Safari instead.


Share It On:

Recent Posts

Citizens Bank 11.11 Deals: Exclusive Discounts on Daraz

Citizens Bank 11.11 Deals: Exclusive Discounts on Daraz

Share It On:5th November 2024, Kathmandu Citizens Bank International Limited signed an agreement with Nepal’s leading online marketplace, Daraz, to

Local Talent Shines in Cybersecurity: Bipu Ojha and Tuan Khuat Win CDU IT CodeFair CTF

Local Talent Shines in Cybersecurity: Bipu Ojha and Tuan Khuat

Share It On:5th November 2024, Kathmandu Bipu Ojha and his teammate Tuan Khuat have emerged as winners in the prestigious

CEDB Hydropower’s Extraordinary General Meeting Concluded: Five Directors Elected

CEDB Hydropower’s Extraordinary General Meeting Concluded: Five Directors Elected

Share It On: 5th November 2024, Kathmandu CEDB Hydropower Development Company Limited has successfully concluded its extraordinary general meeting. CEDB

Government’s Journalist Accident Insurance Program: Apply Now For Your Protection

Government’s Journalist Accident Insurance Program: Apply Now For Your Protection

Share It On: 5th November, Kathmandu The Department of Information and Broadcasting has announced the launch of a new insurance

Nepal Life’s Property Acquisition in Hetauda: A Strategic Move For Growth

Nepal Life’s Property Acquisition in Hetauda: A Strategic Move For

Share It On:5th November, Kathmandu Nepal Life Insurance, a leading life insurance company in Nepal, has recently expanded its footprint

Global IME Dividend Announcement: Key Book Closure Date Revealed

Global IME Dividend Announcement: Key Book Closure Date Revealed

Share It On:5th November 2024, Kathmandu Global IME Bank has good news for its shareholders! The bank has announced a