Soon after Google patched a publicly disclosed zero-day flaw in Google Chrome, another one has surfaced in the browser. The exploit was first spotted by a user on Twitter who goes by the name “frust” (via Tom’s Guide). “Just here to drop a Chrome 0day. Yes, you read that right,” the Twitter user said on Wednesday. Frust also shared a GitHub link to the JavaScript for a proof-of-concept web page that exploits the flaw, and demonstrated in a YouTube video that the web page will launch Windows Notepad in Chrome or a related browser. If it can do that, it can do anything the user does. The tipster said that the exploit worked in Chrome version 89.0.4389.128, which was released on April 13.
The new vulnerability is being categorised as a “zero-day” flaw because the software developers had “zero days” to fix it. The Tom’s Guide report also said that the proof-of-concept hack works in a fully patched version of Microsoft Edge, and that other Chromium-based browsers like Brave, Opera, and Vivaldi are also at risk. As with previous “zero-day” flaws, this one comes with a condition: the targeted browser has to have its sandboxing turned off. Sandboxing is a mechanism that prevents malicious processes in a browser from escaping into the surrounding operating system. “Escaping” a sandbox is considered an achievement in hacking. The newly found exploit isn’t able to escape the sandbox.
So, what can users do to protect themselves and their machines from the zero-day flaw? Currently, there isn’t much to do about this flaw, except using Firefox or Safari instead. However, it is unlikely that malicious hackers will be using this flaw to attack Chrome or Edge in the short term. Google fixed the previous zero-day flaw in six days, so it can be expected that the company will do something about this one in a similar time-frame.