Tuesday, March 4, 2025

Unpatched zero-day vulnerability Affecting Current Versions of Google Chrome & Microsoft Edge Published Online


During routine research, Rajvardhan Agarwal, a security researcher from India, noted a new zero-day code execution vulnerability affecting major web browsers.

According to the report, the zero-day affects the latest versions of Google Chrome, Microsoft Edge, and other Chromium-powered browsers such as Opera and Brave.

Rajvardhan noted that this zero-day flaw has been affecting many tech giants for a long time, and that the PoC exploit was actually developed for a vulnerability exploited in the Pwn2Own hacking competition.

Unpatched zero-day vulnerability

After learning of the vulnerability, Rajvardhan Agarwal immediately published a working proof-of-concept for remote code execution. The PoC was initially released for the V8 JavaScript engine used in Chromium-based browsers.

After releasing the PoC, Rajvardhan described the PoC HTML file. He remarked that when the file is loaded in a Chromium-based browser, it exploits the vulnerability.

Once the exploit runs, it launches the Windows calculator program. However, the most important point about the PoC release is that Agarwal's zero-day does not escape the browser's sandbox.

According to the security researcher, Rajvardhan Agarwal, the Chrome sandbox is the browser security boundary that protects users from all kinds of remote code execution vulnerabilities.

The experts also affirmed that this boundary keeps such vulnerabilities from launching programs on the host computer, which is how it protects the host.

The zero-day released by Agarwal therefore needs to be chained with another vulnerability that lets the exploit escape the Chromium sandbox.

With the sandbox disabled, Agarwal's exploit can launch the calculator on Windows 10; the experts also declared that all the procedures must be followed properly for it to work correctly.

In testing, the specialists easily exploited the latest versions, Google Chrome 89.0.4389.114 and Microsoft Edge 89.0.774.76.
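The two conditions described above (a browser running with its sandbox disabled, and a build the article reports as exploited) can be checked from process inventory data. The following is an added example, not code from the article or from the researcher; the record layout, executable names and sample events are assumptions constructed for illustration, and `--no-sandbox` is the Chromium switch that disables the sandbox.

```python
import shlex

# Builds the article reports as exploited in testing (values from the page).
EXPLOITED = {"chrome.exe": "89.0.4389.114", "msedge.exe": "89.0.774.76"}
# Executable names for the browsers the article lists (names are assumptions).
BROWSERS = {"chrome.exe", "msedge.exe", "opera.exe", "brave.exe"}

def version_tuple(text):
    """Turn '89.0.4389.114' into (89, 0, 4389, 114) for numeric comparison."""
    return tuple(int(part) for part in text.split("."))

def audit(events):
    """Return sorted (pid, finding) pairs for Chromium-based browser processes."""
    findings = []
    for ev in events:
        exe = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if exe not in BROWSERS:
            continue  # the switch only matters on a Chromium-based browser
        # posix=False leaves Windows backslashes alone; strip quotes per token.
        tokens = shlex.split(ev["command_line"], posix=False)
        args = [t.strip('"').lower() for t in tokens]
        if "--no-sandbox" in args[1:]:
            findings.append((ev["pid"], "sandbox-disabled"))
        limit = EXPLOITED.get(exe)
        # Assumption: builds older than the reported one are equally affected.
        if limit and version_tuple(ev["version"]) <= version_tuple(limit):
            findings.append((ev["pid"], "exploited-build"))
    return sorted(findings)

# Constructed process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 101, "image": r"C:\Apps\Chrome\chrome.exe", "version": "89.0.4389.114",
     "command_line": r'"C:\Apps\Chrome\chrome.exe" https://example.test'},
    {"pid": 102, "image": r"C:\Program Files\Edge\msedge.exe", "version": "89.0.774.76",
     "command_line": r'"C:\Program Files\Edge\msedge.exe" --no-sandbox'},
    {"pid": 103, "image": r"C:\Apps\Chrome\chrome.exe", "version": "90.0.0.0",
     "command_line": r'"C:\Apps\Chrome\chrome.exe" --type=renderer'},
    {"pid": 104, "image": r"C:\Windows\notepad.exe", "version": "10.0.0.0",
     "command_line": r'notepad.exe --no-sandbox'},
    {"pid": 105, "image": r"C:\Apps\Brave\brave.exe", "version": "1.0.0.0",
     "command_line": r'"C:\Apps\Brave\brave.exe" "--no-sandbox"'},
]

if __name__ == "__main__":
    for pid, finding in audit(SAMPLE_EVENTS):
        print(pid, finding)
```

A process that is both on an exploited build and running with the sandbox disabled (pid 102 in the sample) is the combination the article describes as sufficient for the PoC to launch a program on the host.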

Google will now release Chrome 90, a new version meant to resolve the conflicts being faced by users and the company. Once it is released, everyone can see whether the new version contains a fix for this zero-day RCE vulnerability.

Moreover, researchers believe that Agarwal's PoC release has helped them very much, and they are now trying their best to patch the flaw.

Balaji
