Barely a day after Google patched one publicly disclosed zero-day exploit in Chrome, another one has popped up.
“Just here to drop a chrome 0day. Yes you read that right,” announced Twitter user “frust” earlier today (April 14).
The tweet included a link to a GitHub page containing JavaScript for a proof-of-concept web page that will exploit the flaw.
As frust demonstrated in a YouTube video, the web page launches Windows Notepad from inside Chrome or a related browser. Notepad is just a visible stand-in: a page that can start one program can run anything the logged-in user could run.
Frust showed the exploit working in Chrome version 89.0.4389.128, which was released yesterday (April 13).
This new vulnerability is deemed a “zero-day” flaw because the software developers, in this case the Google staffers and volunteers working on the open-source Chromium project, had “zero days” to fix it before the exploit became public.
Tom’s Guide can confirm that the proof-of-concept hack does indeed work in a fully patched version of Microsoft Edge, although we weren’t able to get it to work in Chrome.
Other Chromium-derived desktop browsers, such as Brave, Opera and Vivaldi, share the same underlying code and are also at risk.
This comes two days after a different Twitter user posted a different Chrome flaw, although he dialed back the “zero-day” label after it emerged that he had independently worked out a hack that had already won at the Pwn2Own contest last week.
The version of Chrome released yesterday patches that flaw.
Stay in your sandbox, kid
As with the previous “zero-day,” there’s a catch with this one: The targeted browser has to have its sandboxing turned off.
Sandboxing confines the browser’s web-content processes so that code running in them cannot reach out into the surrounding operating system, and sandbox “escapes” are among the most prized achievements in browser hacking.
This exploit doesn’t quite make that illustrious roster. It needs the sandbox to already be off, which in Chromium-based browsers normally means the browser was started with its sandbox disabled (the --no-sandbox switch). But if it were combined with another attack that could escape or disable the sandbox, perhaps a separate malware infection that alters how the browser is launched, then a malicious website could run programs on your PC without your knowledge.
And because the bug sits in code shared by every Chromium build rather than in anything Windows-specific, there’s a good chance this flaw can be exploited on Macs and Linux boxes as well.
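A quick way to check the precondition described above on your own machines, as an added example (this is not code from the article or from frust’s proof of concept): the script below takes process command lines and reports any Chromium-derived browser that was started with a switch that disables its sandbox. The browser-name list and the sample process table are constructed for illustration and are assumptions of this example; --no-sandbox and --disable-setuid-sandbox are real Chromium switches, and live_processes() is a convenience that reads ps on POSIX hosts.

```python
import shlex
import subprocess
import sys
from dataclasses import dataclass, field

# Chromium command-line switches that turn the process sandbox off. Both are
# real Chromium switches; the set is deliberately short and not exhaustive.
SANDBOX_DISABLING_SWITCHES = {"--no-sandbox", "--disable-setuid-sandbox"}

# Executable names of Chromium-derived desktop browsers (assumption: a
# representative list for this example, not every build or channel).
CHROMIUM_BROWSERS = {
    "chrome", "chrome.exe", "google-chrome", "google-chrome-stable",
    "chromium", "chromium-browser", "msedge", "msedge.exe",
    "brave", "brave.exe", "brave-browser", "opera", "opera.exe",
    "vivaldi", "vivaldi.exe", "vivaldi-bin",
}


@dataclass
class Finding:
    pid: int
    browser: str
    switches: list = field(default_factory=list)


def split_cmdline(cmdline: str) -> list:
    """Tokenise a command line as reported by ps/tasklist-style tools.
    posix=False keeps Windows backslashes and quoted paths intact."""
    try:
        return shlex.split(cmdline, posix=False)
    except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
        return cmdline.split()


def browser_name(argv0: str):
    """Return the executable name if argv[0] is a known Chromium-derived browser, else None."""
    name = argv0.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name if name in CHROMIUM_BROWSERS else None


def sandbox_disabling(tokens: list) -> list:
    """Switches in the argument list that disable the sandbox, in the order seen."""
    return [t for t in tokens if t.strip('"').split("=", 1)[0] in SANDBOX_DISABLING_SWITCHES]


def audit(processes) -> list:
    """processes: iterable of (pid, cmdline). Returns one Finding per
    Chromium-derived browser process that was started with its sandbox off."""
    findings = []
    for pid, cmdline in processes:
        tokens = split_cmdline(cmdline)
        if not tokens:
            continue
        name = browser_name(tokens[0])
        if name is None:
            continue  # not a browser we recognise; Electron apps etc. are out of scope here
        hits = sandbox_disabling(tokens[1:])
        if hits:
            findings.append(Finding(int(pid), name, hits))
    return findings


def live_processes():
    """Collect (pid, cmdline) pairs from a POSIX host via ps. Not used by the
    constructed sample below; on Windows feed audit() the ProcessId/CommandLine
    columns of Get-CimInstance Win32_Process instead."""
    out = subprocess.run(["ps", "-eo", "pid=,args="],
                         capture_output=True, text=True, check=True).stdout
    procs = []
    for line in out.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2:
            procs.append((int(parts[0]), parts[1]))
    return procs


# Constructed sample process table (not real telemetry) covering Windows and
# Linux command lines, a non-Chromium browser and an Electron app.
SAMPLE_PROCESSES = [
    (1201, r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'),
    (1340, r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-sandbox'),
    (2210, "/usr/lib/chromium/chromium --disable-setuid-sandbox --no-sandbox --type=renderer"),
    (2333, "/usr/bin/firefox -P work"),
    (2400, "/opt/myapp/electron --no-sandbox"),
]

if __name__ == "__main__":
    procs = live_processes() if "--live" in sys.argv else SAMPLE_PROCESSES
    for f in audit(procs):
        print(f"pid {f.pid}: {f.browser} started with {' '.join(f.switches)}")
```

Run it without arguments to see the two constructed hits (the Edge process and the Linux Chromium process), or with --live on a Linux or macOS host to audit real processes. The Electron line is deliberately not flagged: many Electron and browser-automation setups run with --no-sandbox, and they need a separate policy decision rather than being lumped in with desktop browsers. Inside a running Chromium-based browser, the chrome://sandbox page reports the same status directly.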
What to do about this
So what can you do about this? Not much at the moment, other than to use Firefox or Safari if you’re really worried, and to make sure you aren’t launching your browser with its sandbox disabled (for example through a shortcut that adds --no-sandbox). It’s unlikely any bad guys will be using this to attack Chrome or Edge in the short term.
Because a successful attack would need to be paired with a second exploit or with malware that disables the sandbox, running a reputable antivirus program on Windows 10 or on a Mac will give you a meaningful amount of protection.
Google fixed the previous Chrome zero-day flaw in six days. Let’s hope its developers can fix this one a little faster.