The Indian security researcher Rajvardhan Agarwal has publicly released a proof-of-concept exploit code for a recently discovered vulnerability that affects Google Chrome, Microsoft Edge, and other Chromium-based browsers (i.e. Opera, Brave).
The researchers uploaded the PoC code on GitHub and announced its availability via Twitter:
According to The Record, the PoC code released by the experts was the same exploited by the security duo composed of Bruno Keith (@bkth_) & Niklas Baumstark (@_niklasb) of Dataflow during the Pwn2Own 2021 hacking contest.
The two experts earned $100,000 for demonstrating an exploit for Chrome and Microsoft Edge web browsers.
“The team used a Typer Mismatch bug to exploit the Chrome renderer and Microsoft Edge. Same exploit for both browsers. They earn $100,000 total and 10 Master of Pwn points.” states the post published on the official site of the competition.
The bad news is that the patch has yet to be implemented into official releases of the major Chromium-based browsers, including Chrome and Edge, that remain vulnerable to the attack.
The partially good news is that the code released by Agarwal only allows an attacker to run malicious code on a user’s operating system but is not able to escape the Chrome sandbox, which means that it could not be used to compromise the underlying machine.
Anyway, we cannot exclude that threat actors could chain the zero-day with a sandbox escape exploit to weaponize Agarwal’s PoC code.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, Chrome zero-day)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.