Google Chrome users who were relieved by patching the recent zero-day advisory were taken aback by news of another PoC exploit, posted on Twitter by a security researcher known as Frust. It affects the then-current Chrome release, 89.0.4389.128, which was itself the fix for the first zero-day vulnerabilities of the week. Those reporting the issue claim that current versions of Microsoft Edge and other Chromium-based browsers are also vulnerable. This zero-day has not yet been assigned a CVE but is tracked as Chromium issue 1195777. The PoC has also been uploaded to GitHub, along with a video demonstrating remote code execution on Google Chrome 89.0.4389.128 that uses the issue to launch the Windows Notepad application.
This vulnerability came to light just after the release of the first Chrome advisory of the week, which fixed two zero-day vulnerabilities: CVE-2021-21206 and CVE-2021-21220. The Indian security researcher Rajvardhan Agarwal released a PoC for these two CVEs and announced its availability on Twitter.
For CVE-2021-21206, the vulnerable component is Google Chrome’s browser engine Blink, which renders HTML into the web page the user sees. The issue was reported by an anonymous researcher on 2021-04-07.
For CVE-2021-21220, the vulnerable component is Google Chrome’s JavaScript engine V8 on x86_64, which compiles scripts directly to machine code without producing an intermediate representation. The issue was reported by Bruno Keith (@bkth_) & Niklas Baumstark (@_niklasb) of Dataflow Security (@dfsec_it) via ZDI (ZDI-CAN-13569) on 2021-04-07.
Google added in the advisory,
Google is aware of reports that exploits for CVE-2021-21206 and CVE-2021-21220 exist in the wild.
Neither Frust’s PoC nor the recent zero-day remote code execution vulnerabilities can escape Chromium’s sandbox, the security feature that prevents exploits from executing code on, or accessing files of, the host computer. An attacker would need to chain these vulnerabilities with a separate sandbox-escape exploit for an attack to succeed. Google released another Chrome advisory on April 14th, fixing around 37 security vulnerabilities in version 90.0.4430.72; this advisory also did not mention the Frust RCE zero-day, issue 1195777. Unless users disable the sandbox, the Frust zero-day cannot harm them in Chrome’s default configuration. Chrome users may have to wait some time for details of this particular vulnerability to be published.
Google Chrome versions before 89.0.4389.128 are affected.
The use-after-free and insufficient-validation-of-untrusted-input vulnerabilities allow attackers to execute arbitrary code on the affected system.
Google has released security updates addressing the issues in Google Chrome version 89.0.4389.128.
SanerNow detects these vulnerabilities and automatically fixes them by applying the security updates. Use SanerNow to keep your systems updated and secure.
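As an added example (not code from the article or from SanerNow), the following script turns the two conditions above into an inventory check: it flags Chrome builds older than the 89.0.4389.128 fix or the 90.0.4430.72 April 14 update, and it flags browsers launched with the sandbox disabled, which is the one configuration the article says leaves users exposed to the unpatched issue 1195777 PoC. The inventory format, host names and sample rows are constructed; `--no-sandbox` is Chromium's real command-line switch for disabling the sandbox.

```python
"""Added example (not from the article): triage a browser inventory against the
Chrome versions and the sandbox condition described in the advisory write-up.

Assumptions: the inventory format (host, version, command line) and the sample
rows are constructed here; --no-sandbox is Chromium's real switch that turns
off the renderer sandbox."""
import re
from typing import Dict, List, Tuple

FIX_89 = (89, 0, 4389, 128)  # release that fixed CVE-2021-21206 / CVE-2021-21220
FIX_90 = (90, 0, 4430, 72)   # April 14 advisory, around 37 further fixes
NO_SANDBOX = re.compile(r"(?:^|\s)--no-sandbox(?=\s|$)")

# Constructed sample inventory: "<host> <chrome version> <command line>"
SAMPLE_INVENTORY = [
    "ws-01 89.0.4389.114 C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
    "ws-02 89.0.4389.128 chrome.exe --no-sandbox --disable-gpu",
    "ws-03 90.0.4430.72 chrome.exe --profile-directory=Default",
    "ws-04 90.0.4430.72 chrome.exe --type=renderer --no-sandbox",
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '89.0.4389.128' into (89, 0, 4389, 128) so tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per host that is unpatched or running without the sandbox."""
    findings = []
    for line in lines:
        host, version, cmdline = line.split(" ", 2)
        v = parse_version(version)
        issues = []
        if v < FIX_89:
            issues.append("unpatched for CVE-2021-21206/CVE-2021-21220 (needs 89.0.4389.128)")
        elif v < FIX_90:
            issues.append("missing April 14 update (needs 90.0.4430.72)")
        # A fully patched build is still exposed to the issue 1195777 PoC once the
        # sandbox is turned off, so this finding matters regardless of version.
        if NO_SANDBOX.search(cmdline):
            issues.append("sandbox disabled via --no-sandbox")
        if issues:
            findings.append({"host": host, "version": version, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f["host"], f["version"], "; ".join(f["issues"]))
```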