
Nearly one billion Chrome users vulnerable to exploit patched in later versions

Exodus Intelligence security researcher István Kurucsai discovered and published a proof-of-concept of a vulnerability found in Google Chrome.

Although the security flaw has been patched in Chrome’s V8 JavaScript engine, a fix hasn’t been developed for Chrome version 73, leaving at least an estimated billion users at risk. Kurucsai pointed out that this situation isn’t unique to Google, but said in his blog post that it's important for users to dig deep into a patch to know whether it applies to an exploitable security vulnerability.

Skilled adversaries could use the gap between the zero day’s announcement and the release of the patch to launch a more effective attack, Craig Young, computer security researcher for Tripwire’s VERT (Vulnerability and Exposure Research Team), told SC Media.

Young noted that some people on Twitter and members of the media have said the risk from this PoC is rather limited because it does not include a sandbox escape, but he said it's important to note that an attack can do a lot of damage without breaking out of the sandbox.

“For example, security researchers from social media giant Tencent disclosed this month at the Black Hat Asia conference that they had identified several techniques by which an attacker can achieve persistence within the browser sandbox and use this access to create unexpected attacks which may enable spyware and account hijacks,” Young said.

“With the massive dominance of the Chrome browser, Google needs to find a way to close this window.”

Young said the most obvious approach is to accelerate deployment cycles so patches are tested and released faster, but it is likely that some will also argue for a stricter embargo. The vulnerability can be mitigated by disabling JavaScript execution.
