Exodus Intelligence security researcher István Kurucsai discovered and published a proof-of-concept of a vulnerability found in Google Chrome.
Skilled adversaries could use the gap between the zero day’s announcement and the release of the patch to launch a more effective attack, said Craig Young, computer security researcher for Tripwire’s VERT (Vulnerability and Exposure Research Team) told SC Media.
Young noted that some people on Twitter and members of the media have said the risk is rather limited from this PoC, due to the fact it does not include a sandbox escape, but he said it’s important to note an attack can do a lot of damage without breaking out of the sandbox.
“For example, security researchers from social media giant Tencent, disclosed this month at the Black Hat Asia conference that they had identified several techniques by which an attacker can achieve persistence within the browser sandbox and use this access to create unexpected attacks which may enable spyware and account hijacks,” Young said.
“With the massive dominance of the Chrome browser, Google needs to find a way to close this window.”