0xploit.com

Remote RCE, Chrome 73.0.3683.86, Windows 10 x64, CVE-N/A, 1-day

The vulnerability allows remote execution of arbitrary code on the attacked system.

On Thursday, April 4, Exodus Intelligence security researcher István Kurucsai published a PoC exploit and a demo video for an unpatched vulnerability in Google Chrome. The vulnerability allows an attacker to remotely execute arbitrary code on the victim's system. The issue has already been fixed in V8 (the browser's JavaScript engine), but the patch has not yet been added to the stable version of Chrome 73, which is used on more than 1 billion devices.

The reason why the researcher decided to publish the PoC exploit before fixing the vulnerability is to demonstrate flaws in the patching process. According to Kurucsai, while Google is working on fixes, attackers have time to create exploits and attack users.

The patch delay is due to the Chrome supply chain, which involves importing and testing code from various sources. In the case of the vulnerability in the V8 engine, the fix was ready on March 18, after which it became available in the project changelog and the V8 source code. However, the patch has not yet been added to the browser itself.

The update is currently going through all the build stages, including integration with the Chromium project, integration with the Chrome codebase, testing in Chrome Canary and Chrome Beta, and only after that the patch will be added to the stable version of the browser. As a result, attackers have a "window" from several days to several weeks, when the details of the vulnerability are already known, but the stable version of Chrome has not yet received an update.

The PoC exploit published by the researcher in its current form is relatively harmless. Kurucsai deliberately did not add the sandbox bypass capability required for code execution. However, attackers can use it in conjunction with old sandbox bypass vulnerabilities and execute code on the attacked system.

Attachments: exp.html, exp.js (content hidden)
Hmm