A zero-day vulnerability is founded in a security bug that was publicly posted on Twitter and the bug is not patched in the updates of the released version yet.
A security researcher has applied a zero-day remote code execution vulnerability on Twitter that is working on the current version of Google Chrome and Microsoft Edge.
However, Rajvardhan Agarwal also issued a proof-of-concept (POC) exploit a remote code execution vulnerability that was for the V8 JavaScript engine in Chromium-based browsers.
The security researcher also states that the vulnerability founded is now fixed in the latest version of the V8 JavaScript engine and it is still not known that when Google will fix this vulnerability present in Google Chrome.
Whereas, the PoC HTML file is similar to the JavaScript file that is also concluded in Chromium-based browser and it will exploit the bugs while executing the Windows calculator program.
Meanwhile, the developer will not like the zero-day updates to the software and the most important thing is that the researcher zero-day cannot be revoked sandbox browser. The Chrome sandbox is defined as the browser security boundary that revokes the remote code execution of vulnerabilities while initiating the programs on the computer.
The zero-day RCE exploit will not be linked with other vulnerabilities that can assist the exploit to escape the Chromium sandbox.
While verifying the exploit, the expert launch the Microsoft Edge and Google Chrome browsers with the help of a flag named as –no-sandbox, and its turns off while using the Chromium sandbox.
As the sandbox is disabled, the expert also uses the exploit to launch the Calculator on the Windows 10 devices. The exploit version founded in Google Chrome is identified as 89.0.4389.114 and in Microsoft Edge is named as 89.0.774.76 which is also identified as the latest version in the Channel.
Summering Up
The vulnerability was using the same as used by the Dataflow Security by Bruno Keith and Niklas Baumstark at PWN2OWN 2021, and the researchers exploit Google Chrome and Microsoft Edge.
Google is also going to release the Chrome 90 to Stable the channel and they will see the upcoming version that holds the fix for this zero-day RCE vulnerability.
