Updated: Google has released a fix for this flaw.
Heads up: There's another serious security flaw in Google Chrome, Microsoft Edge and similar web browsers, with no fix available yet.
The flaw was revealed on Twitter yesterday (April 12) by security researcher Rajvardhan Agarwal, who posted an image of a locally housed web page "popping a calculator," i.e. demonstrating remote control of a PC by launching the calculator app.
Agarwal's tweet, April 12, 2021: "Just here to drop a chrome 0day. Yes you read that right." https://t.co/sKDKmRYWBP pic.twitter.com/PpVJrVitLR
Agarwal linked to a GitHub page from which you can download a proof-of-concept exploit — a benign hack — that you can try at home. Bleeping Computer replicated the flaw, as seen in the video below, although it didn't work for us for some reason.
In his initial tweet, Agarwal called the vulnerability a "zero-day" flaw, but that's not strictly correct, as it's the same flaw that two other researchers used to hack into Chrome at the Pwn2Own hacking contest last week.
If you use one of these browsers, don't fret just yet. The exploit won't work on its own, because Chromium-based browsers run their rendering engine inside a "sandbox" so that (most) exploits affecting it won't "escape" onto the full Windows, macOS or Linux system on which the browser is running; breaking out of the sandbox would take a second, separate bug.
Mobile versions of these browsers are also sandboxed, but there's no evidence that this flaw affects them too.
Non-Chromium browsers such as Mozilla Firefox or Apple Safari are not affected by this flaw.
How to avoid this nasty hack
To get Agarwal's exploit to work, the browser sandbox has to be disabled. You can do that in Windows by launching the Chrome executable from a command-line window with the "--no-sandbox" switch appended to its file path. A new Chrome window will open with no sandbox protections.
Unfortunately, malware can disable the sandbox, too. An attacker could use another method to infect your PC, Mac or Linux box, and then the running malware could disable the sandbox and use Agarwal's exploit to take over your machine.
There's no official timetable for when the fix for this flaw will be pushed out to Chrome, Edge and related browsers, but odds are it will be within the next few days. [See below.] Google has pushed out several other emergency updates to Chrome and Chromium in the past few months.
Update: Google patches the flaw
After this story was posted April 13, Google quietly pushed out an update that fixed the flaw in V8, Chrome's JavaScript engine, and another flaw related to the Blink browser rendering engine. The updated versions of Chrome and Chromium are both 89.0.4389.128.
Brave and Edge both appear to have released updates based on the latest version of Chromium as well, with Brave's version number matching Chromium's and Edge moving to 89.0.774.76. As of this writing, Opera (75.0.3969.171) and Vivaldi (3.7.2218.52) were both using builds based on previous versions of Chromium.
To update Chrome, Edge or Brave, click the settings icon at the top right of the browser window and scroll down to the item marked "About" at or near the bottom of the menu. "About" may also be hiding in a "Help" fly-out menu.
In Opera and Vivaldi, start by clicking the browser icon at the top left of the window, then scroll down to "Help" and click "About" in the fly-out menu.
When you select "About," a new tab will open that will either tell you that your browser is up to date or that you need to relaunch the browser to finish installing the update.
Linux users will generally have to install that day's update package from their distribution to get the latest version of their browser of choice.
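As an added defender-side example, not code from the article, Google or any browser vendor: a Python helper that compares a reported build against the fixed versions the article lists and flags a Chromium-based browser process started with the "--no-sandbox" switch described above. The command lines it checks are constructed samples, and the executable-name pattern is an assumption about typical install paths.

```python
import re
import shlex

# Fixed builds as listed in the article (Brave's number matches Chromium's there).
PATCHED_BUILDS = {
    "chrome": "89.0.4389.128",
    "chromium": "89.0.4389.128",
    "brave": "89.0.4389.128",
    "edge": "89.0.774.76",
}
# Assumed Chromium-family executable names as they appear at the end of a path.
BROWSER_RE = re.compile(r"(?:^|[\\/])(chrome|chromium|msedge|brave)(?:-browser)?(?:\.exe)?$", re.I)
NO_SANDBOX_FLAG = "--no-sandbox"

def parse_version(text):
    """'89.0.4389.128' -> (89, 0, 4389, 128); ignores any non-numeric suffix."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def is_patched(browser, installed):
    """True/False against the fixed build; None if browser unknown or version has no digits."""
    fixed = PATCHED_BUILDS.get(browser.lower())
    have = parse_version(installed)
    if fixed is None or not have:
        return None
    return have >= parse_version(fixed)

def launched_without_sandbox(cmdline):
    """Browser name if a Chromium-based browser was started with --no-sandbox
    (the state the article says the exploit needs), otherwise None."""
    try:
        tokens = shlex.split(cmdline, posix=False)  # keeps quoted Windows paths whole
    except ValueError:
        return None
    match = tokens and BROWSER_RE.search(tokens[0].strip('"'))
    if match and NO_SANDBOX_FLAG in tokens[1:]:
        return match.group(1).lower()
    return None

# Constructed sample command lines (not real telemetry) to exercise the check.
SAMPLE_PROCESSES = [
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-sandbox',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default',
    "/usr/bin/chromium-browser --no-sandbox --user-data-dir=/tmp/x",
    "/usr/bin/firefox --no-sandbox",  # not Chromium-based, so not flagged
]

def flag_unsandboxed(processes):
    """Names of Chromium-based browsers in the list running without their sandbox."""
    return [n for n in map(launched_without_sandbox, processes) if n]
```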
The V8 flaw found by the Pwn2Own competitors was categorized by Google as due to "insufficient validation of untrusted input in V8 for x86_64."
The Blink flaw, credited to "Anonymous," was characterized simply as a "use after free in Blink." That means Blink keeps using a block of memory after it has been freed, so an attacker who can get that freed memory "reused" for their own data can corrupt the engine's state and attack Chromium.
Whoever "Anonymous" is, they'll get an unspecified amount of bug-bounty money from Google.
Sadly (or not) for Bruno Keith and Niklas Baumstark, the finders of the V8 flaw, they're ineligible for a Google bug bounty because they're already splitting $100,000 in prize money from their Pwn2Own win.