Chrome and Edge hacked by new zero-day flaw — what to do

Google Chrome
(Image credit: Shutterstock)

Not much sooner after Google patched one publicly disclosed zero-day exploit in Chrome did another one pop up. 

"Just here to drop a chrome 0day. Yes you read that right," announced Twitter user "frust" earlier today (April 14). 

The tweet included a link to a GitHub page containing JavaScript for a proof-of-concept web page that will exploit the flaw. 

As frust demonstrated in a YouTube video, the web page will launch Windows Notepad in Chrome or a related browser. If it can do that, it can do anything the user can do. 

Frust made clear to show that the exploit worked in Chrome version 89.0.4389.128, which was released yesterday (April 13).

This new vulnerability is deemed a "zero day" flaw because the software developers, in this case the Google staffers and volunteers working on the open-source Chromium project, had "zero days" to fix it before exploits began to appear "in the wild."

Tom's Guide can confirm that the proof-of-concept hack does indeed work in a fully patched version of Microsoft Edge, although we weren't able to get it to work in Chrome. 

Other Chromium-derived desktop browsers, such as Brave, Opera and Vivaldi are also at risk. 

This comes two days after a different Twitter user posted a different Chrome flaw, although he dialed back the "zero-day" label after it emerged that he'd figured out a hack that had won at the Pwn2Own contest last week. 

The version of Chrome released yesterday patches that flaw.

Stay in your sandbox, kid

As with the previous "zero-day," there's a catch with this one: The targeted browser has to have its sandboxing turned off. 

Sandboxing prevents malicious processes in a browser from escaping out into the surrounding operating system, and sandbox "escapes" are desired achievements in hacking. 

This exploit doesn't quite make that illustrious roster. But if it were to be combined with another attack, perhaps via a separate malware infection, that was able to disable browser sandboxing, then a malicious website could reach out and run programs on your PC without your knowledge. 

And because Chrome/Chromium flaws are often "platform agnostic," there's a good chance this flaw can be exploited on Macs and Linux boxes as well.

What to do about this

So what can you do about this? Not much at the moment, other than to use Firefox or Safari if you're really worried. It's unlikely any bad guys will be using this to attack Chrome or Edge in the short term. 

Because a successful attack would need to be paired with a second exploit, running one of the best Windows 10 antivirus or best Mac antivirus programs will give you a significant amount of protection.

Google fixed the previous Chrome zero-day flaw in six days. Let's hope its developers can fix this one a little faster.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

  • khelban
    Another browser I have checked.

    AVG Secure Browser is up to date
    Version 89.1.8954.116 (Official Build) (64-bit)

    According to AVG this is a chrome based browser.
  • kep55
    One can avoid most if not all of these exploits by:
    NOT clicking on every URL that pops up on your screen;
    Use common sense;
    Never open emails from unknown people (AOL still lets you see the mail header & source with right-click. No one seems to care about the little bit of security.)
    Never open attachments to any messages from any social site or not requested by yourself.