Chrome and Edge Hacked by New Zero-Day Flaws - What to Do

Shortly after Google patched the publicly disclosed Chrome zero-day vulnerability, another one appeared.

"We just came to drop a zero-day in Chrome. Yes, that's right," announced Twitter user "frust" earlier today (April 14). [The tweet included a link to a GitHub page containing JavaScript for a proof-of-concept web page that exploits the flaw.

As frust showed in the YouTube video, the web page launches Windows Notepad in Chrome or related browsers. Once that is done, anything the user can do can be done.

Frust revealed that the exploit works in version 89.0.4389.128 of Chrome, which was released yesterday (April 13).

This new vulnerability is considered a "zero-day" flaw because the software developers, in this case Google staff and volunteers working on the open source Chromium project, had zero days to fix it before the exploit started circulating "out in the wild."

Tom's Guide could not get the exploit to work in Chrome, but can confirm that the proof-of-concept hack does indeed work in a fully patched version of Microsoft Edge.

Other Chromium-derived desktop browsers, including Brave, Opera, and Vivaldi, are also at risk.

This comes two days after another Twitter user posted another Chrome flaw, but dropped the "zero-day" label after it was revealed that he had figured out the hack that won last week's Pwn2Own contest.

A version of Chrome released yesterday patches that flaw.

As with the previous "zero-day," there is a catch to this issue: the targeted browser's sandbox must be turned off.

Sandboxing prevents malicious processes in the browser from escaping to the surrounding operating system, and a sandbox "escape" is a highly prized outcome in hacking.

This exploit does not belong on that list, because it does not escape the sandbox by itself. However, when combined with another attack that can disable the browser's sandbox, perhaps through another malware infection, a malicious website could reach your PC and run a program without your knowledge.
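Because the exploit only works when the sandbox is off, one practical check is to look for Chromium-family browser processes that were started with the `--no-sandbox` switch. The Python below is an added example, not part of the original article; the executable names and the sample process list are assumptions constructed for illustration.

```python
import re

# Executable names for the Chromium-family browsers named in the article
# (assumed names; adjust for your fleet).
CHROMIUM_EXES = {"chrome", "msedge", "brave", "opera", "vivaldi"}

def parse_cmdline(cmdline):
    """Split a command line into (executable basename, argument tokens)."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))(.*)', cmdline)
    if not m:
        return "", []
    path = m.group(1) or m.group(2)
    exe = re.split(r"[\\/]", path)[-1].lower()
    if exe.endswith(".exe"):
        exe = exe[:-4]
    return exe, m.group(3).split()

def unsandboxed_browsers(processes):
    """Return (pid, exe, process_type) for browser processes started with --no-sandbox."""
    findings = []
    for pid, cmdline in processes:
        exe, args = parse_cmdline(cmdline)
        if exe not in CHROMIUM_EXES:
            continue
        # Chromium stops reading switches at a bare "--"; later tokens are plain arguments.
        if "--" in args:
            args = args[:args.index("--")]
        if "--no-sandbox" not in args:  # exact token, so a URL containing the text does not match
            continue
        ptype = next((a.split("=", 1)[1] for a in args if a.startswith("--type=")), "browser")
        findings.append((pid, exe, ptype))
    return findings

# Constructed sample process list (pid, command line); not taken from a real host.
SAMPLE = [
    (4100, r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-sandbox https://example.test/'),
    (4112, r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-sandbox --lang=en-US'),
    (5200, r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default'),
    (6300, '/usr/bin/brave https://example.test/?q=--no-sandbox'),
    (6400, '/opt/vivaldi/vivaldi -- --no-sandbox'),
    (7000, r'C:\Windows\System32\notepad.exe --no-sandbox'),
]

if __name__ == "__main__":
    for pid, exe, ptype in unsandboxed_browsers(SAMPLE):
        print(f"pid={pid} {exe} ({ptype} process) is running with the sandbox disabled")
```

Feed it the process list from your own endpoint tooling; an unquoted executable path that contains spaces will not parse correctly with this simple splitter.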

Also, since Chrome/Chromium flaws are often "platform-independent," it is quite possible that this flaw could be exploited on Mac or Linux as well.

So what can be done about this? At the moment, there isn't much you can do except use Firefox or Safari if you are really worried. In the short term, the bad guys will not use this to attack Chrome or Edge.

If the attack is successful, running one of the best Windows 10 antivirus or best Mac antivirus programs will provide significant protection, as the attack will need to be combined with a second exploit.

Google had six days to fix the previous Chrome zero-day flaw. Let's hope Google's developers can fix this flaw a little faster.
