RCE Vulnerability Affecting Older Versions of Chrome Will Remain Unpatched (remote code execution)

LASER_oneXM

A remote code execution vulnerability affects older versions of the Google Chrome browser, all except the current version — Chrome 60.

The flaw was discovered by a security researcher who wanted to remain anonymous and reached out to Beyond Security’s SecuriTeam Secure Disclosure program to inform Google of the issue.

In a response to the company's bug report, Google told Beyond Security engineers they do not plan to address the vulnerability because it does not work in the most recent version, the only one Google's security team is interested in servicing.

Around 10% of Internet users still exposed
The release of the proof-of-concept code will cause problems in the future, as it will provide free ammo for tech support scammers, adware devs, and for developers of malicious Chrome extensions.

Google Chrome, overall, has a browser market share of around 59%. According to Web analytics firm Clicky, Chrome 60 accounts for 50% of those installations. This leaves nearly one in ten web users exposed to this flaw.

It is unclear if this issue also affects the Chromium project and other browsers where the V8 Turbofan optimizer was also included, so more users may be affected.


Upgrading to the latest Chrome 60 version will mitigate this flaw.
 
