Researcher publishes Google Chrome exploit

[silversurfer]

Content source

https://www.zdnet.com/article/researcher-publishes-google-chrome-exploit/

Vulnerability patched in Chrome's V8 JavaScript engine, but the fix has not yet reached the Chrome stable branch.

A security researcher has published today proof-of-concept code for an unpatched Google Chrome vulnerability.

The security flaw has been fixed in V8, Chrome's JavaScript engine, but the fix has not yet reached the browser's stable version --v73-- the one used by an estimated over one billion users.

CHROME'S PATCH DELAY PROBLEM
The exploit code was put together by István Kurucsai, a security researcher for Exodus Intelligence, and released today on GitHub, along with a demo video (see above).

The reason why the researcher published this proof-of-concept exploit code was to highlight a glaring hole in Google's patching process, which allows for a small interval of time during which attackers can develop Chrome exploits and launch attacks on users.

This gap comes from Chrome's IT supply chain, which involves importing and testing code from different open source projects.

In this case, Google engineers fixed a V8 security issue on March 18, which it later become public in the V8 project's changelog and source code, but had yet to reach the Chrome Stable release.

This patch is currently traveling the Chrome assembly line, which involves being integrated into the Chromium open-source browser project, and then integrated into the Chrome codebase, and then tested in Chrome Canary and Chrome Beta releases before reaching the final Stable branch in the form of a patch.

"As a result of its open-source development model, while security fixes are immediately visible in the source tree, they need time to be tested in the non-stable release channels of Chrome before they can be pushed out via the auto-update mechanism as part of a stable release to most of the user-base," Kurucsai said today in a report he published on the Exodus Intelligence website.

"In effect, there's a window of opportunity for attackers ranging from a couple days to weeks in which the vulnerability details are practically public yet most of the users are vulnerable and cannot obtain a patch," he added.