Second Google Chrome zero-day exploit dropped on Twitter this week

Gandalf_The_Grey

A second Chromium zero-day remote code execution exploit has been released on Twitter this week that affects current versions of Google Chrome, Microsoft Edge, and likely other Chromium-based browsers.

A zero-day vulnerability is when detailed information about a vulnerability or an exploit is released before the affected software developers can fix it. These vulnerabilities pose a significant risk to users as they allow threat actors to begin using them before a fix is released.

Today, a security researcher known as frust dropped a PoC exploit on Twitter for a zero-day bug in Chromium-based browsers that causes the Windows Notepad application to open.

another chrome 0day
avboy1337/1195777-chrome0day
Just here to drop a chrome 0day. Yes you read that right.
— frust (@frust93717815) April 14, 2021
https://twitter.com/frust93717815/status/1382301769577861123?ref_src=twsrc^tfw

This new zero-day vulnerability comes a day after Google released Chrome 89.0.4389.128 to fix a different Chromium zero-day vulnerability publicly released on Monday.

Like Monday's zero-day vulnerability, frust's remote code execution vulnerability is not capable of escaping Chromium's sandbox security feature. Chromium's sandbox is a security feature that prevents exploits from executing code or accessing files on host computers.

Unless a threat actor chains the new zero-day with an unpatched sandbox escape vulnerability, the new zero-day in its current state cannot harm users unless they disable the sandbox.

Google was scheduled to release Chrome 90 for Desktop yesterday, April 13th, but instead released the new version of Chrome to fix the zero-day released on Monday.

It is not known if this additional zero-day will further prevent Chrome 90 from being released as Google plays catch-up with security researchers.
 

JB007

Just got Chrome 90...
 

ErzCrz

Again, the sandbox has to be disabled by the user first, which is a core security feature. Unless Chrome allows sites to disable the sandbox, I'm not seeing that Chrome is vulnerable, but I'm not up properly on Chromium tech.
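
The point raised in this thread, that the published PoCs only do harm where the sandbox is off, can be checked on managed machines. The following is an added example, not part of any post in the thread: it assumes a process inventory exported as (host, executable path, version, command line) rows, and the rows, host names, browser name list and the `audit` helper are constructed for illustration. `--no-sandbox` is the Chromium switch that disables the sandbox.

```python
import re

FIXED_CHROME = (89, 0, 4389, 128)   # build the article says fixed Monday's zero-day
CHROME = {"chrome", "chrome.exe"}
CHROMIUM_BASED = CHROME | {"msedge", "msedge.exe", "chromium", "brave", "brave.exe"}

# Constructed inventory rows: (host, executable path, version, command line).
SAMPLE = [
    ("ws-01", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "89.0.4389.128", "chrome.exe --type=renderer --lang=en-US"),
    ("ws-02", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "89.0.4389.114", "chrome.exe"),
    ("kiosk-07", "/opt/google/chrome/chrome",
     "90.0.4430.72", "chrome --kiosk --no-sandbox https://intranet.example/"),
    ("ws-03", r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "89.0.774.76", "msedge.exe --no-sandbox"),
    ("ws-04", r"C:\Windows\System32\notepad.exe", "10.0.19041.1", "notepad.exe --no-sandbox"),
]

def exe_name(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()

def parse_version(text):
    """'89.0.4389.128' -> (89, 0, 4389, 128); raises ValueError on junk."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"unexpected version string: {text!r}")
    return parts

def audit(rows):
    """Return (host, browser, finding) tuples for risky browser processes."""
    findings = []
    for host, path, version, cmdline in rows:
        name = exe_name(path)
        if name not in CHROMIUM_BASED:
            continue                      # the flag on a non-browser process is irrelevant
        if "--no-sandbox" in cmdline.split():
            findings.append((host, name, "sandbox disabled"))
        # Edge and other forks use their own build numbers, so compare Chrome only.
        if name in CHROME and parse_version(version) < FIXED_CHROME:
            findings.append((host, name, "older than 89.0.4389.128"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```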
 

wat0114

This vulnerability is believed to be the same one used by Dataflow Security's Bruno Keith and Niklas Baumstark at Pwn2Own 2021, where the researchers exploited Google Chrome and Microsoft Edge.

https://www.bleepingcomputer.com/news/security/google-chrome-microsoft-edge-zero-day-vulnerability-shared-on-twitter/

So I guess the Pwn2Own exploit is also contained by Chrome's sandbox?
 
