Chrome and Edge Hacked by New Zero—Day Flaws - What to Do

Chrome and Edge Hacked by New Zero—Day Flaws - What to Do

Shortly after Google patched the publicly disclosed Chrome zero-day vulnerability, another one appeared

"We just came to drop a zero-day in Chrome Yes, that's right," announced Twitter user "frust" earlier today (April 14) [The tweet included a link to a GitHub page containing JavaScript for a proof-of-concept web page that exploits the flaw

As frust showed in the YouTube video, the web page launches Windows Notepad in Chrome or related browsers Once that is done, anything the user can do can be done

Frust revealed that the exploit works in version 8904389128 of Chrome, which was released yesterday (April 13)

This new vulnerability is considered a "zero-day" flaw This is because software developers, in this case Google staff and volunteers working on the open source Chromium project, had a "zero-day" grace period to fix the exploit before it started circulating "out in the wild"

Tom's Guide could not be made to work in Chrome, but a fully patched version of Microsoft Edge can confirm that the proof-of-concept hack does indeed work

Other Chromium-derived desktop browsers, including Brave, Opera, and Vivaldi, are also at risk

This comes two days after another Twitter user posted another Chrome flaw, but dropped the "zero-day" label after it was revealed that he had figured out the hack that won last week's Pwn2Own contest

A version of Chrome released yesterday patches that flaw

As with the previous "zero-day," there is a catch to this issue: the targeted browser's sandbox must be turned off

Sandboxing prevents malicious processes in the browser from escaping to the surrounding operating system, and sandbox "escaping" is a desirable outcome in hacking

This exploit does not make such a glorious list However, when combined with another attack that can disable the browser's sandbox, perhaps through another malware infection, a malicious website could reach your PC and run a program without your knowledge

Also, since the Chrome/Chromium flaw is often "platform-independent," it is quite possible that this flaw could be exploited on Mac or Linux as well

So what can be done about this? At the moment, there isn't much you can do except use Firefox or Safari if you are really worried In the short term, the bad guys will not use this to attack Chrome or Edge

If the attack is successful, running either the best Windows 10 antivirus or the best Mac antivirus program will provide significant protection, as it will need to be combined with a second exploit

Google had six days to fix the previous Chrome zero-day flaw Let's hope Google's developers can fix this flaw a little faster

Categories