Researcher publishes Google Chrome exploit

Vulnerability patched in Chrome's V8 JavaScript engine, but the fix has not yet reached the Chrome stable branch.

A security researcher has published today proof-of-concept code for an unpatched Google Chrome vulnerability.

The security flaw has been fixed in V8, Chrome's JavaScript engine, but the fix has not yet reached the browser's stable version --v73-- the one used by an estimated over one billion users.

Chrome's patch delay problem

The exploit code was put together by István Kurucsai, a security researcher for Exodus Intelligence, and released today on GitHub, along with a demo video (see above).

The reason why the researcher published this proof-of-concept exploit code was to highlight a glaring hole in Google's patching process, which allows for a small interval of time during which attackers can develop Chrome exploits and launch attacks on users.

This gap comes from Chrome's IT supply chain, which involves importing and testing code from different open source projects.

In this case, Google engineers fixed a V8 security issue on March 18, which it later become public in the V8 project's changelog and source code, but had yet to reach the Chrome Stable release.

This patch is currently traveling the Chrome assembly line, which involves being integrated into the Chromium open-source browser project, and then integrated into the Chrome codebase, and then tested in Chrome Canary and Chrome Beta releases before reaching the final Stable branch in the form of a patch.

"As a result of its open-source development model, while security fixes are immediately visible in the source tree, they need time to be tested in the non-stable release channels of Chrome before they can be pushed out via the auto-update mechanism as part of a stable release to most of the user-base," Kurucsai said today in a report he published on the Exodus Intelligence website.

"In effect, there's a window of opportunity for attackers ranging from a couple days to weeks in which the vulnerability details are practically public yet most of the users are vulnerable and cannot obtain a patch," he added.

PoC code is not complete

To be clear, the exploit that Kurucsai released today is a remote code execution bug that would let an attacker run code on a user's system. However, the exploit is somewhat harmless in its current form, as it lacks a sandbox escape vulnerability to be a complete exploit chain, and be able to run code on the underlying operating system.

Nonetheless, attackers can use older Chrome sandbox escape flaws together with the Kurucsai's current RCE bug to attack users running unpatched Chrome browsers (vulnerable to older sandbox escapes bugs).

Use cases for this code would be as part of malvertising campaigns or watering hole attacks.

More browser coverage: