A security vulnerability in the massively popular SQLite database engine puts thousands of desktop and mobile applications at risk.
Discovered by Tencent's Blade security team, the vulnerability allows an attacker to run malicious code on the victim's computer, and in less dangerous situations, leak program memory or cause program crashes.
Because SQLite is embedded in thousands of apps, the vulnerability impacts a wide range of software, from IoT devices to desktop software, and from web browsers to Android and iOS apps.
The bad news, according to Tencent Blade researchers, is that this vulnerability can also be exploited remotely by accessing something as simple as a web page, if the underlying browser support SQLite and the Web SQL API that translates the exploit code into regular SQL syntax.
Firefox and Edge don't support this API, but the Chromium open-source browser engine does. This means that Chromium-based browsers like Google Chrome, Vivaldi, Opera, and Brave, are all affected. A demo that crashes a Chrome tab is available here.
But while web browsers pose the biggest attack surface, other apps are also affected. For example, Google Home is also vulnerable.
"We successfully exploited Google Home with this vulnerability," the Tencent Blade team said in a security advisory this week.
Tencent Blade researchers said they reported this issue to the SQLite team earlier this fall. A fix was shipped out on December 1, with the release of SQLite 3.26.0. The fix was also ported inside Chromium, and later in Google Chrome 71, released last week.
Chromium-based browsers like Vivaldi and Brave are running the latest version of Chromium, but Opera is still one Chromium release behind, meaning it's latest release is still affected.
While it does not support Web SQL, Firefox, too, is affected, since it comes with a locally accessible SQLite database, meaning a local attacker could abuse this vulnerability to execute code and more.
Eyal Itkin, a Check Point researcher, also pointed out that the vulnerability also requires an attacker having "the ability to issue arbitrary SQL commands so to corrupt the DB and trigger the vulnerability," which greatly reduces the number of vulnerable applications.
But even if the SQLite team shipped a fix, many apps are likely to remain vulnerable for years to come. Updating the underlying database engine to any desktop, mobile, or web app is a dangerous process, which sometimes can result in data corruption, and most programmers avoid it as long as possible.
App developers rarely update libraries and the component parts of their apps as it is, so the chances that this vulnerability will haunt the app ecosystem for years is pretty high.
Because of this reason, the Tencent Blade team said it would refrain for the time being from releasing any proof-of-concept exploit code. Nonetheless, other security researchers have already started combing the SQLite patch to reverse engineer it and see how the vulnerability works under the hood.
This SQLite vulnerability has not yet received a CVE identification number and Tencent researchers are using the "Magellan" codename to refer to it for now.