Security researcher drops Chrome and Edge exploit on Twitter

An Indian security researcher has published today proof-of-concept exploit code for a recently discovered vulnerability impacting Google Chrome, Microsoft Edge, and other Chromium-based browsers like Opera and Brave.

The researcher, Rajvardhan Agarwal, told The Record today that the exploit code is for a Chromium bug that was used during the Pwn2Own hacking contest that took place last week.

During the contest, security researchers Bruno Keith (@bkth_) & Niklas Baumstark (@_niklasb) of Dataflow Security used a vulnerability to run malicious code inside Chrome and Edge, for which they received $100,000. Per contest rules, details about this bug were handed over to the Chrome security team so the bug could be patched as soon as possible.

While details about the exact nature of the bug were never publicly disclosed, Agarwal told The Record he spotted the patches for this bug by looking at the source code commits to the V8 JavaScript engine, a component of the Chromium open-source browser project, which allowed him to recreate the Pwn2Own exploit, which he uploaded earlier today on GitHub, and shared on Twitter.

However, while Chromium developers have patched the V8 bug last week, the patch has not yet been integrated into official releases of downstream Chromium-based browsers such as Chrome, Edge, and others, which are still vulnerable to attacks.

Another instance of the "open-source patch gap"

In the world of software development, today's disclosure represents the perfect example of a software patch gap, a term used to describe the time from when a patch for a security flaw is applied in an open-source component and until the same patch makes its way downstream to a project that relies on that component.

Security researchers warned software makers for decades that threat actors could exploit security bugs during this gap to attack their users.

Ironically, the Google Chrome browser has often been used to exemplify the dangers of a long patch gap. For example, in April and September 2019, security researchers from Exodus Intelligence have published research describing how they scoured the V8 project's changelog to discover security patches and then created exploits for those bugs to attack Chrome users.

In February 2020, Google responded to this research by reducing the Chrome patch gap from 33 to 15 days, committing to releasing Chrome browser updates with security fixes every two weeks, a cycle that was later also adopted by Microsoft Edge.

Sandbox escape needed to attack browsers

But Agarwal's disclosure today shows that the patch gap is still large enough to pose problems to Chrome, Edge, and other Chromium browser users.

However, the security researcher was not irresponsible enough to release a fully weaponized exploit.

Agarwal's code allows an attacker to run malicious code on a user's operating system; however, his exploit still needs to escape the Chrome browser "sandbox," a security container that prevents browser-specific code from reaching the underlying OS.

Attackers who want to weaponize Agarwal code would need this first part of an exploit chain in order to use the V8 zero-day, which is usually the second part of the attack.

However, Agarwal told The Record that while attacking web browsers might require a sandbox escape, the exploit is dangerous when used to attack services that run embedded/headless versions of Chromium, where sandbox protections aren't usually enabled, since these require access to very large physical resources.

While a Google spokesperson did not return a request for comment from The Record, the browser maker is scheduled to release a new Chrome version —including security fixes— tomorrow. At the time of writing, it is, however, unclear if patches for Agarwal's V8 bug will be released tomorrow.

UPDATED on April 13 to add that Google has released a new Chrome version that fixes this vulnerability.

Article updated with Agarwal interview. Removed zero-day from headline and article text as this was not the case, per Agarwal's statements.