A second Chromium zero-day remote code execution exploit has been released on Twitter this week, affecting current versions of Google Chrome, Microsoft Edge, and other Chromium-based browsers.
A zero-day vulnerability is one for which detailed information or an exploit is released before the affected software's developers can fix it. Zero-days are a risk to users because threat actors can use them before a fix is released.
A security researcher known as frust posted a PoC exploit on Twitter for a zero-day bug affecting Chromium-based browsers that causes the Windows Notepad application to open.
This new vulnerability comes a day after Google released Chrome 89.0.4389.128 to fix a different Chromium zero-day vulnerability that was released on Monday.
Like the recent zero-day vulnerability, frust’s remote code execution vulnerability is not capable of escaping Chromium’s sandbox security feature. Chromium’s sandbox prevents exploits from executing code or accessing files on host computers.
As long as a threat actor does not chain the new zero-day with an unpatched sandbox escape vulnerability, the new zero-day in its current state cannot harm users unless they disable the sandbox.
Frust also released a video demonstrating the vulnerability being exploited to prove that their PoC exploit works.
When the sandbox is disabled, the exploit could launch Notepad on Google Chrome 89.0.4389.128 and Microsoft Edge 89.0.774.76, which are the latest versions of both browsers.
Google was scheduled to release Chrome 90 for Desktop on April 13th, but instead released the new version of Chrome to fix the zero-day released on Monday.
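Because the exploit only has an effect when the sandbox is disabled, defenders can look for browsers started that way. The following is an added example, not code from the researcher or from the original article: it scans process-creation events for a Chromium-based browser launched with the `--no-sandbox` switch, and for another program (such as Notepad) started by such a browser. The event field names, the browser watch list and the sample events are assumptions constructed for illustration.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Assumed watch list of Chromium-based browser executables; extend for your fleet.
BROWSERS = {"chrome.exe", "msedge.exe"}
# Match --no-sandbox only as a standalone argument, not inside a URL or value.
NO_SANDBOX = re.compile(r"(?<!\S)--no-sandbox(?!\S)", re.IGNORECASE)

def is_browser(image):
    return basename(image).lower() in BROWSERS

def audit(events):
    """Return (reason, image) pairs for process-creation events worth reviewing."""
    findings = []
    for ev in events:
        if is_browser(ev["image"]) and NO_SANDBOX.search(ev["command_line"]):
            findings.append(("browser started with sandbox disabled", ev["image"]))
        elif (is_browser(ev["parent_image"]) and not is_browser(ev["image"])
              and NO_SANDBOX.search(ev["parent_command_line"])):
            findings.append(("unsandboxed browser spawned another program", ev["image"]))
    return findings

def event(image, command_line, parent_image, parent_command_line):
    # Hypothetical event shape, modelled on typical process-creation logs.
    return {"image": image, "command_line": command_line,
            "parent_image": parent_image, "parent_command_line": parent_command_line}

EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
NOTEPAD = r"C:\Windows\System32\notepad.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed sample events, not taken from any real log.
SAMPLE_EVENTS = [
    # Flag text inside a URL must not trigger a finding.
    event(CHROME, f'"{CHROME}" https://example.test/?q=--no-sandbox', EXPLORER, EXPLORER),
    event(EDGE, f'"{EDGE}" --no-sandbox', EXPLORER, EXPLORER),
    event(NOTEPAD, "notepad.exe", EDGE, f'"{EDGE}" --no-sandbox'),
    event(NOTEPAD, "notepad.exe", EXPLORER, EXPLORER),
]

if __name__ == "__main__":
    for reason, image in audit(SAMPLE_EVENTS):
        print(f"{reason}: {image}")
```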