
Unpatched Chrome, Opera, and Brave Browsers are vulnerable to a Remote Code Execution Exploit (RCE)

  • Writer: Cyber Cluster
  • Apr 13, 2021

Proof-of-concept (PoC) exploit code for a newly discovered bug in Google Chrome and other Chromium-based browsers like Microsoft Edge, Opera, and Brave has been publicly released by an Indian security researcher.



The working exploit, released by Rajvardhan Agarwal, targets a remote code execution flaw in the V8 JavaScript engine that powers these browsers. It's thought to be the same vulnerability that Dataflow Security's Bruno Keith and Niklas Baumstark demonstrated last week at the Pwn2Own 2021 hacking competition.

For exploiting the vulnerability to run malicious code within Chrome and Edge, Keith and Baumstark were awarded $100,000.


According to Agarwal's screenshot, the PoC HTML file and its related JavaScript file can be loaded in a Chromium-based browser to exploit the vulnerability and launch the Windows calculator (calc.exe) programme. It's worth mentioning, though, that the exploit must be combined with another bug in order to bypass Chrome's sandbox.




Agarwal appears to have built the PoC by reverse-engineering the patch that Google's Chromium team pushed to the open-source component after the bug was disclosed. Baumstark tweeted, "Being popped with our own bugs wasn't on my bingo card for 2021." "I'm not sure it was Google's best move to add the regression test too soon."

Although Google has fixed the problem in the latest version of V8, the fix has yet to reach the stable channel, leaving browsers vulnerable to attacks. Chrome 90 is scheduled to be released later today, but it's unclear if it will provide a fix for the V8 bug.



 
 
 
