RCE Vulnerability shambles Google Chrome Dev Channel

A recently patched, severe remote code execution vulnerability has been reported in the V8 JavaScript and WebAssembly engine used in Google Chrome and Chromium-based browsers. The problem stems from a use-after-free in the instruction optimization component; successful exploitation could “allow an attacker to execute arbitrary code in the context of the browser.” The issue was identified in the Dev channel version of Chrome 101 and was reported to Google by Weibo Wang, a security researcher at the Singapore cybersecurity company Numen Cyber Technology; it has since been quietly fixed by the company.

“This vulnerability occurs in the instruction selection stage, where the incorrect instruction has been chosen, resulting in a memory access exception,” Wang said. Use-after-free flaws occur when previously freed memory is accessed, inducing undefined behavior and causing a program to crash, use corrupted data, or even achieve arbitrary code execution. More concerning still, the issue can be exploited remotely via a specially crafted website to bypass security restrictions and run arbitrary code on the targeted system.

“This vulnerability can be further exploited using heap spraying techniques, and then leads to a ‘type confusion’ vulnerability,” Wang explained. “The vulnerability allows an attacker to control the function pointers or write code into arbitrary locations in memory, and ultimately leads to code execution.” Furthermore, this is not the first time such use-after-free vulnerabilities have been detected in Chrome; many have been found before and have been exploited in real-world attacks.

Sources

https://thehackernews.com/2022/05/experts-detail-new-rce-vulnerability.html

https://infosecwriteups.com/zero-day-vulnerability-chromium-v8-js-engine-issue-1303458-use-after-free-in-x64-instruction-e874419436a6