Zero-day vulnerability discovered that affects the most recent versions of Chromium-powered browsers
Microsoft and Google work hand in hand on the development of Chromium. That collaboration has its advantages, as we saw the other day when discussing the fix for the bug that affected YouTube on Windows 10, but it also brings the occasional problem. This is the case with a zero-day threat that affects both browsers.
The flaw affects both Edge and Chrome and works in the latest versions of both browsers. Discovered by a security researcher, it can allow remote code execution and thereby launch any application or program without user activation.
For Chromium-based browsers
Researcher Rajvardhan Agarwal (@r4j0x00 on Twitter) has discovered and fixed a vulnerability in Edge and Chrome that may facilitate remote code execution. The bug is functional in the current versions of Google Chrome and Microsoft Edge.
This is a remote code execution vulnerability in the V8 JavaScript engine used by Chromium-based browsers. Although it is fixed in the latest version of the V8 JavaScript engine, that fix has not yet been implemented in either browser.
The bug works when an HTML PoC and the corresponding JavaScript file are loaded in a Chromium-based browser. The researcher used the vulnerability to start the Windows Calculator program, but it may make it easier to load any program.
The positive part is that this bug is difficult to exploit, because it is contained by Chromium's sandbox, which isolates the process from the rest so an attacker cannot access the other applications and functions of the system. For the exploit to work, the browser has to be started with the --no-sandbox command-line flag, which disables the sandbox.
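Because the sandbox is what contains this bug, a defender can check whether any Chrome or Edge process on a machine was started with it disabled. The following is an added example, not code from the researcher or from the Chromium project; the event fields (pid, image, cmdline), the executable names and the sample events are constructed assumptions.

```python
import ntpath
import re

# Executable names assumed for the two browsers the article names.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe"}
FLAG = "--no-sandbox"
# A token is a run of non-space characters and/or double-quoted segments.
TOKEN = re.compile(r'(?:[^\s"]|"[^"]*")+')

def sandbox_disabled(cmdline):
    """True if --no-sandbox appears as a switch on this command line."""
    for tok in TOKEN.findall(cmdline):
        tok = tok.replace('"', "")
        if tok == "--":  # Chromium stops reading switches after a bare "--"
            return False
        if tok == FLAG:  # exact token match, so a URL containing the text is ignored
            return True
    return False

def process_role(cmdline):
    """Child processes carry --type=<role>; the main browser process has none."""
    m = re.search(r"(?:^|\s)--type=([\w-]+)", cmdline)
    return m.group(1) if m else "browser"

def find_unsandboxed(events):
    """Return (pid, image name, role) for each browser process without a sandbox."""
    hits = []
    for ev in events:
        name = ntpath.basename(ev["image"]).lower()
        if name in BROWSER_IMAGES and sandbox_disabled(ev["cmdline"]):
            hits.append((ev["pid"], name, process_role(ev["cmdline"])))
    return hits

# Constructed sample process-creation events (not real telemetry).
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_EVENTS = [
    {"pid": 4120, "image": CHROME, "cmdline": f'"{CHROME}" --no-sandbox https://example.test/'},
    {"pid": 4188, "image": CHROME, "cmdline": f'"{CHROME}" --type=renderer --no-sandbox --lang=en-US'},
    {"pid": 5012, "image": EDGE, "cmdline": f'"{EDGE}" --profile-directory=Default'},
    {"pid": 5100, "image": CHROME, "cmdline": f'"{CHROME}" https://example.test/?q=--no-sandbox'},
    {"pid": 5200, "image": EDGE, "cmdline": f"{EDGE} --no-sandbox"},
    {"pid": 6000, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe --no-sandbox"},
]

if __name__ == "__main__":
    for pid, name, role in find_unsandboxed(SAMPLE_EVENTS):
        print(f"pid={pid} {name} ({role}) is running with {FLAG}")
```

The image path is taken from its own field rather than parsed out of the command line, so an unquoted path containing spaces (pid 5200) is still matched.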
It is to be hoped that the next updates of both browsers will include the new, corrected version of Chromium's V8 JavaScript engine. Chrome 90 is being released tomorrow, so it remains to be seen which browser fixes it first.
Via | Bleeping Computer