Heads up: There’s another serious security flaw in Google Chrome, Microsoft Edge and similar web browsers, with no fix available yet.
The flaw was revealed on Twitter yesterday (April 12) by security researcher Rajvardhan Agarwal, who posted an image of a locally housed web page “popping a calculator,” i.e. demonstrating remote control of a PC by launching the calculator app.
Just here to drop a chrome 0day. Yes you read that right.https://t.co/sKDKmRYWBP pic.twitter.com/PpVJrVitLRApril 12, 2021
Agarwal linked to a GitHub page from which you can download a proof-of-concept exploit — a benign hack — that you can try at home. Bleeping Computer replicated the flaw, as seen in the video below, although it didn’t work for us for some reason.
In his initial tweet, Agarwal called the vulnerability a “zero-day” flaw, but that’s not strictly correct as it’s actually the same flaw that two other researchers used to hack into Chrome at the Pwn2Own hacking contest last week.
If you use one of these browsers, don’t fret just yet. The exploit won’t work on its own because Chromium-based browsers are “sandboxed” so that (most) exploits affecting them won’t “escape” onto the full Windows, macOS or Linux system on which the browser is running.
Mobile versions of these browsers are also sandboxed, but there’s no evidence that this affects them too.
Non-Chromium browsers such as Mozilla Firefox or Apple Safari are not affected by this flaw.
How to avoid this nasty hack
To get Agarwal’s exploit to work, the browser sandbox has to be disabled. You can do that in Windows by typing the Chrome application filepath in a command-line window with the suffix “–no-sandbox”. A new Chrome window will open with no sandbox protections.
Unfortunately, malware can disable the sandbox, too. An attacker could use another method to infect your PC, Mac or Linux box, and then the running malware could use Agarwal’s exploit to disable sandbox and take over your machine.
So make sure you’re using one of the best Windows 10 antivirus programs or best Mac antivirus programs to prevent infection.
There’s no official timetable for when the fix for this flaw will be pushed out to Chrome, Edge and related browsers, but odds are it will be within the next few days. Google has pushed out several other emergency updates to Chrome and Chromium in the past few months.