Google refuses to patch RCE vulnerability in older versions of Chrome browser

Urgent Chrome Update

A security researcher who wished to remain anonymous reported a serious RCE (remote code execution) vulnerability found in all versions of the Chrome browser except the latest version (Chrome 60). The researcher reported the problem through the Beyond Security SecuriTeam Secure Disclosure program.

Meanwhile, Google engineers have informed the Beyond Security project that they do not intend to resolve the reported RCE vulnerability, because it does not affect the latest version of the Chrome browser. Surprised by such a negative response, Beyond Security experts have published PoC code which can be used to exploit the vulnerability.

The problem affects the V8 TurboFan component, which is designed for JavaScript code optimization. To carry out the attack, an attacker must lure a victim to a website containing malicious JavaScript code. By exploiting the RCE vulnerability, the attacker is able to execute malicious code in the victim’s browser. The vulnerability report does not mention any sandbox bypass for executing malicious code at the PC level. However, by exploiting this vulnerability, hackers can steal personal data accessible through the browser (cookies, passwords, etc.).

