Comment from Tenable: Second zero-day in Google Chrome
For the second time in a week, a researcher has published a proof-of-concept (PoC) exploit for a zero-day vulnerability in Google Chrome. Earlier this week, a researcher published a PoC for a 1-day vulnerability in the V8 JavaScript engine used by Google Chrome and Microsoft Edge (Chromium). Please find below, a comment from Satnam Narang, Staff Research Engineer, Tenable.
“What makes both of these publicly disclosed vulnerabilities similar is that they are of limited value by themselves. In this case, it takes two to tango, which means they require a separate vulnerability to break out of the Chrome sandbox. Once again, this latest vulnerability is also mitigated by the fact that it is not paired with a flaw to escape the sandbox.
“Therefore, an attacker cannot compromise the underlying operating system or access confidential information without combining this vulnerability with a second vulnerability to escape the sandbox.
“Zero-days may garner most of the attention, but known yet unpatched vulnerabilities enable most breaches and have become favoured by advanced attackers. Yesterday, the National Security Agency (NSA) released a joint cybersecurity advisory with the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), highlighting a series of known vulnerabilities allegedly used by Russian Foreign Intelligence Services.
“Despite the limited impact from the public disclosure of another Google Chrome vulnerability, we continue to encourage users and organisations alike to ensure they are patching their browsers like Chrome and Edge as soon as possible.”– Satnam Narang, Staff Research Engineer, Tenable
“Wicked Games” Become the National Champion of the ROG Master 2021
