Security researchers have discovered five Google Chrome browser vulnerabilities that could lead to remote code execution attacks. Interestingly, all five of the vulnerabilities have been patched. However, the so-called Magellan 2.0 flaws remain a threat to unpatched Chrome builds.
Disclosed by researchers at Tencent Blade, the Magellan 2.0 vulnerabilities are found in the SQLite database management system. This is a self-contained database that is common in web browsers and operating systems.
According to the research team, if exploited, the vulnerabilities would allow bad actors to attack Chrome remotely through an HTML page loaded with malicious content.
Researchers have disclosed five recently patched vulnerabilities in the Google Chrome browser that could be exploited by an attacker to remotely execute code. The vulnerabilities are listed as CVE-2019-13734, CVE-2019-13750, CVE-2019-13751, CVE-2019-13752 and CVE-2019-13753.
No need to worry: SQLite and Google have already confirmed and fixed it and we are helping other vendors through it too. We haven't found any proof of wild abuse of Magellan 2.0 and will not disclose any details now. Feel free to contact us if you had any technical questions! https://t.co/3hUro9URWf
— Tencent Blade Team (@tencent_blade) December 24, 2019
Tencent Blade says an exploit would allow attackers to “obtain potentially sensitive information from process memory.”
“Magellan means a group of vulnerabilities we have reported recently,” said Tencent researchers in an advisory this week. “If you are using a software that is using SQLite as component (without the latest patch), and it supports external SQL queries… Or, you are using Chrome that is prior to 79.0.3945.79 and it enabled WebSQL, you may be affected.”
The researchers say they will not disclose any more information while they adhere to standard vulnerability disclosure processes. Citing a “responsible vulnerability disclosure process,” they said no further details will emerge until “90 days after the vulnerability report.”
“We have reported all the details of the vulnerability to Google and they have fixed vulnerabilities,” said researchers. “If your product uses Chromium, please update to the official stable version 79.0.3945.79. If your product uses SQLite, please update to the newest code commit.”