KEY POINTS

  • A new zero-day vulnerability on Chrome and Edge was recently discovered
  • The new flaw also works on other Chrome-based browsers like Vivaldi, Opera and Brace
  • Google has not yet said anything related to the newly discovered Chrome zero-day vulnerability

A new zero-day remote code execution vulnerability that works on Google Chrome and Microsoft Edge was shared by a security researcher just a few days after Google patched another publicly disclosed zero-day exploit.

On April 14, Twitter users frust shared another Chrome zero-day vulnerability. The user also provided a link to a Github page, which contains JavaScript for a proof of concept (POC) web page that can exploit the flaw. Moreover, the user showed the web page launching Windows Notepad in Google Chrome or any affected browser via a YouTube video. 

The user claimed that if it can do that particular task, it can do about just anything. According to frust, this particular zero-day exploit worked on Chrome version 89.0.4389.128, which Google rolled out on April 13. Toms' Guide confirmed in a report that the said proof-of-concept (POC) hack indeed works in the latest version of Microsoft Edge. The report also revealed that the hack also works on Brace, Opera, Vivaldi and other Chromium-based desktop browsers.

Google Chrome Google Chrome for Windows now includes an antivirus feature that can detect and remove harmful software. Photo: Google

For the uninitiated, a zero-day vulnerability is a publicly disclosed kind of security bug that has been patched in the newly released version of the affected software. It is usually referred to as a zero-day flaw because developers only have zero days to work on a fix before exploits started popping up online. Interestingly, this particular zero-day exploit won't work with the sandboxing turned on. 

Sandboxing traps malicious processes in a browser, restricting them from escaping out into the surrounding operating system. Alone, the exploit may not do a lot, but when paired with another attack that could, for instance, disable sandboxing, then a website could run programs on the PC without the user's knowledge.

At the moment, Chrome and Edge users could not do anything about this particular zero-day vulnerability. For those who want to stay safe from any unforeseeable attacks they could, for the meantime, use Firefox or Safari. Google has not yet said anything related to this new Chrome zero-day vulnerability.

The search engine giant was able to fix the previous Google Chrome zero-day flaw in just six days. Users are looking forward that the team could fix this one in lesser time.