Activity Feed

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Medium
Technical Analysis

Reported as exploited in the wild at https://threatpost.com/google-patches-actively-exploited-flaw-in-chrome-browser/164468/ and at https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html.

Details are still scant on this vulnerability as they are being withheld by Google until more people have patched the issue, which was fixed in Chrome 89.0.4389.72. All that we know is that the bug is labeled as an Object lifecycle issue in audio and was found by Alison Huffman, Microsoft Browser Vulnerability Research on 2021-02-11.

Given the description of this vulnerability as well as its link to a similar vulnerability exploited in the wild in the past (see https://threatpost.com/google-discloses-chrome-flaw-exploited-in-the-wild/149784/), it's likely that this is a UAF vulnerability. Given the one used in https://threatpost.com/google-discloses-chrome-flaw-exploited-in-the-wild/149784/ was a bug in the same component which was then used in the WizardOpium attacks, it's likely that this vulnerability will lead to full compromise of the system given past history.

Users are encouraged to disable JavaScript where possible, particularly for untrusted sites, as this is often needed in order to successfully exploit UAF vulnerabilities in the browser. However, this is only a temporary fix, and it is strongly encouraged that users instead upgrade to Chrome 89.0.4389.72 or later. Given there is already active exploitation of this vulnerability, and given the history of bugs within this component, there is a good possibility that we may see more widespread exploitation of this issue in the near future.

2
Ratings
Technical Analysis

https://talosintelligence.com/vulnerability_reports/TALOS-2018-0624

This bug is trivial to exploit but time-consuming to gain useful advantage. Each execution of rmsock leaks 64 bits of kernel memory. Some work on grooming the kernel address space could make this more effective but I didn't pursue it.

2
Ratings
  • Attacker Value
    Very Low
  • Exploitability
    Very High
Technical Analysis

Unlikely to be setUID, unlikely that you will have write control over the vulnerable part of the RPATH at the point another user runs it. More theoretical than actual.
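The two conditions this assessment weighs, whether the binary crosses a privilege boundary (setuid/setgid) and whether any component of its RPATH/RUNPATH is writable by other local users, can be checked mechanically. The following is an added example, not code from the original assessment or from any project; it takes a `readelf -d` style RPATH/RUNPATH line as input, resolves `$ORIGIN` the way the dynamic loader does, and flags world-writable (non-sticky) or missing search-path directories. The function names (`audit_rpath`, `demo`) and the temporary directory layout built in `demo()` are constructed for illustration.

```python
import os
import shutil
import stat
import tempfile
from typing import Dict, List


def parse_rpath_line(line: str) -> List[str]:
    """Pull the colon-separated search path out of a `readelf -d` RPATH/RUNPATH line,
    e.g. ' 0x1d (RUNPATH) Library runpath: [/opt/app/lib:$ORIGIN/../lib]'."""
    start, end = line.find("["), line.rfind("]")
    if start == -1 or end <= start:
        return []
    return [p for p in line[start + 1:end].split(":") if p]


def expand_origin(entry: str, binary_path: str) -> str:
    """Resolve $ORIGIN / ${ORIGIN} to the directory containing the binary, as ld.so does."""
    origin = os.path.dirname(os.path.abspath(binary_path))
    return os.path.normpath(entry.replace("${ORIGIN}", origin).replace("$ORIGIN", origin))


def dir_is_writable_by_others(path: str) -> bool:
    """True if the directory is world-writable without the sticky bit, i.e. any local
    user could drop a library file into it that the loader would pick up."""
    mode = os.stat(path).st_mode
    return stat.S_ISDIR(mode) and bool(mode & stat.S_IWOTH) and not (mode & stat.S_ISVTX)


def audit_rpath(binary_path: str, rpath_line: str) -> Dict[str, object]:
    """Combine both conditions: privilege boundary on the binary, and an attacker-writable
    or missing directory somewhere in its library search path."""
    mode = os.stat(binary_path).st_mode
    writable, missing = [], []
    for entry in parse_rpath_line(rpath_line):
        resolved = expand_origin(entry, binary_path)
        if not os.path.isdir(resolved):
            # A missing component is worth listing: it is exploitable only if the
            # parent directory lets someone create it.
            missing.append(resolved)
        elif dir_is_writable_by_others(resolved):
            writable.append(resolved)
    return {
        "setuid": bool(mode & stat.S_ISUID),
        "setgid": bool(mode & stat.S_ISGID),
        "writable_dirs": writable,
        "missing_dirs": missing,
    }


def demo() -> Dict[str, object]:
    """Build a constructed layout under a temp dir and audit a constructed readelf line.
    Nothing here comes from a real binary; it exists so the check can run offline."""
    root = tempfile.mkdtemp(prefix="rpath-audit-")
    try:
        os.makedirs(os.path.join(root, "bin"))
        binary = os.path.join(root, "bin", "app")
        open(binary, "w").close()  # stand-in for the ELF; only its mode bits matter here
        os.chmod(binary, 0o755)    # deliberately not setuid
        for name, mode in (("lib", 0o777), ("safe", 0o755), ("tmpish", 0o1777)):
            d = os.path.join(root, name)
            os.mkdir(d)
            os.chmod(d, mode)
        # Constructed `readelf -d` style line: one $ORIGIN-relative entry that resolves to
        # the world-writable lib/, a safe dir, a sticky dir, and a nonexistent dir.
        line = (" 0x000000000000001d (RUNPATH) Library runpath: "
                f"[$ORIGIN/../lib:{root}/safe:{root}/tmpish:{root}/gone]")
        result = audit_rpath(binary, line)
        return {
            "setuid": result["setuid"],
            "writable": [os.path.relpath(p, root) for p in result["writable_dirs"]],
            "missing": [os.path.relpath(p, root) for p in result["missing_dirs"]],
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

In practice the RPATH line would come from `readelf -d <binary> | grep -E 'RPATH|RUNPATH'`; a finding is only interesting when `setuid`/`setgid` is true (or the binary is run by a more privileged user) and `writable_dirs` or `missing_dirs` is non-empty, which is exactly the combination the assessment above considers unlikely here.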