Both Chrome and Edge browsers are at risk - How to Protect Yourself Now [Update]


This has been updated as Google has released a fix for this flaw.

Beware: Google Chrome, Microsoft Edge, and similar web browsers have a serious security flaw for which no fix is yet available. The flaw was revealed yesterday (April 12) by security researcher Rajvardhan Agarwal on Twitter, where he posted an image showing a locally stored web page that "pops a calculator": it launches the calculator app, the customary demonstration that an exploit has achieved arbitrary code execution on the machine.

Agarwal linked to a GitHub page from which a proof-of-concept exploit (a benign demonstration rather than working malware) can be downloaded; Bleeping Computer reproduced the exploit on video.

In his first tweet, Agarwal called the vulnerability a "zero-day" flaw, which is not strictly accurate: it is the same flaw that two other researchers used to hack Chrome at last week's Pwn2Own hacking contest, so Google already knew about it.

The flaw is in the V8 JavaScript engine used in Chrome, Edge, Opera, Brave, Vivaldi, and several other browsers. Agarwal did not find the bug independently: he reverse-engineered the Pwn2Own exploit from a recent change to the publicly available V8 source code, a change that was visible in the open-source repository before the fix had reached any browser release.

If you are using one of these browsers, there is no need to panic yet. Chromium-based browsers are "sandboxed": code running inside the browser's renderer process is isolated from the rest of the system, so an exploit of this flaw cannot on its own "escape" to the underlying Windows, macOS, or Linux system. Doing that would require a second, separate vulnerability in the sandbox itself.

The mobile versions of these browsers are also sandboxed, and so far there is no evidence that this flaw affects them at all.

Non-Chromium browsers such as Mozilla Firefox and Apple Safari use different JavaScript engines and are not affected by this flaw.

For Agarwal's exploit to work, the browser's sandbox must be disabled. On Windows, this can be done by typing the file path of the Chrome executable into a command-line window, adding the switch "--no-sandbox", and running the command. A new Chrome window opens without sandbox protection, and any page loaded in it is exposed to the exploit.

Unfortunately, malware can disable the sandbox the same way. Attackers who had already infected a PC, Mac, or Linux machine by other means could have their malware launch the browser without the sandbox and then use Agarwal's exploit to take over the machine. One caveat: malware that is already running has, by definition, already compromised the system, so in that scenario the exploit adds little; the more worrying cases are a chained sandbox-escape bug, or a user running an unsandboxed browser deliberately.
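As an added example (not code from the article, from Agarwal, or from any browser vendor), the following Python script shows the check a defender would run for the scenario just described: scan process command lines, in the format of `ps -eo pid,args`, for Chromium-based browsers that were started with the sandbox switched off. The browser executable names and the sample process list are constructed assumptions; `--no-sandbox` is the switch named in the article, and `--disable-setuid-sandbox` is Chromium's Linux-specific switch that removes the setuid sandbox layer.

```python
"""Flag Chromium-based browser processes that were started without their sandbox.

Added example, not part of the original article. Feed find_unsandboxed() the
text of `ps -eo pid,args` (or an equivalent process listing) and it returns
every Chrome/Edge/Brave/Opera/Vivaldi process carrying a sandbox-disabling switch.
"""
import re
import shlex
from typing import List, Tuple

# Executable names of Chromium-based browsers (assumed typical install names; extend for your fleet).
CHROMIUM_BINARIES = {
    "chrome", "chrome.exe", "google-chrome", "google-chrome-stable", "chromium", "chromium-browser",
    "msedge", "msedge.exe", "brave", "brave.exe", "brave-browser",
    "opera", "opera.exe", "vivaldi", "vivaldi.exe", "vivaldi-bin",
}

# Switches that turn the sandbox off. --no-sandbox is the one from the article;
# --disable-setuid-sandbox is the Linux-specific switch that removes the setuid sandbox layer.
UNSAFE_SWITCHES = {"--no-sandbox", "--disable-setuid-sandbox"}

# Constructed sample in the shape of `ps -eo pid,args` (not captured from a real host).
SAMPLE_PS = """\
  PID COMMAND
 1234 /opt/google/chrome/chrome --type=renderer --enable-features=foo
 2345 /opt/google/chrome/chrome --no-sandbox --user-data-dir=/tmp/profile
 3456 "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --no-sandbox
 4567 /usr/bin/firefox --no-sandbox
 5678 /usr/bin/vim notes-about-no-sandbox.txt
 6789 /usr/bin/chromium-browser --disable-setuid-sandbox
"""


def _argv(cmdline: str) -> List[str]:
    """Split a command line into argv, keeping Windows backslash paths intact."""
    try:
        # posix=False: backslashes are literal, quotes stay attached to the token
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:
        # unbalanced quote in an odd command line: fall back to a whitespace split
        tokens = cmdline.split()
    return [tok.strip("\"'") for tok in tokens]


def _basename(path: str) -> str:
    """Last path component, lower-cased, for either / or \\ separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def find_unsandboxed(ps_output: str) -> List[Tuple[int, str, str]]:
    """Return (pid, binary, switch) for every Chromium-based browser run without its sandbox.

    ps_output is text in the shape of `ps -eo pid,args`: a header line, then one process per line.
    Only exact switch matches count, so a file named "notes-about-no-sandbox.txt" is not a hit,
    and non-Chromium programs given the same switch are ignored because the flaw does not apply.
    """
    hits: List[Tuple[int, str, str]] = []
    for line in ps_output.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) < 2 or not parts[0].isdigit():
            continue  # header or malformed line
        pid, cmdline = int(parts[0]), parts[1]
        argv = _argv(cmdline)
        if not argv:
            continue
        binary = _basename(argv[0])
        if binary not in CHROMIUM_BINARIES:
            continue
        for switch in argv[1:]:
            if switch in UNSAFE_SWITCHES:
                hits.append((pid, binary, switch))
                break
    return hits


if __name__ == "__main__":
    for pid, binary, switch in find_unsandboxed(SAMPLE_PS):
        print(f"PID {pid}: {binary} started with {switch}")
```

On a live Linux or macOS host, replace `SAMPLE_PS` with the output of `ps -eo pid,args`; on Windows, a listing of process IDs and full command lines (for example from the Win32_Process class) in the same two-column shape works unchanged, since the parser only needs the PID followed by the command line.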

Therefore, make sure you are running a good, up-to-date antivirus program on Windows 10 or macOS to prevent that initial infection.

There is no official timetable for when a fix for this flaw will be pushed to Chrome, Edge, and related browsers, but it will likely happen within a few days: Google has shipped several other emergency updates to Chrome and Chromium in recent months.

Since this article was posted on April 13, Google has quietly distributed an update that fixes the V8 flaw and another flaw in the browser's Blink rendering engine. The updated Chrome and Chromium versions are both 89.0.4389.128.

Brave and Edge have also released updates based on the latest Chromium: Brave's version number matches Chromium's, and Edge's is 89.0.774.76. As of this writing, Opera (75.0.3969.171) and Vivaldi (3.7.2218.52) are still based on earlier Chromium releases and so do not yet carry the fix.

To update Chrome, Edge, or Brave, click on the Settings icon in the upper right corner of the browser window, scroll down and look for something marked "About" at or near the bottom of the menu. Sometimes "About" is hidden in the "Help" menu.

In Opera and Vivaldi, first click on the browser icon in the upper left corner of the window, scroll down to "Help," and click "About" in the fly-out menu.

Select "About" and a new tab will open, either confirming that the browser is up to date or asking you to restart the browser to complete installation of the update.

Linux users usually get the new version through their distribution's package manager, once the distribution has packaged the day's update.
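The version numbers above are only useful if they are compared correctly, so here is an added example (not code from the article or from any browser vendor) that takes a browser name and the version shown on its About page and reports whether the build is at or past the fixed release. The fixed versions are the ones this article reports; Opera and Vivaldi use their own numbering and have no fixed build yet, so the function answers "unknown" (None) for them rather than guessing. It also shows why versions must be compared as numbers, not as text.

```python
"""Check whether a Chromium-based browser build carries the V8 fix.

Added example, not part of the original article. FIXED_VERSIONS holds the
builds the article names; the version string is whatever the browser's About
page shows, e.g. "Version 89.0.4389.128 (Official Build) (64-bit)". For Brave,
pass the Chromium version it shows, since that is the number the article compares.
"""
import re
from typing import Optional, Tuple

# First builds containing the fix, as reported in the article (Brave tracks Chromium's number).
FIXED_VERSIONS = {
    "chrome": "89.0.4389.128",
    "chromium": "89.0.4389.128",
    "brave": "89.0.4389.128",
    "edge": "89.0.774.76",
    # Opera and Vivaldi: own numbering, no fixed build at time of writing, so deliberately absent.
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a dotted version from About-page text and return it as a tuple of ints.

    Comparing the raw strings is the classic mistake: "89.0.4389.90" sorts AFTER
    "89.0.4389.128" as text because "9" > "1", yet build 90 is older than build 128.
    Tuples of ints compare component by component, which is what we want.
    """
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def is_patched(browser: str, version_text: str) -> Optional[bool]:
    """True if the build is at or past the fixed release, False if older, None if unknown.

    None means this table has no fixed build for that browser (Opera, Vivaldi, or an
    unrecognised name), which a script should report rather than treat as "safe".
    """
    fixed = FIXED_VERSIONS.get(browser.strip().lower())
    if fixed is None:
        return None
    return parse_version(version_text) >= parse_version(fixed)


def describe(browser: str, version_text: str) -> str:
    """Human-readable verdict for one browser/version pair."""
    verdict = is_patched(browser, version_text)
    if verdict is None:
        return f"{browser} {version_text}: no fixed build known, check vendor notes"
    return f"{browser} {version_text}: {'patched' if verdict else 'VULNERABLE, update now'}"


if __name__ == "__main__":
    # Constructed sample of versions an administrator might collect from About pages.
    observed = [
        ("Chrome", "Version 89.0.4389.128 (Official Build) (64-bit)"),
        ("Chrome", "Version 89.0.4389.90 (Official Build) (64-bit)"),
        ("Edge", "Version 89.0.774.76 (Official build) (64-bit)"),
        ("Opera", "75.0.3969.171"),
        ("Vivaldi", "3.7.2218.52"),
    ]
    for name, shown in observed:
        print(describe(name, shown))
```

The same comparison logic applies to any future Chromium fix: update `FIXED_VERSIONS` from the vendor's release notes and keep comparing tuples of integers, never strings.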

The V8 flaw found at the Pwn2Own contest was classified by Google as due to "insufficient validation of untrusted input in the x86_64 version of V8."

In plain terms, V8 can be tripped up by JavaScript input that it does not validate properly. Since the description names the x86-64 instruction set, i.e., 64-bit Intel and AMD processors, it is possible that the flaw does not affect 32-bit builds of Chromium or builds for other processor architectures, but that has not been confirmed.

The Blink flaw, credited to "Anonymous," is described simply as "Blink use after free." In a use-after-free bug, the program keeps using a block of memory after it has been freed; an attacker who can get that memory reallocated with content of their choosing can corrupt the program's state and potentially run code in Chromium.

Whoever "Anonymous" is, they will get an unspecified bug bounty from Google.

Sadly for Bruno Keith and Niklas Baumstark, who found the V8 flaw (or perhaps not so sadly), they have already split the $100,000 Pwn2Own prize for it, which makes them ineligible for a Google bug bounty on top.
