RCE Vulnerability Affecting Older Versions of Chrome Will Remain Unpatched
A remote code execution vulnerability affects older versions of the Google Chrome browser: every version except the current one, Chrome 60. The vulnerability is in Google Chrome's TurboFan component, which is used to optimize JavaScript code.
In response to Beyond Security's bug report, Google told the company's engineers that it does not plan to address the vulnerability because it does not work in the most recent version, the only one Google's security team is interested in servicing.
Exploiting the flaw requires luring a user to an attacker-controlled website that serves a piece of malicious JavaScript code. The flaw allows the attacker to execute code in the user's browser. The vulnerability disclosure does not mention a sandbox escape that would allow the attacker to execute code on the PC itself, but the flaw still allows attackers to steal data accessible through the browser (cookies, passwords, etc.).
Google Chrome has an overall browser market share of around 59%. According to Web analytics firm Clicky, Chrome 60 accounts for 50% of those installations. This leaves nearly one in ten web users exposed to this flaw. Upgrading to the latest version, Chrome 60, mitigates the flaw.