The National Information Security Vulnerability Sharing Platform (CNVD) included the Google Chrome remote code execution vulnerability (CNVD-2021-27989).
Heihe attackers can use this vulnerability to remotely execute code without authorization. At present, the details of the vulnerability have been made public, and the manufacturer has not released a new version to fix the vulnerability.
Join us on Telegram
- Vulnerability analysis
Google Chrome is a web browser developed by Google. The browser is based on open-source software such as WebKit and Mozilla. The goal is to improve stability, speed, and security, and create a simple and effective user interface.
On April 14, 2021, the National Information Security Vulnerability Sharing Platform (CNVD) included Google Chrome’s remote code execution vulnerabilities. Unauthenticated attackers can exploit this vulnerability by carefully constructing malicious pages to induce the victim to visit and realize remote code execution attacks on the browser.
However, the attacker alone cannot achieve sandbox escape by exploiting this vulnerability. The sandbox is the security boundary of the Google Chrome browser to prevent malicious code from damaging the user system or other pages of the browser. The Google Chrome browser turns on the sandbox protection mode by default.
CNVD has a comprehensive rating of “high risk” for this vulnerability.
- The scope of the vulnerability
The product versions affected by the vulnerability include:
Google Chrome <= 89.0.4389.114.
- Vulnerability disposal suggestions
At present, Google has not released a new version or patch package to fix vulnerabilities. CNVD recommends that users not turn off the default sandbox mode when using the Google Chrome browser, and at the same time be cautious when accessing web links or files from unknown sources.
