Chrome and Edge browsers both at risk — how to protect yourself now [Update]

Google Chrome
(Image credit: Shutterstock)

Updated with Google releasing a fix for this flaw.

Heads up: There's another serious security flaw in Google Chrome, Microsoft Edge and similar web browsers, with no fix available yet. 

The flaw was revealed on Twitter yesterday (April 12) by security researcher Rajvardhan Agarwal, who posted an image of a locally housed web page "popping a calculator," i.e. demonstrating remote control of a PC by launching the calculator app. 

Agarwal linked to a GitHub page from which you can download a proof-of-concept exploit — a benign hack — that you can try at home. Bleeping Computer replicated the flaw, as seen in the video below, although it didn't work for us for some reason.

In his initial tweet, Agarwal called the vulnerability a "zero-day" flaw, but that's not strictly correct as it's actually the same flaw that two other researchers used to hack into Chrome at the Pwn2Own hacking contest last week. 

The flaw lies in the V8 JavaScript engine used by Chrome, Edge, Opera, Brave, Vivaldi and several other browsers, all of which are based on the Chromium open-source browser maintained by Google and all of which are vulnerable to this exploit. Agarwal used recent changes to the public V8 code to reverse-engineer the Pwn2Own exploit.

If you use one of these browsers, don't fret just yet. The exploit won't work on its own because Chromium-based browsers are "sandboxed" so that (most) exploits affecting them won't "escape" onto the full Windows, macOS or Linux system on which the browser is running. 

Mobile versions of these browsers are also sandboxed, but there's no evidence that this affects them too.

Non-Chromium browsers such as Mozilla Firefox or Apple Safari are not affected by this flaw. 

How to avoid this nasty hack

To get Agarwal's exploit to work, the browser sandbox has to be disabled. You can do that in Windows by typing the Chrome application filepath in a command-line window with the suffix "--no-sandbox". A new Chrome window will open with no sandbox protections.

Unfortunately, malware can disable the sandbox, too. An attacker could use another method to infect your PC, Mac or Linux box, and then the running malware could use Agarwal's exploit to disable sandbox and take over your machine.

So make sure you're using one of the best Windows 10 antivirus programs or best Mac antivirus programs to prevent infection.

There's no official timetable for when the fix for this flaw will be pushed out to Chrome, Edge and related browsers, but odds are it will be within the next few days. [See below.] Google has pushed out several other emergency updates to Chrome and Chromium in the past few months.

Update: Google patches the flaw

After this story was posted April 13, Google quietly pushed out an update that fixed the V8 flaw and another flaw related to the Blink browser rendering engine. The updated versions of Chrome and Chromium are both 89.0.4389.128.

Brave and Edge both appear to also have released updates based on the latest version of Chromium, Brave's version number matching Chromium's and Edge going to 89.0.774.76. As of this writing, Opera (75.0.3969.171) and Vivaldi (3.7.2218.52) were both using versions based on previous versions of Chromium. 

To update Chrome, Edge or Brave, click the settings icon on the top right of the browser window and scroll down looking for something marked "About" at or near the bottom of the menu. "About" may also be hiding in a "Help" fly-out menu.

In Opera and Vivaldi, start by clicking the browser icon at the top left of the window, then scroll down to "Help" and click "About" in the fly-out menu.

When you select "About," a new tab will open that will either tell you that your browser is up-to-date or that you need to relaunch the browser to finish installing the update.

Linux users will generally have to run that day's update package from their distribution to get the latest version of their browser of choice.

'Insufficient validation'

The V8 flaw found by the Pwn2Own competitors was categorized by Google as due to "insufficient validation of untrusted input in V8 for x86_64." 

This hints that you can trip up V8 by feeding it JavaScript that it can't handle. The instruction-set specification "x86-64" — in other words, 64-bit Intel/AMD chipsets — implies that the flaw may not affect 32-bit versions of Chromium browsers or other chipsets, but we really don't know.

The Blink flaw, credited to "Anonymous," was characterized simply as a "use after free in Blink." That means that it's possible to "reuse" memory freed up by Blink to attack Chromium.

Whoever "Anonymous" is, they'll get an unspecified amount of bug-bounty money from Google. 

Sadly (or not) for Bruno Keith and Niklas Baumstark, the finders of the V8 flaw, they're ineligible for a Google bug bounty because they're already splitting $100,000 in prize money from their Pwn2Own win.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.