Not long after Google patched a publicly divulged zero-day vulnerability in Google Chrome, another one has appeared on the Google web browser.

Apparently, the new zero-day vulnerability impacts the current versions of Google Chrome and possibly other browsers as well, like Microsoft Edge, that uses the Chromium framework.

What Is A Zero-Day Vulnerability?

The term “Zero-day” is an imaginative time, as this type of cyberattack happens in less than a day since the awareness of the security flaw. Thereby, not giving developers ample time to eradicate or mitigate the potential risks associated with this vulnerability.


The exploit was first noticed on Wednesday by a user on Twitter who goes by the name frust. The tweet also included a link to a GitHub page containing JavaScript for a proof-of-concept web page that will use the vulnerability.

As frust showed in a YouTube video, the web page will open Windows Notepad in Chrome or an associated browser. If it can do that, it can do anything the user does. Other Chromium-derived desktop browsers, such as Brave, Opera, and Vivaldi are also in danger.

The researcher stated that the exploit worked in Chrome version 89.0.4389.128, which was released on April 13.

According to a published report from Recorded Future, as with previous zero-day flaws, threat actors would still need to escape the Chrome browser “sandbox,” a security feature preventing browser-specific code from reaching the basic operating system, to complete full Remote Code Execution (RCE).

The newly-found exploit can’t harm users in its current state since it isn’t able to escape the Sandbox, but if it were to be combined with another attack, maybe through a separate malware infection able to disable the browser sandboxing, then victims would get infected.

According to BleepingComputer, the new zero-day vulnerability runs by launching the current versions of Google Chrome and Microsoft Edge using the –no-sandbox argument, which deactivates the sandbox security function. Once the sandbox is disabled, the flaw could launch Notepad on Google Chrome 89.0.4389.128 and Microsoft Edge 89.0.774.76, which are the newest versions of both browsers.

Heimdal Official Logo
Antivirus is no longer enough to keep an organization’s systems secure.

Heimdal® DNS Security Solution

Is our next gen proactive DNS-Layer security that stops unknown threats before they reach your endpoints.
  • Machine learning powered scans for all incoming online traffic;
  • Stops data breaches before sensitive info can be exposed to the outside;
  • Advanced DNS, HTTP and HTTPS filtering for all your endpoints;
  • Protection against data leakage, APTs, ransomware and exploits;
Try it for FREE today 30-day Free Trial. Offer valid only for companies.

Google was planned to release Chrome 90 for Desktop on April 13th, but instead released the new version of Chrome to fix the zero-day vulnerability released on Monday.

Meantime, you need to know what to do to protect yourself and your devices from this new zero-day vulnerability. It’s true, it isn’t much you can do about it at this moment, but if you are worried you can use Firefox or Safari instead.

11 Zero-Day Flaws Exploited in 2020 Campaigns, Google Reports

Google Is Announcing Another Chrome Zero-Day Flaw

New Malvertising Campaign by the ScamClub Group Is Actively Exploiting Zero-Days

Patch Tuesday (January 2021): Microsoft patches 83 vulnerabilities, including a Zero-Day

Leave a Reply

Your email address will not be published. Required fields are marked *