The year 2019 is coming to an end and over the past year we've witnessed hundreds of cybersecurity issues, software bugs, data breaches among others. Now, as we are just six days shy of stepping into 2020, another major security issue seems to have cropped up out of nowhere and this one has affected Google Chrome Internet browser.
A new set of SQLite vulnerabilities which allow attackers to remotely run malicious code inside of the world's most popular Internet browser has just been discovered.
Set of five vulnerabilities
The vulnerabilities named Magellan 2.0 are a set of five vulnerabilities in total, and we're discovered by security researchers at the Tencent Blade Team. Magellan 2.0 is related to how Chrome uses the SQLite database management system to deal with data.
The researchers warn that all apps that use an SQLite database are vulnerable to Magellan 2.0. However, the danger of 'remote exploitation' in the other apps is lower than the one in Chrome. Chrome uses a feature called the WebSQL API which, by default, exposes Chrome users to the remote attacks.
All five vulnerabilities are related to how data input is validated by Chrome's built-in SQL database, especially the way its WebSQL API changes the JavaScript code into SQL commands.
What is Magellan 2.0?
The Magellan 2.0 vulnerabilities come just a year after the same Tencent Blade security team discovered a similar set of SQLite vulnerabilities within the Chrome browser called Magellan. The newly disclosed vulnerabilities are quite similar to the original Magellan vulnerabilities in that the new variants are caused by improper input validation in SQL commands the SQLite database received from third-parties.
This allows an attacker to craft an SQL operation contains malicious code. When the SQLite database engine tried to read this SQLite operation containing the malicious code, it can perform the command on behalf of the attacker.
Vulnerabilities could crash Chrome or worse
The security researchers claim that any of the five vulnerabilities could have resulted in the Chrome browser crashing. But the worst case scenario is the vulnerabilities could have allowed attackers to set up a remote SQL operation to hijack some or all parts of the browser functions.
Tencent Blade reassurance
Meanwhile, the Tencent Blade Team has announced that they haven't detected any exploitation of the reported vulnerabilities with the general internet users. The team reassures that users needn't panic as they have already informed Google about the vulnerabilities, and that these have been patched in the latest version 79.0.3945.79 of Google Chrome.
So, if you use Google Chrome on your PC, or Mac, please update it right now.