Vulnerability broker Beyond Security has released details about, and proof-of-concept code for, a remote code execution bug affecting Google Chrome.
“The [type confusion] vulnerability results from incorrect optimization by the TurboFan compiler, which causes confusion between access to an object array and a value array, and therefore allows accessing objects as if they were values by reading them as if they were values (thus receiving their in-memory address) or, vice versa, writing values into an object array and thus being able to fake objects completely,” the company explained.
The bug was reported to them by an independent security researcher, and the information was later conveyed to Google.
The bug was found in version 59 of the browser and possibly affects earlier versions as well, but it apparently stopped working in Chrome 60 and, according to Beyond Security, Google has no plan to address it.
A detailed technical overview of how the bug occurs is provided in the advisory, along with a minimal and a full PoC, and a patch, which is as simple as adding a check before a specific call.
Google Chrome users who haven’t yet upgraded to version 60 would do well to do so as soon as possible, now that the details and PoC are public.