Google addressed a new set of vulnerabilities, dubbed Magellan 2.0, that could be exploited for remote code execution inside the Chrome browser.
Google has fixed five SQLite vulnerabilities, dubbed Magellan 2.0, that could be exploited by an attacker to remotely execute malicious code inside the Chrome browser.
The vulnerabilities were discovered by researchers from the Tencent Blade security team.
Exactly one year ago, the same team of experts disclosed a critical vulnerability in SQLite database software that exposed billions of vulnerable apps to hackers.
The vulnerability tracked as ‘
SQLite is used by millions of applications with billions of installs, Magellan potentially affects IoT devices, macOS and Windows apps.
The Magellan vulnerabilities are caused by improper input validation in SQL commands sent to the SQLite database from a
An attacker can use specially crafted SQL operations containing malicious code, when the SQLite database engine will read them SQLite operation, it will perform commands on behalf of the attacker.
“Magellan 2.0 is some vulnerabilities that exist in SQLite (Former was: Magellan 1.0
The flaws, tracked as CVE-2019-13734, CVE-2019-13750, CVE-2019-13751, CVE-2019-13752, CVE-2019-13753, could cause remote code execution, or could leak program memory or cause program crashes.
Google Chrome uses an internal SQLite database to store various browser settings and user data.
Google addressed the five Magellan 2.0 vulnerabilities with the release of Google Chrome 79.0.3945.79.
The good news is that Tencent was not aware of any public exploit code for Magellan 2.0 or attacks in the wild exploiting the flaws. At the time of disclosing the flaws, the experts did not release details about them.
- 16 Nov 2019 Reported to Google and SQLite.
- 16 Nov 2019 Vulnerabilities confirmed by Google.
- 27 Nov 2019 Google and SQLite fixed vulnerabilities.
- 27 Nov 2019 Tencent Blade Team provided a fuzzer to Google.
- 11 Dec 2019 Google released the official Chrome version 79.0.3945.79.
- 11 Dec 2019 CVE ID has been assigned as CVE-2019-13734, CVE-2019-13750, CVE-2019-13751, CVE-2019-13752, CVE-2019-13753.