Google has patched a fresh set of SQLite vulnerabilities, known as Magellan 2.0, in Chrome, the world's most popular web browser. The latest version of Google Chrome for desktop fixes the recently reported vulnerabilities, but users on an older version of the browser are still vulnerable. Magellan 2.0 is a collection of five SQLite vulnerabilities, uncovered by security researchers, that affect Chrome versions prior to 79.0.3945.79. It was disclosed exactly one year and one week after the original Magellan series of vulnerabilities in 2018. The Tencent Blade security team highlighted those earlier vulnerabilities in December last year, and they were patched.
What is the impact?
Discovered by the Tencent Blade security team, the Magellan 2.0 vulnerabilities are caused by improper input validation of SQL commands that the SQLite database receives from a third party.
By abusing Magellan 2.0, an attacker can achieve remote code execution, leak program memory or cause a program to crash. In Google Chrome, these vulnerabilities can allow the attacker to run malicious code remotely inside the browser. All apps that use an SQLite database are vulnerable to Magellan 2.0; however, the danger of “remote exploitation” is smaller in those apps than in Chrome, where a feature called the WebSQL API exposes users to remote attacks by default. An attacker can craft an SQL operation that contains malicious code. When the SQLite database engine reads this operation, it can perform commands on behalf of the attacker.
All apps that use an SQLite database to store data are vulnerable, although the vector for “remote attacks over the internet” is not exploitable by default. To be exploitable, the app must allow direct input of raw SQL commands, something that very few apps allow. The SQLite project fixed the bugs in a series of patches on December 13, 2019; however, these fixes have not been included in a stable SQLite branch, which remains v3.30.1, released on December 10. All applications that implement SQLite as a component and support SQL are affected if the latest patches are not applied. The Tencent Blade Team also noted that these vulnerabilities affect smart devices using an older version of Chrome/Chromium, browsers built on an older version of Chrome/Webview, Android apps using older versions of Webview, and software that uses older versions of Chromium. The Tencent Blade Team states that it is working with vendors to address the issue and notes that, at present, there is no evidence of abuse in the wild. Chromium users with versions prior to v79.0.3945.79 are also vulnerable.
What are the vulnerabilities?
The vulnerabilities that make up Magellan 2.0 are tracked as CVE-2019-13734, CVE-2019-13750, CVE-2019-13751, CVE-2019-13752, and CVE-2019-13753.
- Five new SQLite-based vulnerabilities have impacted Google Chrome
- Google patched them in the latest version of Chrome
- Other apps that use SQLite are also affected
Last year around Christmas, Google Chrome was impacted by SQL vulnerabilities known as the Magellan SQLite vulnerabilities. The Tencent Blade security team highlighted those vulnerabilities in December last year, and they were patched right on time. This year, the same security team has disclosed fresh Magellan 2.0 vulnerabilities that impact Chrome, the search giant’s popular web browser. But there’s very little you need to worry about unless you’re running a really old version of Google Chrome. Google has patched the Magellan 2.0 vulnerabilities in Chrome version 79.0.3945.79. The new SQLite vulnerabilities can let a hacker run malicious code remotely on Google Chrome. Magellan 2.0 consists of five vulnerabilities in total, according to the Tencent Blade security team. SQLite is widely used across most operating systems and software products. The Tencent Blade security team says both SQLite and Google have confirmed the vulnerabilities and fixed them, and that it will disclose more details once other vendors fix the vulnerabilities.
A malicious user can use these vulnerabilities by having the database perform an SQL operation that contains specific code. Once the SQLite operation executes successfully, the attacker can remotely execute code, leak program memory, and eventually cause program crashes. Last month, Google patched a zero-day vulnerability in Chrome. The exploit was reportedly leveraged to carry out waterhole-style injection attacks, and it targeted Chrome 65 and later versions.
Apps that use an SQLite database without the 13 December 2019 patch, and Google Chrome versions prior to 79.0.3945.79, are affected by these vulnerabilities. The Tencent Blade security team says it hasn’t spotted any attacks in the wild yet, and users don’t really have to worry about anything right now.
How to resolve the issue?
The five Magellan 2.0 vulnerabilities have been fixed in Google Chrome 79.0.3945.79. The SQLite project has also fixed the bugs in a series of patches on December 13, 2019. However, these fixes have not yet been included in a stable SQLite release; the current stable version remains v3.30.1, released on December 10.
The Chinese security company will release more details about the Magellan 2.0 vulnerabilities in the coming months. As of now, developers should update their apps with the latest SQLite version, and Chrome users should update their browser. Tenable strongly advises organizations and individuals to upgrade to patched versions as soon as possible. On December 10, 2018, Google released 79.0.3945.79 (Stable Channel Update for Desktop) for Chromium users. SQLite addressed the bugs on December 13, 2019, but has yet to release the patches in a stable branch. We advise moving to that branch as soon as it is available. For now, users must follow the above guidelines.
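To act on the upgrade advice above, a defender can check an inventory of browser version strings against the fixed build 79.0.3945.79. The following is an added example, not part of the original article; the function names and the sample inventory are constructed for illustration, and it assumes version strings in the form printed by `--version` or carried in a User-Agent header.

```python
import re

# Fixed Chrome build named in the article.
FIXED = (79, 0, 3945, 79)

# Matches "Chrome/78.0.3904.108" (User-Agent token) and
# "Google Chrome 79.0.3945.79" / "Chromium 79.0.3945.79" (--version output).
_VERSION_RE = re.compile(r"(?:Chrome|Chromium)[/ ](\d+(?:\.\d+)*)")


def chrome_version(text):
    """Return the version as a 4-tuple of ints, or None if absent or malformed."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    parts = match.group(1).split(".")
    if len(parts) != 4:  # e.g. a mistyped "79.03945.79" must not be guessed at
        return None
    return tuple(int(p) for p in parts)


def classify(text):
    """Classify one version string as 'patched', 'vulnerable' or 'unknown'."""
    version = chrome_version(text)
    if version is None:
        return "unknown"
    # Compare numerically, field by field. A plain string comparison would
    # wrongly rank "79.0.3945.100" below "79.0.3945.79".
    return "patched" if version >= FIXED else "vulnerable"


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLES = [
    ("host-a", "Google Chrome 79.0.3945.79"),
    ("host-b", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"),
    ("host-c", "Chromium 79.0.3945.100"),
    ("host-d", "Chrome/79.03945.79"),
    ("host-e", "Mozilla/5.0 (X11; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0"),
]


def audit(samples):
    """Map each host to its classification."""
    return {host: classify(text) for host, text in samples}


if __name__ == "__main__":
    for host, status in audit(SAMPLES).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" either do not identify as Chrome/Chromium or carry a malformed version and need manual review rather than being assumed safe.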