An SQLite “Magellan” RCE vulnerability exposes billions of apps, including all Chromium-based browsers

The Tencent Blade security team found a vulnerability in the SQLite database that exposes billions of desktop and web applications to hackers. This vulnerability classified as a remote code execution (RCE) vulnerability hasn’t received a CVE identification number yet and has been nicknamed as “Magellan” by the Tencent Blade Team. Since SQLite is one of the most popular databases used in modern operating systems and applications, this vulnerability can affect a variety of different apps ( eg: Android/ iOS), devices (eg: IoT), and software.

Magellan poses dangers such as allowing hackers to run malicious code within the hacked computers, leaking program memory or causing program crashes. Moreover, this vulnerability can be remotely exploited on even accessing a particular web page in a browser that supports SQLite. Other than SQLite, all web browsers using the Chromium engine has also been affected by this vulnerability. Tencent Blade has already reported the vulnerability to Google developers who then promptly took care of it on their end.

Additionally, security experts at Tencent Blade also successfully exploited Google Home with this vulnerability, but haven’t disclosed the exploit code yet. The team also mentions how they’re yet to see a case where Magellan has been abused “wildly”. Tencent Blade recommends updating to the official stable version 71.0.3578.80 of Chromium and to 3.26.0 for SQLite as they’re safe from the vulnerability.

Google Chrome, Vivaldi, and Brave are all reported to be affected as they support SQLite through the Web SQL database API. Safari web browser isn’t affected yet and Firefox may be prone to this vulnerability in case a hacker gains access to its local SQLite database.

“We will not disclose any details of the vulnerability at this time, and we are pushing other vendors to fix this vulnerability as soon as possible”, says the Tencent Blade team.

Read Next

Zimperium zLabs discloses a new critical vulnerability in multiple high-privileged Android services to Google

A kernel vulnerability in Apple devices gives access to remote code execution

Microsoft announces Windows DNS Server Heap Overflow Vulnerability, users dissatisfied with patch details

*** This is a Security Bloggers Network syndicated blog from Security News – Packt Hub authored by Natasha Mathur. Read the original post at: