Update: this article has been revised now that Google has released a fix for this flaw.
Beware: Google Chrome, Microsoft Edge, and similar web browsers also have a serious security flaw for which no fix is yet available. The flaw was revealed yesterday (April 12) by security researcher Rajvardhan Agarwal on Twitter, where he posted an image showing a locally stored web page that "pops a calculator," i.e., demonstrates control of the PC by launching the calculator app. He posted
Agarwal linked to a GitHub page from which a proof-of-concept exploit (a benign demonstration hack) can be downloaded; Bleeping Computer reproduced the flaw, as seen in the video below.
In his first tweet, Agarwal called the vulnerability a "zero-day" flaw, which is not strictly accurate: it is the same flaw that two other researchers used to hack Chrome in last week's Pwn2Own hacking contest.
The flaw is in the V8 JavaScript engine used in Chrome, Edge, Opera, Brave, Vivaldi, and several other browsers. Agarwal used a recent change in the publicly available V8 source code to reverse-engineer the Pwn2Own exploit.
If you are using one of these browsers, don't worry yet. Chromium-based browsers are "sandboxed," meaning that exploits affecting the browser cannot "escape" into the wider Windows, macOS, or Linux system on which the browser is running.
Mobile versions of these browsers are also sandboxed, and there is no evidence that this flaw affects them.
Non-Chromium browsers such as Mozilla Firefox and Apple Safari are not affected by this flaw.
In order for Agarwal's exploit to work, the browser's sandbox must be disabled. On Windows, this can be done by typing the file path of the Chrome executable into a command-line window, adding the "--no-sandbox" flag, and executing the command; a new Chrome window will open without sandbox protection.
Unfortunately, malware can also disable the sandbox. Attackers could infect PCs, Macs, and Linux machines by other means, and the running malware could then disable the sandbox and use the Agarwal exploit to take over the machine.
Therefore, make sure you are using the best Windows 10 antivirus program or the best Mac antivirus program to prevent infection.
There is no official timetable for when a fix for this flaw will be pushed to Chrome, Edge, and related browsers, but it will likely happen within a few days. Google has pushed several other emergency updates to Chrome and Chromium in recent months.
Since this article was first posted on April 13, Google has quietly distributed an update that fixes the V8 flaw and another flaw in the browser's Blink rendering engine. The updated Chrome and Chromium versions are both 89.0.4389.128.
Brave and Edge also appear to have released updates based on the latest Chromium build, with Brave's version number matching Chromium's and Edge's being 89.0.774.76. As of this writing, Opera (75.0.3969.171) and Vivaldi (3.7.2218.52) are still based on earlier versions of Chromium.
To update Chrome, Edge, or Brave, click the Settings icon in the upper right corner of the browser window, scroll down, and look for an entry marked "About" at or near the bottom of the menu. Sometimes "About" is hidden in the "Help" submenu.
In Opera and Vivaldi, first click the browser icon in the upper left corner of the window, scroll down to "Help," and click "About" in the fly-out menu.
Select "About" and a new tab will open, indicating either that the browser is up to date or that it must be restarted to complete the installation of updates.
Linux users usually need to run their distribution's package update to get the latest version of their browser.
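The two conditions the article ties together, a Chromium-family browser running with the sandbox disabled and a build older than the Chromium release that shipped the V8 fix, can be checked from the defender's side. This is an added example, not code from the article or from any browser vendor; the process command lines are constructed, and on a real host they would come from `ps -eo args` or `Get-CimInstance Win32_Process`.

```python
"""Flag Chromium-family browser processes started with --no-sandbox and report
whether a Chrome/Chromium/Brave build predates the release carrying the V8 fix
(89.0.4389.128, per the article). Edge, Opera and Vivaldi use their own version
numbers, so the version comparison applies only to Chromium-numbered builds."""
import re

# Fixed Chromium version from the article; Chromium uses major.minor.build.patch.
FIXED_CHROMIUM = (89, 0, 4389, 128)

# Executable names of Chromium-based browsers, matched as the last path component.
BROWSER_RE = re.compile(
    r'(?:^|[\\/"])(chrome|chromium(?:-browser)?|msedge|brave(?:-browser)?|opera|vivaldi)'
    r'(?:\.exe)?(?=["\s]|$)', re.IGNORECASE)
# The flag must be a whole token, so "--no-sandbox-foo" does not count.
NO_SANDBOX_RE = re.compile(r'(?<!\S)--no-sandbox(?!\S)')

# Constructed sample process command lines (not captured from a real host).
SAMPLE_CMDLINES = [
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-sandbox',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-sandbox',
    '/usr/bin/brave-browser --profile-directory=Default',
    '/opt/google/chrome/chrome --type=gpu-process',
    '/usr/bin/some-tool --no-sandbox',
]


def parse_version(version: str) -> tuple:
    """Turn '89.0.4389.114' into (89, 0, 4389, 114) so tuples compare in order."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chromium version format: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(version: str) -> bool:
    """True when the build is at or past the release carrying the V8 fix."""
    return parse_version(version) >= FIXED_CHROMIUM


def find_unsandboxed(cmdlines) -> list:
    """Return command lines of Chromium-family browsers running without a sandbox."""
    return [line for line in cmdlines
            if BROWSER_RE.search(line) and NO_SANDBOX_RE.search(line)]


def assess(cmdlines, version: str) -> dict:
    """Combine both checks into one report a ticket or SIEM rule could consume."""
    hits = find_unsandboxed(cmdlines)
    return {"unsandboxed": hits, "patched": is_patched(version),
            "at_risk": bool(hits) or not is_patched(version)}


if __name__ == "__main__":
    print(assess(SAMPLE_CMDLINES, "89.0.4389.114"))
```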
The V8 flaw discovered at the Pwn2Own contest was classified by Google as due to "insufficient validation of untrusted input in the x86_64 version of V8."
This suggests that V8 can be tripped up by JavaScript input that it does not handle correctly. Given that the instruction set named is x86-64, i.e., 64-bit Intel/AMD chips, it is possible that this flaw does not affect 32-bit builds of Chromium browsers or other chipsets, but that is not really known.
The Blink flaw, credited to "Anonymous," is characterized simply as "Blink use after free." That is, memory freed by Blink can be "reused" in order to attack Chromium.
Whoever "Anonymous" is, they will receive an unspecified bug bounty from Google.
Sadly (or maybe not) for Bruno Keith and Niklas Baumstark, the discoverers of the V8 flaw, they have already split the $100,000 Pwn2Own prize, so they are not eligible for Google's bug bounty.