Google Chrome Impacted By New Magellan 2.0 Vulnerabilities (zdnet.com)
An anonymous reader quotes a report from ZDNet: A new set of SQLite vulnerabilities can allow attackers to remotely run malicious code inside Google Chrome, the world's most popular web browser. The vulnerabilities, five in total, are named "Magellan 2.0," and were disclosed today by the Tencent Blade security team. All apps that use an SQLite database are vulnerable to Magellan 2.0; however, the danger of "remote exploitation" is smaller than the one in Chrome, where a feature called the WebSQL API exposes Chrome users to remote attacks by default.
Just like the original Magellan vulnerabilities, these new variations are caused by improper input validation in SQL commands the SQLite database receives from a third party. An attacker can craft an SQL operation that contains malicious code. When the SQLite database engine reads this SQLite operation, it can perform commands on behalf of the attacker. In a security advisory published today, the Tencent Blade team says the Magellan 2.0 flaws can lead to "remote code execution, leaking program memory or causing program crashes." All apps that use an SQLite database to store data are vulnerable, although the vector for "remote attacks over the internet" is not exploitable by default. To be exploitable, the app must allow direct input of raw SQL commands, something that very few apps allow. Thankfully, Google patched all five Magellan 2.0 vulnerabilities in Google Chrome 79.0.3945.79, released two weeks ago.
The SQLite project also fixed the bugs in a series of patches on December 13, 2019; however, these fixes have not been included in a stable SQLite branch -- which remains v3.30.1, released on December 10.
IE 8 (Score:5, Funny)
Good thing we use IE 8 at work. We are protected
Re:IE 8 (Score:4, Funny)
Good thing we use IE 8 at work
What the hell, why did you upgrade??
PoC||GTFO (Score:2)
Why does a browser need SQL? (Score:2)
Just curious. It seems strange to need an SQL engine, especially one that can accept input from the outside world, in a browser.
Re:Why does a browser need SQL? (Score:5, Insightful)
Not any stranger than a programming language. SQL is just a DSL for set theory as it relates to persistent data. As soon as you have structured app data stored locally in sufficient volume, SQL will eventually show up.
Those who forget the set theory-related lessons of SQL are doomed to reimplement them poorly.
Re: (Score:2)
A DSL for relation algebra interpreted in set theory, not set theory. It's difficult to see the continuum hypothesis represented in SQL.
Re: (Score:2)
Re:Why does a browser need SQL? (Score:5, Informative)
Just curious. It seems strange to need an SQL engine, especially one that can accept input from the outside world, in a browser.
Because it's better than flat files. More flexible, more reliable; often much faster, too. And browsers have lots of data to persist.
Re: (Score:2)
SQLite uses flat files, though.
With a great deal of care and engineering put into ensuring that they remain consistent and correct even in the face of system failure. Of course, every application can, in theory, do the same, but that's not practical. Much better to re-use that effort than to re-create it.
Re: Why does a browser need SQL? (Score:2)
JavaScript API for web apps. It's an alternative to "localstorage".
Re: Why does a browser need SQL? (Score:2)
Firefox has been using it for as long as I can remember too.
Incoming Ob. Troll (Score:2)
Firefox has been using it
Ob. Troll:
“But, they are automagically protected against SQL bugs, because Rust !”
(Ducks and runs away)
Re: (Score:2)
FWIW, it looks like the vulnerability was caused by letting users create an integer overflow by manipulating SQL statements, which in turn triggers a buffer error and heap overflow in a full-text-search sqlite extension. If sqlite were written in Rust, this indeed probably would have been avoided.
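The bug class the comment above describes, an untrusted integer that feeds a size computation, wraps, and leaves a heap buffer smaller than what is later written into it, shown as an added illustration in C. This is not SQLite's code and does not reproduce the actual FTS defect; the entry size, the count that "arrives in an SQL statement", and the function names are constructed for the example. The hardened path uses the compiler's overflow-checked multiply plus a policy cap, which is the defensive pattern a reviewer would look for in any size arithmetic driven by external input.

```c
/* Added example, not SQLite's code: one untrusted count drives an
 * allocation size. The unchecked version wraps; the hardened version
 * refuses counts whose byte size cannot be represented or is absurd.
 * ENTRY_SIZE and the count's origin are constructed for illustration. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical fixed record size; the count is assumed to come from a
 * statement controlled by an untrusted party. */
#define ENTRY_SIZE 16u

/* Vulnerable pattern: a 32-bit multiply wraps, so a huge count yields a
 * tiny allocation. For n_entries = 2^28 + 1 the result is 16 bytes. */
uint32_t unsafe_alloc_size(uint32_t n_entries) {
    return n_entries * ENTRY_SIZE;   /* wraps for n_entries >= 2^28 */
}

/* Hardened pattern: __builtin_mul_overflow catches wrap where size_t is
 * 32-bit; the 1 GiB cap rejects absurd sizes where size_t is 64-bit.
 * Returns 1 and sets *out on success, 0 when the count is rejected. */
int safe_alloc_size(uint32_t n_entries, size_t *out) {
    size_t bytes;
    if (n_entries == 0) return 0;
    if (__builtin_mul_overflow((size_t)n_entries, (size_t)ENTRY_SIZE, &bytes))
        return 0;
    if (bytes > (size_t)(1u << 30)) return 0;   /* policy cap: 1 GiB */
    *out = bytes;
    return 1;
}

/* Builds the table through the hardened path. Returns NULL instead of
 * handing back an undersized buffer that the fill loop would overrun. */
unsigned char *build_table(uint32_t n_entries) {
    size_t bytes;
    if (!safe_alloc_size(n_entries, &bytes)) return NULL;
    unsigned char *buf = malloc(bytes);
    if (!buf) return NULL;
    for (uint32_t i = 0; i < n_entries; i++)
        memset(buf + (size_t)i * ENTRY_SIZE, 0, ENTRY_SIZE);  /* stays in bounds */
    return buf;
}

int main(void) {
    uint32_t evil = 0x10000001u;   /* 2^28 + 1, constructed hostile count */
    printf("unchecked size for %u entries: %u bytes\n", evil, unsafe_alloc_size(evil));
    unsigned char *t = build_table(evil);
    printf("hardened path %s\n", t ? "allocated" : "rejected the count");
    free(t);
    return 0;
}
```

The detection-side takeaway is the same whether or not the engine is in C: any size derived from data inside a statement needs an explicit bounds check before it reaches the allocator, and a fuzzer that feeds large counts into such paths will find the unchecked version as a heap write past the 16-byte buffer.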
Re: (Score:1)
The end user security is not a problem if the ads work as sold.
I use Firefox (Score:1)
Re: (Score:2)
Re: (Score:1)
Other browser brands are all about SJW politics, a new CoC, enjoy been seeing doing international support work.
Fearmongering. (Score:2)
not exploitable by default
Ok then, moving right along.
Re: (Score:2)
Also, already patched in the current version.
How exactly does this impact Chrome?
Re: (Score:2)
Chrome is thought to be bulletproof... so it's typical that they've already patched this. Anybody running old Chrome needs to update stat.