Briefing on the Chrome V8 engine "BadKernel" vulnerability

2016-08-24T00:00:00
ID MYHACK58:62201678361
Type myhack58
Reporter Anonymous
Modified 2016-08-24T00:00:00

Description

Recently, the China National Vulnerability Database of Information Security (CNNVD) received a report from the 360 Mobile Guard Alpha Team on the Chrome V8 engine "BadKernel" vulnerability. The vulnerability exists in earlier versions of the Chrome V8 engine, and a remote attacker can use it to carry out remote attacks against products that use the affected engine. Because the vulnerability has a wide impact and the harm is relatively serious, CNNVD has, under its relevant provisions, recorded the vulnerability and assigned it the number CNNVD-201608-414.

I. Vulnerability introduction

Chrome V8 is the engine Google Chrome uses to parse JavaScript. Versions 3.20 to 4.2 of the Chrome V8 engine contain a remote code execution vulnerability (vulnerability number: CNNVD-201608-414). The vulnerability arises because the exception type "observe_accept_invalid" is mistakenly written as "observe_invalid_accept" in the source code, which leaks the key kMessages object; an attacker can exploit this to execute arbitrary code.

II. Vulnerability impact

1. The X5 kernel in the X5SDK provided by Tencent Browsing Service integrates the Chrome V8 engine and is therefore affected by the vulnerability. According to the Tencent Browsing Service description, Android apps that use the X5SDK, such as WeChat, Mobile QQ, Qzone, Jingdong (JD.com), 58 Tongcheng, Sohu Video and Sina News, may be affected by the vulnerability.

2. Mobile apps developed with the WebView control on Android 4.4.4 to 5.1 may be affected by the vulnerability.

3. A remote attacker can attack by the following means:
(1) inducing the user to scan a QR code;
(2) inducing the user to click a malicious link.

4. Exploiting the vulnerability may cause the following harm:
(1) compromise of user privacy, such as contacts, SMS messages, voice recordings and video recordings;
(2) financial loss to the user, such as theft of the payment password or wallet password;
(3) remote control of the phone.

III. Remediation measures

1. Vendors using Chrome V8 engine versions 3.20 to 4.2: at https://chromium.googlesource.com/v8/v8/+/3.27.34.21/src/messages.js#75, change observe_invalid_accept to observe_accept_invalid.

2. Potentially affected users:
(1) To check whether you are affected, open the following web page in the browser. If the page can obtain the kMessages object and pops up the object, the vulnerability is present; if it pops up undefined, the vulnerability is not present.
(2) If you are affected, pay timely attention to vendor-released patches.

3. Until the vulnerability is fixed, users are advised not to click untrusted links.

This report was supported by the CNNVD technical support unit, Beijing Qihoo Technology Co., Ltd. CNNVD will continue to track the vulnerability and release relevant information in a timely manner. If necessary, contact CNNVD promptly. Contact phone: 010-82341439
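
The root cause named in this advisory is a message key that callers reference under one name while the message table defines it under another (observe_accept_invalid versus observe_invalid_accept). The check below lists every referenced key the table does not define and suggests a defined key made of the same words in a different order. It is an added example, not code from the advisory or from V8; the table layout, the Make...Error("key") call shape and both sample sources are assumptions constructed for illustration.

```javascript
// Constructed sample input (not V8 source): a message table and two callers.
const SAMPLE_TABLE = `
var kMessages = {
  observe_non_object: ["Object.observe cannot observe non-object"],
  observe_invalid_accept: ["Object.observe accept must be an array of strings."],
};`;
const SAMPLE_CALLERS = `
if (!objectOk) throw MakeTypeError("observe_non_object", ["observe"]);
if (!acceptOk) throw MakeTypeError("observe_accept_invalid");
`;

// Keys defined in the table: lines shaped like `name: [` (assumed layout).
function definedKeys(tableSrc) {
  const keys = new Set();
  for (const m of tableSrc.matchAll(/^\s*([A-Za-z_]\w*)\s*:\s*\[/gm)) {
    keys.add(m[1]);
  }
  return keys;
}

// Keys referenced by callers: Make<Kind>Error("name" ...) (assumed call shape).
function referencedKeys(callerSrc) {
  const refs = [];
  const re = /\bMake\w*Error\(\s*["']([A-Za-z_]\w*)["']/g;
  callerSrc.split("\n").forEach((line, i) => {
    for (const m of line.matchAll(re)) refs.push({ key: m[1], line: i + 1 });
  });
  return refs;
}

// Order-insensitive form of a key: a_b_c and a_c_b compare equal.
const wordBag = (k) => k.split("_").sort().join("_");

// Report each referenced key missing from the table, with a likely
// intended key when a defined key has the same words reordered.
function findUndefinedKeys(tableSrc, callerSrc) {
  const defined = definedKeys(tableSrc);
  return referencedKeys(callerSrc)
    .filter((r) => !defined.has(r.key))
    .map((r) => ({
      ...r,
      suggestion: [...defined].find((d) => wordBag(d) === wordBag(r.key)) || null,
    }));
}

console.log(findUndefinedKeys(SAMPLE_TABLE, SAMPLE_CALLERS));
```

Run against a real tree, the two source strings would be read from the message table file and the files that raise errors; any non-empty result is a mismatch to fix before release.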