The fix for the issue 590118 is insufficient to protect against the bindings interception. While they can’t be accessed by triggering accessors on the |modules| object anymore, it’s still possible to trap the set operation for |Binding. create| using the Object. prototype. create. The obtained constructor can then be used to take over the the built-in extensions system and gain access to native functions.
Chrome 49.0.2623.108 (Stable)
Chrome 50.0.2661.49 (Beta)
Chrome 51.0.2687.0 (Dev)
Chromium 51.0.2692.0 + Pepper Flash (Release build compiled today)
Attachment: CVE-2016-1674.zip