Quote:A researcher has dropped working exploit code for a zero-day remote code execution (RCE) vulnerability on Twitter, which  he said affects the current versions of Google Chrome and potentially other browsers, like Microsoft Edge, that use the Chromium framework.
 
Security researcher Rajvardhan Agarwal tweeted a  GitHub link to the exploit code — the result of the Pwn2Own ethical hacking contest held online last week — on Monday.
 
“Just here to drop a chrome 0day,” Agarwal wrote in his tweet. “Yes you read that right.”
 
Pwn2Own contest rules require that the Chrome security team receive details of the code so they could patch the vulnerability as soon as possible, which they did; the latest version of the Chrome V8 JavaScript engine patches the flaw, Agarwal said in a comment posted in response to his own tweet.
 
However, that patch has not yet been integrated into official releases of downstream Chromium-based browsers such as Chrome, Edge and others, leaving them potentially vulnerable to attacks. Google is expected to release a new Chrome version —including security fixes— sometime on Tuesday, though it’s unclear if patches for the bug will be included.
 
As of the time of publication, a Chrome update had not yet been released and Google had not yet replied to an email by Threatpost requesting comment about the flaw and the update.