SQLite bug impacts thousands of apps, including all Chromium-based browsers

[silversurfer]

A security vulnerability in the massively popular SQLite database engine puts thousands of desktop and mobile applications at risk.

Discovered by Tencent's Blade security team, the vulnerability allows an attacker to run malicious code on the victim's computer, and in less dangerous situations, leak program memory or cause program crashes.

Because SQLite is embedded in thousands of apps, the vulnerability impacts a wide range of software, from IoT devices to desktop software, and from web browsers to Android and iOS apps.

The bad news, according to Tencent Blade researchers, is that this vulnerability can also be exploited remotely by accessing something as simple as a web page, if the underlying browser support SQLite and the Web SQL API that translates the exploit code into regular SQL syntax.

Firefox and Edge don't support this API, but the Chromium open-source browser engine does. This means that Chromium-based browsers like Google Chrome, Vivaldi, Opera, and Brave, are all affected.

Tencent Blade researchers said they reported this issue to the SQLite team earlier this fall. A fix was shipped out on December 1, with the release of SQLite 3.26.0. The fix was also ported inside Chromium, and later in Google Chrome 71, released last week.

Source: https://www.zdnet.com/article/sqlite-bug...-browsers/