Monday, December 17, 2018

'Magellan': A SQLite Vulnerability Affects Millions of Deployments and Billions of Devices and Browsers

Patched Brave Browser

Tencent's Blade security team has discovered a critical vulnerability in one of the most widely used databases, SQLite. Its usage is so widespread that any vulnerability could expose millions of database deployments to hackers, as this one does.

Tencent's Blade security researchers have named the vulnerability 'Magellan'. According to the team, this SQLite flaw could allow remote attackers to execute arbitrary or malicious code on affected devices, leak program memory, or crash applications.

SQLite is a lightweight relational database management system that requires minimal support from operating systems or external libraries, which has led to its wide adoption. SQLite is therefore deployed on, and compatible with, almost every device, platform, and programming language. Its usage runs into billions of deployments, including IoT devices, Windows and macOS apps, and some of the major browsers.

All Chromium-based web browsers, including Google Chrome, Opera, Vivaldi, and Brave, support SQLite through the Web SQL database API and are susceptible to remote attacks that target users of affected browsers via a maliciously crafted URL.

The researchers have not revealed the exact code of the fault and are waiting for vendors to fix the issue. So far SQLite and Google have released patches: SQLite version 3.26.0 addresses the issue, and Google released Chromium 71.0.3578.80 to patch it. The fix has been pushed to the latest versions of the Google Chrome and Brave web browsers. If you have auto-update disabled, update your web browsers. Developers should update their SQLite and notify users of their software.
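One way to carry out the update check described above, as an added example that is not from the original article or from Tencent, SQLite or Google: it compares component versions against the two fixed releases the article names. The function names and the sample inventory entries are constructed for illustration.

```python
import re
import sqlite3

# First fixed versions as stated in the article above.
FIXED = {"sqlite": (3, 26, 0), "chromium": (71, 0, 3578, 80)}

def parse_version(text):
    """Turn '3.26.0' or 'Chromium 71.0.3578.80' into a tuple of ints, or None."""
    match = re.search(r"\d+(?:\.\d+)+", text)
    if not match:
        return None
    return tuple(int(part) for part in match.group().split("."))

def is_patched(component, version_text):
    """True/False against the fixed version; None if the version is unreadable."""
    version = parse_version(version_text)
    if version is None:
        return None
    fixed = FIXED[component]
    # Pad so '3.26' equals '3.26.0', and compare numerically: as plain
    # strings, '3.9.2' would wrongly sort after '3.26.0'.
    width = max(len(version), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) >= pad(fixed)

def linked_sqlite_version():
    """Version of the SQLite library this process actually loaded."""
    conn = sqlite3.connect(":memory:")
    try:
        return conn.execute("SELECT sqlite_version()").fetchone()[0]
    finally:
        conn.close()

def audit(inventory):
    """Return (name, version, status) rows for (name, component, version) items."""
    status = {True: "patched", False: "VULNERABLE", None: "unknown"}
    return [(name, ver, status[is_patched(comp, ver)]) for name, comp, ver in inventory]

if __name__ == "__main__":
    # Constructed sample inventory; replace with versions collected from your hosts.
    inventory = [
        ("this interpreter", "sqlite", linked_sqlite_version()),
        ("kiosk browser", "chromium", "Chromium 70.0.3538.110"),
        ("embedded agent", "sqlite", "3.9.2"),
        ("desktop browser", "chromium", "71.0.3578.80"),
    ]
    for row in audit(inventory):
        print("%-18s %-24s %s" % row)
```

Vendor builds that backport fixes without changing the version number will show as VULNERABLE here and need to be checked against the vendor's own advisory.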

"Magellan is a remote code execution vulnerability discovered by Tencent Blade Team that exists in SQLite. As a well-known database, SQLite is widely used in all modern mainstream operating systems and software, so this vulnerability has a wide range of influence. After testing Chromium was also affected by this vulnerability, Google has confirmed and fixed this vulnerability. We will not disclose any details of the vulnerability at this time, and we are pushing other vendors to fix this vulnerability as soon as possible." Tencent mentioned.
"We have reported all the details of the vulnerability to Google and they have fixed the vulnerability (commit). If your product uses Chromium, please update to the official stable version 71.0.3578.80 (Release updates). If your product uses SQLite, please update to 3.26.0 (Release updates)."
