While this zero-day vulnerability has already been publicly disclosed, it has not yet been patched in the latest version of Chrome or Edge.
For Agarwal’s exploit to work, it needs to be chained with another vulnerability that allows it to escape the Chromium sandbox. To test the exploit, BleepingComputer launched both Chrome and Edge with the --no-sandbox flag enabled and, from there, the news outlet was able to use the exploit to launch the calculator on a system running Windows 10.
Although releasing a zero-day exploit on Twitter is controversial on its own, some users on the social network took issue with the fact that Agarwal didn’t credit Bruno Keith and Niklas Baumstark from Dataflow Security, who first discovered the vulnerability. However, Agarwal claims that he wasn’t aware that they had discovered the vulnerability when releasing his exploit.
Google is expected to release Chrome 90 to the Stable channel soon and we’ll have to wait to see if the upcoming version of its browser includes a fix for this remote code execution vulnerability.