Second Chrome Zero-day Exploit Dropped on Twitter

This exploit only works when user open Google Chrome and Microsoft Edge after disables the sandbox security feature.

Couple of days ago, a Indian security researcher have published the POC code for one of the zero-day vulnerability on Google Chrome. Now another zero-day exploit code have been dropped on twitter. 

This is the second zero-day remote code execution exploit has been released on Twitter this week that affects Google Chrome (before version 90), Microsoft Edge, and likely other Chromium-based browsers. 

The exploit code dropped by the Frust causes the Windows Notepad application to open. frust's remote code execution vulnerability is not capable of escaping Chromium's sandbox security feature. Chromium's sandbox is a security feature that prevents exploits from executing code or accessing files on host computers. Unless a threat actor chains the new zero-day with an unpatched sandbox escape vulnerability, the new zero-day in its current state cannot harm users unless they disable the sandbox.

First zero-day was drooped on Monday, so yesterday (April 14), Google release the Chrome 90 to fix both the zero-day vulnerability. Furthermore, Chrome 90 fixes 37 security bugs, including a zero-day used at the Pwn2Own competition. Chrome 90 come with the Stable desktop channel, and it includes security improvements, a new AV1 encoder, and the default protocol changed to HTTPS.

Frust also released the video demonstration the vulnerability to prove the PoC exploit code.
Note that Frust exploit only works when you open Google Chrome and Microsoft Edge using the --no-sandbox argument, which disables the sandbox security feature. After disabling the sandbox, the exploit could launch Notepad on Google Chrome till version 89.0.4389.128 and Microsoft Edge 89.0.774.76, which are the latest versions of  browser.