If you use any of the affected products e.g. Google Chrome, Mozilla Firefox or Android WebView (full list provided below), please make certain to update them to the latest version available.
In the closing days of December, security researchers from the Tencent Blade team disclosed five vulnerabilities that affect the SQLite database. This is used in products such as Google Chrome, Android WebView, Mozilla Firefox and Windows 10 (among others):
Why should these vulnerabilities be considered important?
Due to the widespread use of the affected products and the severity of the vulnerabilities, the potential for a large impact is present. These vulnerabilities, if exploited, could allow “remote code execution in Chromium render process”.
However, the CVSS base scores (defined) for all but one vulnerability (at 8.8: High) are 6.5, Medium severity. Thus, these vulnerabilities are NOT critical but of medium to high severity. The rationale for this is explained by the creator of SQLite, D. Richard Hipp. While the comment is from 2018, it is still valid since most applications which use SQLite are not exposed to remote attacks:
“Reports of an RCE vulnerability in SQLite are greatly exaggerated. Some clever gray-hats found a way to get RCE using maliciously crafted SQL. So, IF you allow random internet users to run arbitrary SQL on your system, you should upgrade. Otherwise, you are not at risk” (Source).
While Chromium-based browsers effectively do allow “random internet users to run arbitrary SQL”, Google has already issued an update (see below). Other browsers will follow, e.g. Opera did so on the 27th of December, upgrading to the same version of Chromium that Google issued, namely 79.0.3945.79.
How can I protect my organisation or myself from these vulnerabilities?
If you use any of the following products, please make certain to update to the most recent versions available. Google made available Chrome version 79.0.3945.79 on the 10th of December to resolve these vulnerabilities with Opera following on the 27th of December:
Affected Products (among others):
Chrome/Chromium prior to version 79.0.3945.79
Smart devices using an old version of Chrome/Chromium.
Browsers built with an old version of Chromium/WebView.
Android apps that use an old version of WebView and can access any web page.
Software that uses an old version of Chromium and can access any web page.
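The advice above boils down to one check: is the Chrome/Chromium build in use older than 79.0.3945.79? The following is an added example, not code from the original post, showing how to make that comparison correctly for an inventory or patch-compliance script. It assumes a Linux install whose `google-chrome --version` prints a string such as "Google Chrome 79.0.3945.79"; the binary name and the sample version strings are assumptions. Note that the version must be compared numerically, component by component: a plain string comparison would rank "100.0.4896.60" below "79.0.3945.79" and report a fully patched browser as vulnerable.

```python
# Added example (not from the original post): flag Chrome/Chromium builds
# older than the fixed release 79.0.3945.79 named in the advisory.
import re
import subprocess

FIXED_CHROME_VERSION = "79.0.3945.79"  # fixed version stated in the advisory


def parse_version(text):
    """Extract the first dotted version string in text as a tuple of ints.

    Tuples of ints compare component by component, so (100, 0, ...) > (79, ...).
    Plain string comparison would wrongly rank "100.0.4896.60" below
    "79.0.3945.79" because '1' sorts before '7'.
    """
    match = re.search(r"\d+(?:\.\d+)+", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_vulnerable(version_text, fixed=FIXED_CHROME_VERSION):
    """True if the build in version_text predates the fixed release."""
    return parse_version(version_text) < parse_version(fixed)


def installed_chrome_version(binary="google-chrome"):
    """Ask the local browser binary for its version string.

    Assumption: a Linux install where `<binary> --version` prints a line
    like 'Google Chrome 79.0.3945.79'. Adjust `binary` for other platforms.
    """
    result = subprocess.run(
        [binary, "--version"], capture_output=True, text=True, check=True
    )
    return result.stdout.strip()


if __name__ == "__main__":
    # Constructed sample strings in the format `--version` prints; they are
    # not taken from any real host.
    samples = [
        "Google Chrome 78.0.3904.108",
        "Chromium 79.0.3945.79",
        "Google Chrome 100.0.4896.60",
    ]
    for sample in samples:
        status = "UPDATE REQUIRED" if is_vulnerable(sample) else "ok"
        print(f"{sample}: {status}")
```

To check a real host, replace the constructed samples with `installed_chrome_version()`; the same `parse_version` logic applies to the Chromium version string embedded in a WebView or Electron user agent, which is the practical way to cover the "software built with an old version of Chromium" entries in the list.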