Current vulnerabilities in the SQLite database engine impact a wide range of applications and their software packages that use it as a part.

SQLite is a relational database management system used by a broad range of projects such as Google Chrome, Mozilla Firefox, Windows 10, and other well-known programs.

All applications that have an SQLite database are vulnerable to Magellan 2.0; nevertheless, the risk of “web abuse” is smaller than that in Chrome, where Chrome users are vulnerable by default to remote attack by a feature called the WebSQL API.

Exactly a year ago, a crucial vulnerability in SQLite database software was revealed by the same team of experts that exposed billions of vulnerable hacker apps.

Like the original vulnerabilities of Magellan, these new variants are triggered by insufficient input validation of SQL commands provided from a third party by the SQLite database.

An attacker will create a malicious code SQL operation. When this SQLite operation is read by the SQLite database engine, it can execute commands on the attacker’s behalf.

“These vulnerabilities were found by Tencent Blade Team and verified to be able to exploit remote code execution in Chromium render process,” Tencent disclosed in an advisory. ” As a well-known database, SQLite is widely used in all modern mainstream operating systems and software, so this vulnerability has a wide range of influence. SQLite and Google had confirmed and fixed these vulnerabilities. We will not disclose any details of the vulnerability at this time, and we are pushing other vendors to fix this vulnerability as soon as possible.”

With such vulnerabilities as long as WebSQL was allowed in the browser, Tencent was able to execute commands remotely in Google Chrome. This is a serious vulnerability as it could potentially be used by remote attackers to extensively hack a computer.

Tencent could not see any indication that these vulnerabilities were exploited in the wild and disclosed on November 16, 2019, to Google and SQLite.

These were given CVE IDs CVE-2019-13734, CVE-2019-13750, CVE-2019-13751, CVE-2019-13752, CVE-2019-13753 and patched in Google Chrome 79.0.3945.79 and in SQLite patches on 13 December 2019.

In order to remain protected all software that uses SQLite as an integral feature will update the current version of the software.

Leave a Reply

Your email address will not be published. Required fields are marked *