Blade Team, the security arm of Chinese tech giant Tencent, has announced the discovery of a serious security flaw in the SQLite database engine as 'widely used in all modern mainstream operating systems and software', including browsers based on the Chromium engine.
A relational database management system (RDBMS) designed for embedded use, SQLite was first released in August 2000 and quickly became the go-to solution for relational database needs where a heavier client-server implementation would be inappropriate. It's used in everything from games to keep track of player inventory to operating systems to keep track of system settings, and thus a security flaw in SQLite is a security flaw in a vast swathe of software.
That makes the issue discovered by Tencent's Blade Team, then, considerably concerning: a remote code execution (RCE) flaw in SQLite itself, which can be triggered as simply as sending the victim a malicious email or directing them to a malicious web page.
'Magellan is a remote code execution vulnerability discovered by Tencent Blade Team that exists in SQLite,' Blade Team explains of the flaw, details of which it has chosen to keep private. 'As a well-known database, SQLite is widely used in all modern mainstream operating systems and software, so this vulnerability has a wide range of influence.'
The flaw has been confirmed as affecting a wide range of software with SQLite embedded, including the Chromium web browser engine on which Google's Chrome browser - among others - is based. 'After testing Chromium was also affected by this vulnerability, Google has confirmed and fixed this vulnerability,' the company continues. 'We will not disclose any details of the vulnerability at this time, and we are pushing other vendors to fix this vulnerability as soon as possible.'
The flaw has been proven to be exploitable in embedded systems as well as PC-based client software, with Tencent using it to exploit the Google Home voice-activated assistant system. While Google has patched Chromium for the flaw, with the release of version 71.0.3578.80, it is not known whether Google Home is still vulnerable. A few more details, but no specifics or exploit code, can be found on the security announcement.
February 24 2020 | 12:00