A critical vulnerability has been discovered in the SQLite database software which exposes billions of apps to hackers.
The flaw was found by cyber security researchers at Tencent’s Blade Team, who dubbed it ‘Magellan’. The vulnerability allows remote attackers to execute arbitrary or malicious code on affected devices, leak program memory or crash applications.
SQLite is a widely used, lightweight, disk-based relational database management system that needs only minimal support from operating systems or external libraries, so it is compatible with almost every device, platform, and programming language. It is the most widely used database engine in the world at present, with millions of applications and literally billions of deployments, including IoT devices, macOS and Windows apps, major web browsers, Adobe software, Skype and more.
Chromium-based web browsers such as Google Chrome, Opera, Vivaldi, and Brave also support SQLite, so a remote attacker can easily target users of affected browsers by persuading them to visit a specially crafted web page.
The researchers reported in their blog that, after they verified that Chromium was affected by this vulnerability, Google confirmed the issue and fixed it.
To address this issue, SQLite has released an updated version of its software, 3.26.0.
Google has patched this issue by releasing Chromium version 71.0.3578.80 and has pushed the patched version to the latest versions of the Google Chrome and Brave web browsers.
The researchers built a proof-of-concept exploit using the Magellan vulnerability and successfully tested it against Google Home.
They have not released the technical details or the proof-of-concept exploit code to the public, because most of the affected applications cannot be patched soon.
The Magellan vulnerability has not been exploited in the wild, but it is still notable because SQLite is used by everybody, including Adobe, Apple, Dropbox, Firefox, Android, Chrome, Microsoft etc.
Those who use this software are strongly advised to update their systems and any affected versions to the latest release as soon as it is available.
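To act on the update advice above, the following added example (not code from the researchers, SQLite or Google) checks a software inventory against the two fixed releases named in the article. The host names and the inventory entries are constructed, and the helper names are hypothetical; versions are compared numerically because a plain string comparison would wrongly rank 3.9.2 above 3.26.0.

```python
import re
import sqlite3

# Fixed releases as stated in the article above.
FIXED = {
    "sqlite": (3, 26, 0),
    "chromium": (71, 0, 3578, 80),
}

def parse_version(text):
    """Turn '3.9.2' into (3, 9, 2) so comparison is numeric, not lexical."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def is_patched(component, version):
    """True if version is at or above the fixed release for component."""
    fixed = FIXED[component.lower()]
    found = parse_version(version)
    # Pad the shorter tuple with zeros so '71.0' compares sanely with 4 parts.
    width = max(len(fixed), len(found))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(found) >= pad(fixed)

def audit(inventory):
    """Return the (host, component, version) entries still below the fix."""
    return [(h, c, v) for h, c, v in inventory if not is_patched(c, v)]

def local_sqlite_patched():
    """Check the SQLite library linked into this Python interpreter."""
    return is_patched("sqlite", sqlite3.sqlite_version)

# Constructed sample inventory (hosts and versions are made up).
SAMPLE = [
    ("kiosk-01", "sqlite", "3.9.2"),
    ("build-02", "sqlite", "3.26.0"),
    ("desk-17", "chromium", "70.0.3538.110"),
    ("desk-18", "chromium", "71.0.3578.80"),
    ("desk-19", "chromium", "71.0.3578.98"),
]

if __name__ == "__main__":
    for host, comp, ver in audit(SAMPLE):
        print(f"{host}: {comp} {ver} is below the fixed release")
    print("local SQLite patched:", local_sqlite_patched())
```

Applications that bundle their own copy of SQLite do not pick up a system library update, so each bundled copy needs its own inventory entry.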