Tencent Blade Team found serious SQLite vulnerability

Recently, the Tencent Blade Team discovered a set of SQLite vulnerabilities called “Magellan 2.0”, allowing hackers to remotely run various malicious programs on the Chrome browser. There are 5 vulnerabilities in this group, numbered CVE-2019-13734, CVE-2019-13750, CVE-2019-13751, CVE-2019-13752, and CVE-2019-13753. All applications using the SQLite database will be affected by the Magellan 2.0 vulnerability.

Magellan 2.0 is a set of vulnerabilities that exist in SQLite (the former was Magellan 1.0). These vulnerabilities were found by Tencent Blade Team and verified to be exploitable for remote code execution in the Chromium render process. As a well-known database, SQLite is widely used in all modern mainstream operating systems and software, so this vulnerability has a wide range of influence. SQLite and Google have confirmed and fixed these vulnerabilities. We will not disclose any details of the vulnerability at this time, and we are pushing other vendors to fix this vulnerability as soon as possible.

SQLite Remote Code Execution Vulnerability


According to the official blog post of the Tencent Blade Security Team, in addition to all Chromium-based browsers and Google Home smart speaker devices, many popular products including Apple's iPhone, iPad, MacBook, iMac, Apple Watch, and Apple TV were also affected.

Currently, the Tencent Blade Team has cooperated with the official security teams of Google, Apple, Facebook, Microsoft, and SQLite to promote the progress of bug fixes. At the same time, the Tencent Blade Team also reminds users to act on system and software update notifications promptly. It is necessary to upgrade SQLite to the latest version, 3.26.0.

Google Chrome 71, released last week, has also patched the vulnerability. Chromium-based browsers such as Vivaldi and Brave use the latest version of Chromium. However, Opera is still running older versions of Chromium and will still be affected.