RTE security researcher Richard Tarnas recently discovered a vulnerability in Google Chrome that allows remote attackers to execute arbitrary code on the target computer, bypass security controls, and execute malicious files.
RTE says that the vulnerability, CVE-2016-3896, was discovered in the Google Chrome teamviewer web browser extension, which was included in version 37.0.2313.17 of the browser.
Rte notes that the extension does not require a username and password, making it a relatively easy target.
Google has patched the vulnerability in version 38.0 and has posted a security bulletin for the browser, which includes a list of the vulnerabilities.
The browser is built on Google’s Chromium open source project, and Google Chrome is not listed in the vulnerability list because it does not rely on Google WebKit and Chromium.
A Google spokesperson said in a statement that it has updated its browser to fix the issue.
Ternas discovered the vulnerability while investigating an exploit in the teamviewers teamview extension.
A similar issue has been found in the latest version of the Firefox web browser.
An exploit in teamview is also used to bypass the security features in Chrome.
A teamview exploit is also possible in the Firefox browser, but Tarnak found that a teamview teamview plugin in the browser allows attackers, who have compromised the victim computer, to gain remote code execution via remote code injection.
Tarna said that a potential attack on a teamView user account would allow the attacker to gain access to the remote Chrome process, and he found that the teamView teamview vulnerability was a common issue in other browsers.
A browser update in the Mozilla Firefox browser can help to mitigate the vulnerabilities, but a user must run the browser with a signed user account.
A user who runs the browser without a signed Firefox user account will not be able to log into the target system.
The exploit in RTP allows attackers with elevated administrative privileges to execute code in arbitrary code that is executed by the browser in a sandboxed environment.
The vulnerability has been fixed in the versions of Firefox that are in use by Google Chrome and the Google Webkit browser extensions, as well as in versions of the Chrome browser that use the Chrome teamView extension.
The Chrome team view extension has not been updated to address the RTP vulnerability.
Rtp security researcher Adam Schoen found that Google Chrome does not provide any way to verify whether a user is running a trusted teamview user account or an untrusted teamview account.
“Google Chrome does NOT verify the credentials of trusted or untrouted teamview users,” he wrote in a blog post.
“There are several ways to authenticate a user in the Chrome web browser, including via the browser’s UI, by requesting a trust-level certificate (if the user is not using an untrustworthy teamview browser), and by providing a trusted certificate.
The trusted certificate only allows the user to access trusted sites and apps.”
RTP said that this lack of trust is a security vulnerability, because it allows attackers who have gained elevated administrative access, to bypass browser security features and execute code that they have the right privileges to do.
The Google Chrome security team has released a patch for the Rtp vulnerability.
The RTP team has not responded to a request for comment.