The second exploit was publicly disclosed by a researcher who uses the online moniker Frust and who works for Chinese cybersecurity company Qihoo 360. Frust announced the availability of an exploit for a “zero-day” Chrome vulnerability on Twitter on Wednesday, and a few hours later published a blog post with a technical description of the vulnerability (in Chinese), which actually exists in the Chromium code.
Mitja Kolsek, CEO of ACROS Security and co-founder of third-party patching service 0patch, has confirmed for SecurityWeek that the vulnerability disclosed by Frust has not been patched in the latest versions of Chrome and Edge that were released this week. Chrome 90 was released on Wednesday, but it does not fix this security hole, for which a CVE identifier has apparently yet to be assigned.