Emerging vulnerabilities and continuous patching have been at odds with each other ever since the information age began. Flaws are often simple enough that a patch can mitigate any issues they present, but once in a while we’re confronted with a flaw which shouldn’t be taken lightly. One such vulnerability, discovered toward the end of 2018, is the SQLite Magellan bug.
The menace of Magellan
Magellan is a critical vulnerability in SQLite, a lightweight, relational database management system that comes embedded in thousands of applications and is widely deployed across multiple platforms and operating systems. Due to SQLite’s widespread use, the impact of this vulnerability is extensive. Tencent Blade Team, the experts that discovered the vulnerability, revealed that attackers can remotely execute malicious code on affected devices, leak program memory, crash applications, and cause denial of service (DoS) attacks.
Who is affected by the Magellan vulnerability?
Basically any software or device that uses SQLite—which could be in the millions—is prone to attack. Software such as Dropbox, Firefox, and the entire Adobe suite can fall prey to this vulnerability; IoT devices, mobile devices, and desktops are also at risk. Google Chrome, the most widely used web browser, suffers the most from this vulnerability because it supports SQLite through the deprecated Web SQL database API.
A simple exploit, such as tricking a user into accessing a specially crafted webpage, can trigger Magellan. It should be noted that this vulnerability doesn’t just affect Chrome, but every Chromium-based web browser, including Opera, Vivaldi, and Brave.
Resolving the Magellan vulnerability
Following the release of a Chromium update that patches the Magellan vulnerability, Google issued a similar fix for Chrome in version 71.0.3578.80, generally referred to as Chrome 71. SQLite rolled out version 3.26.0 to address the Magellan flaw, but when it comes to updating the SQLite database engine, each change has the possibility of corrupting data and wreaking havoc in your application ecosystem.
Tencent Blade Team didn’t reveal the proof-of-exploit to the public, nor is there any evidence of this vulnerability being exploited in the wild. Given the circumstances, it might be better to wait to patch each of your SQLite applications until each vendor rolls out patches of their own. With the number of applications that use SQLite, we can safely declare that 2019 will be a busy year for patching. But how equipped are you to deal with the mountain of patches that may come out each week?
This is where our completely automated patching tool, Patch Manager Plus, comes into play. With Patch Manager Plus, all you have to do is to create an automated patch deployment (APD) task, then combine it with the Test and Approve feature to deploy security updates from any vendor safely and automatically. Don’t take our word for it. Try all of Patch Manager Plus’ features free for 30 days.
** Optrics Inc. is an Authorized ManageEngine partner
The original article can be found here: