Homeland Security cybersecurity agency says update Google Chrome as attackers hone in on new security flaws.
Within the space of just three short weeks, Google has patched no less than five potentially dangerous vulnerabilities in the Chrome web browser.
These are not your common vulnerabilities either, but rather ones known as zero-days. A zero-day being a vulnerability that is being actively exploited by attackers while remaining unknown to the vendor or threat intelligence outfits.
Once the vendor becomes aware of the security flaw, day zero, it can start to mitigate against exploitation but not before. The attackers, therefore, have a head start.
What do we know about these zero-day Chrome flaws?
The latest two zero-days to be discovered are classed as high-severity in nature and affect Chrome for Windows, Mac and Linux.
The precise details of CVE-2020-16013 and CVE-2020-16017 have not yet been made public as Google restricts access to such information until the majority of users have updated.
However, the Department of Homeland Security cybersecurity agency, CISA, has advised that an attacker “could exploit one of these vulnerabilities to take control of an affected system.”
I can confirm that CVE-2020-16013 relates to the V8 JavaScript engine for Chrome and involves an incorrectly handled security check. Exploitation would most likely require an attacker to direct the victim to a malicious web page.
CVE-2020-16017, on the other hand, would appear to be a memory corruption vulnerability within the Chrome website sandboxing feature known as Site Isolation.
CISA urges users to update Google Chrome in light of ongoing attacks
The bad news is that attackers already know precisely what the vulnerabilities are and how to exploit them. CISA has confirmed that the security vulnerabilities have been “detected in exploits in the wild.”
Unsurprisingly, CISA is encouraging users to apply the necessary updates that Google has been rolling out this past week, as soon as possible.
That should be the good news, of course, but life is never that simple. Automatic updating ensures that Chrome is updated to the latest version once the browser is restarted.
Not everyone will have automatic updates enabled, and not all of those who do will reboot Chrome on a regular basis.
Users should go to the Help option from the ‘three-dot’ menu upper right and select About Google Chrome. This will kickstart the download of the latest version if not already downloaded and prompt you to restart the browser.
The latest version, as I write, being 86.0.4240.198 (Official Build) to be precise.
The dangers of being slow to update apps
Here’s the thing: some people are slow to update their browsers, which leaves an attack window open for days, weeks, or even longer in some cases. This is particularly apparent when it comes to the Chrome browser app.
When Google very quickly updated Chrome following one of the zero-day vulnerabilities from earlier in the month, CVE-2020-16010, users were slow to secure themselves.
“24 hours after the updated version of Chrome was available on the Play Store,” Hank Schless, senior manager of security solutions at Lookout, told me, “we observed that roughly half of Android users had updated their app.”
As well as the automatic update issue mentioned before, Schless points to older Android devices that don’t support the updated software as being partly to blame.
“Out-of-date mobile devices can be just as dangerous as out of date apps,” he says, “this leaves the user’s personal or work data open to attackers that exploit vulnerabilities patched in later versions of the mobile app or operating system.”
New research, published November 18 by Menlo Security, has revealed just how dangerous these vulnerabilities could be. Of the 49 different versions of Google Chrome being used by customers as of November 17, some 61% are running a .86 build. That, in and of itself, leaves plenty of people unprotected against these current threats, but it gets worse. A lot worse. Of those customers using a version .86 build of Chrome, 83% of them don’t have the very latest security update and are still vulnerable to attack.
I have reached out to Google concerning the spate of zero-day vulnerabilities across the last few weeks and will update this article if any statement is forthcoming.