Google has just patched Chrome’s eighth zero-day hole of the year so far.
Zero-days are bugs for which there were zero days you could have updated proactively…
…because cybercriminals not only found the bug first, but also figured out how to exploit it for nefarious purposes before a patch was prepared and published.
So, the quick version of this article is: go to Chrome’s Three-dot menu (⋮), choose Help > About Chrome, and check that you have version 107.0.5304.121 or later.
Two decades ago, zero-days often became widely known very quickly, typically for one (or both) of two reasons:
- A self-spreading virus or worm was released to exploit the bug. This tended not only to draw attention to the security hole and how it was being abused, but also to ensure that self-contained, working copies of the malicious code were blasted far and wide for researchers to analyse.
- A bug-hunter not motivated by making money released sample code and bragged about it. Paradoxically, perhaps, this simultaneously harmed security by handing a “free gift” to cybercriminals to use in attacks right away, and helped security by attracting researchers and vendors to fix it, or come up with a workaround, quickly.
These days, the zero-day game is rather different, because contemporary defences tend to make software vulnerabilities harder to exploit.
Today’s defensive layers include: additional protections built into operating systems themselves; safer software development tools; more secure programming languages and coding styles; and more powerful cyberthreat prevention tools.
In the early 2000s, for instance – the era of super-fast-spreading viruses such as Code Red and SQL Slammer – almost any stack buffer overflow, and many if not most heap buffer overflows, could be turned from theoretical vulnerabilities into practicable exploits in quick order.
In other words, finding exploits and “dropping” 0-days was sometimes almost as simple as finding the underlying bug in the first place.
And with many users running with
Administrator privileges all the time, both at work and at home, attackers rarely needed to find ways to chain exploits together to take…