Tag Archive for: Chrome

Google Chrome users still vulnerable to multiple zero-day attacks


As business users and consumers have moved most of their workloads to the cloud, more and more of their work is being done in web browsers such as Google Chrome as opposed to in applications installed locally on their systems.

This means that the web browser is now an essential yet vulnerable entry point that, if compromised, could give cybercriminals access to a user’s entire digital life, including their email, online banking, social networks and more. Despite this risk, users are failing to update to the latest version of Google Chrome, according to new research from Menlo Security.

Tianfu Cup Hackers Exploit Microsoft Windows, Google Chrome, and iOS in Minutes


How easy is it to hack some of the world’s most popular software, such as Microsoft’s Windows 10 and Google’s Chrome? Quite easy, it seems, at least for some of the world’s best hackers. That’s what happened at this year’s Tianfu Cup in China, where brand new exploits were used against leading services.

If you are unfamiliar with the Tianfu Cup, it is one of the biggest hacking competitions in the world and the largest in China. Held each year in the central Chinese city of Chengdu, the competition has become a proving ground for security researchers.

It is also a place where leading software is put to the test against zero-day exploits. Over the two-day event, security researchers test how well popular software holds up against zero-day vulnerabilities.

Hackers at the Tianfu Cup are looking to exploit apps and programs with never-before-seen attacks. If they succeed, a point is earned, and the researchers with the most points win prizes. Last year, Microsoft Edge was successfully breached, and it seems Windows 10 was this year.

While that’s not good news for Microsoft, the company is certainly not alone. In fact, many leading platforms and services were compromised during the event. It is worth noting companies welcome these hackathons for exposing issues in software that can be fixed before an in-the-wild exploit is made.

“Many mature and hard targets have been pwned on this year’s contest,” organizers said today. The following services were successfully breached:

  • iOS 14 running on an iPhone 11 Pro
  • Samsung Galaxy S20
  • Windows 10 v2004 (April 2020 edition)
  • Ubuntu
  • Chrome
  • Safari
  • Firefox
  • Adobe PDF Reader
  • Docker (Community Edition)
  • VMware ESXi (hypervisor)
  • QEMU (emulator & virtualizer)
  • TP-Link and ASUS router firmware

Fifteen Chinese hacking groups took part in the Tianfu Cup this year. Each hacker gets three five-minute windows to attempt to…

Google squashes two more Chrome bugs under active attacks


The updates come on the heels of news of attacks exploiting another zero-day in Chrome in tandem with a previously-unknown Windows flaw

Two weeks after patching an actively-exploited vulnerability affecting Chrome for desktop, Google is squashing another zero-day bug in the browser’s version for Windows, macOS, and Linux, as well as pushing out an update for Chrome for Android that plugs yet another security loophole that is being exploited in the wild.

“Google is aware of reports that an exploit for CVE-2020-16009 exists in the wild,” said the tech giant about the newly-disclosed flaw that stems from an inappropriate implementation in the V8 JavaScript engine and impacts the browser’s desktop versions.

The bug, classified as high-severity, was discovered by researchers from Google’s Threat Analysis Group and Project Zero. Details about the vulnerability are very sparse due to Google’s policy that clearly states that “access to bug details and links may be kept restricted until a majority of users are updated with a fix.”

Per the National Vulnerability Database, the flaw “could allow an attacker to potentially exploit heap corruption via a crafted HTML page.”

Users would do well to update their browsers to the latest version (86.0.4240.183) as soon as possible. If you have automatic updates enabled, your browser should update by itself. Otherwise you’ll have to do it manually by navigating to the About Google Chrome section, which can be found under Help in the side menu.

The update also brings fixes for a total of 10 vulnerabilities, with Google specifically listing seven high-risk flaws where the fixes were contributed by external…

Google Patches Actively-Exploited Zero-Day Bug in Chrome Browser – Threatpost

  1. Google Patches Actively-Exploited Zero-Day Bug in Chrome Browser  Threatpost
  2. Google patches Chrome zero‑day under attack  We Live Security
  3. Google releases Chrome security update to patch actively exploited zero-day  ZDNet
  4. New Chrome 0-day Under Active Attacks – Update Your Browser Now  The Hacker News
  5. Chrome zero-day in the wild – patch now!  Naked Security