Tag Archive for: Chrome

Google Warns of New Chrome Zero-Day Attack



The high-severity vulnerability, tracked as CVE-2023-2033, is described as a type confusion in the Chrome V8 JavaScript engine.
Another day, another zero-day attack hitting widely deployed software from a big tech provider.
Google on Friday joined the list of vendors dealing with zero-day attacks, rolling out a major Chrome Desktop update to fix a security defect that’s already been exploited in the wild.
The high-severity vulnerability, tracked as CVE-2023-2033, is described as a type confusion in the Chrome V8 JavaScript engine. 
“Google is aware that an exploit for CVE-2023-2033 exists in the wild,” the company said in a barebones advisory that credits Clément Lecigne of Google’s Threat Analysis Group for reporting the issue.
The company did not provide any additional details of the bug, the in-the-wild exploitation, indicators of compromise (IOCs) or any guidance on the profile of targeted machines.   
Google said access to bug details and links may be kept restricted until a majority of users are updated with a fix. The company said it may also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
The patch is being pushed to Chrome 112.0.5615.121 for Windows, Mac and Linux and will roll out via the software’s automatic patching mechanism over the coming days/weeks.
The Chrome zero-day patch comes days after Microsoft acknowledged a zero-day in its flagship Windows operating system was being hit by ransomware actors.


Like Google and Microsoft, Apple has also struggled with zero-day exploits and shipped a major patch a week ago to fix a pair of code execution flaws in its iOS, macOS and iPadOS platforms.
So far this year, there have been 20 documented in-the-wild zero-day compromises, according to data tracked by SecurityWeek.  Security defects in code from Microsoft, Apple and Google account for 12 of the 20 zero-days in 2023. 

New Emergency Google Chrome Security Update—0Day Exploit …



Google has confirmed that a zero-day security vulnerability in its Chrome web browser is being actively exploited and has issued a rare emergency security update in response. Although Chrome security updates are not, per se, the rarest of beasts, updates that fix a solitary, actively exploited, 0Day vulnerability are far from the norm. You can be sure that when such an emergency security update drops, it’s time to take it seriously and ensure your browser has been protected.
06/08 update below. This article was originally published on June 6.
In a June 5 announcement posted to the Chrome releases blog, Google confirms that the desktop application has been updated to version 114.0.5735.106 for Mac and Linux and 114.0.5735.110 for Windows. All of which, Google says, will “roll out in the coming days/weeks.”
Although the announcement says that two security fixes are included in this update, only one is actually detailed: CVE-2023-3079. The other falls into the routine “found by fuzzing and internal audits” category, and these are never deemed important enough to detail in the update postings.
CVE-2023-3079 is a type confusion vulnerability in the V8 JavaScript engine and Google’s own Threat Analysis Group discovered the vulnerability. While that is all the technical information that Google is releasing at the moment so as to allow time for the update to be rolled out to as many users as possible first, there is one published detail that is critical. “Google is aware that an exploit for CVE-2023-3079 exists in the wild.”
Which means that you shouldn’t play the waiting game, but instead go check that your browser has, indeed, been updated. The very act of going to check on your Chrome version number will kickstart a download and installation of the security update if it has reached you already. However, to activate the update, you must restart the browser. This latter point is crucial for those of you who tend to run with dozens of tabs open and rarely close the browser at all.
CVE-2023-3079 is the third zero-day of 2023 for Google Chrome. It poses a significant risk, according to Mike Walters, vice-president of vulnerability and threat research at…


Google urges users to update Chrome to address zero-day vulnerability



Google has released Chrome version 112.0.5615.121 to address a vulnerability that can allow malicious code execution on Windows, Mac, and Linux systems.

Google has released an emergency Chrome security update to address a zero-day vulnerability targeted by an exploit, already in circulation on the internet, that can allow malicious code to be executed.
Google is urging users to upgrade Chrome to the new version, 112.0.5615.121, as soon as possible. The updated version addresses the vulnerability, which affects Windows, Mac, and Linux systems, and is listed as CVE-2023-2033 in the US’ National Vulnerability Database.
Meanwhile, the update will roll out in the coming weeks on Google’s stable desktop channel, the company said.
The high-severity vulnerability was described by Google as a “type confusion” issue in the V8 JavaScript engine. Google Chrome V8 is Google’s open source JavaScript and WebAssembly engine.

“Google is aware that an exploit for CVE-2023-2033 exists in the wild,” the company said in a statement on April 14.
NIST, the US Commerce Dept. agency that runs the National Vulnerability Database, went further in its CVE description about the vulnerability. “Type confusion in V8 in Google Chrome prior to 112.0.5615.121 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page,” NIST said.
Google is yet to release complete details on the vulnerability. “Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google said in the statement. 
To update Chrome, users can click the overflow menu on the right side of the menu bar and then go to Help and About Google Chrome. Chrome will automatically check for browser updates and, by default, update the browser. Once the update is complete, users need to restart the browser. 

Clément Lecigne of Google’s Threat Analysis Group identified the vulnerability and reported the issue on April 11. In addition to fixing CVE-2023-2033, the Chrome update also fixes a variety of issues detected during internal audits and other initiatives, the company said.
This is the first zero-day vulnerability…


Google Chrome mimicked to spread malware


Bogus browser updates that mimic notifications from Google Chrome, Mozilla Firefox, and Microsoft Edge are being increasingly used by criminals to install malware on target computers.

Cybersecurity firm Proofpoint issued its latest bulletin on October 17th, where it revealed that the threat group codenamed TA569 had been using such lures to deploy its SocGholish malware for five years.

The group is believed to be an initial access broker – a facilitator for ransomware gangs that sells sensitive data illegally obtained for the purposes of breaking past a target organization’s cyber defenses.

“Fake browser updates refer to compromised websites that display what appears to be a notification from the browser developer such as Chrome, Firefox, or Edge, informing them that their browser software needs to be updated,” said Proofpoint. “When a user clicks on the link, they do not download a legitimate browser update but rather harmful malware.”

The cybersecurity analyst adds that it is currently monitoring “at least four distinct threat clusters” that use this tactic. However, it adds that not all groups on its radar are using the same lure to deliver the same payload.

“It is important to identify to which campaign and malware cluster the threat belongs, to help guide defender response,” said Proofpoint. “Specific indicators of compromise associated with the identified activities change regularly, as the threat actors are routinely moving their infrastructure and changing details in their payloads.”

Proofpoint recommends other cybersecurity professionals, or concerned amateurs, consult the @monitorsg account on the Infosec Exchange platform, describing it as “a useful public resource for following along with recent details on payloads and infrastructure changes.”
