Users of Google’s Chrome browser have faced three security concerns over the past 24 hours in the form of a malicious extension with more than 2 million users, a just-fixed zero-day, and new information about how malware can abuse Chrome's sync feature to bypass firewalls. Let’s discuss them one by one.
First up, the Great Suspender, an extension with more than 2 million downloads from the Chrome Web Store, has been pulled from Google servers and deleted from users’ computers. The extension has been an almost essential tool for users with small amounts of RAM on their devices. Since Chrome tabs are known to consume large amounts of memory, the Great Suspender temporarily suspends tabs that haven’t been opened recently. That allows Chrome to run smoothly on systems with modest resources.
Characteristically terse
Google's official reason for the removal is characteristically terse. Messages displayed on devices that had the extension installed say only, “This extension contains malware” along with an indication that it has been removed. A Google spokesman declined to elaborate.
The longer back story is that, as reported in a GitHub thread in November, the original extension developer sold it last June, and it began showing signs of malice under the new ownership. Specifically, the thread said, a new version contained malicious code that tracked users and manipulated Web requests.
The automatic removal has left some users in the lurch because they can no longer easily access suspended tabs. Users in this Reddit thread have devised several ways to recover their tabs.
High-severity zero-day
Next, Google on Thursday released a Chrome update that fixes what the company said was a zero-day vulnerability in the browser. Tracked as CVE-2021-21148, the flaw is a heap buffer overflow in V8, Google’s open source JavaScript engine. Google rated its severity as “high.”
Once again, Google provided minimal information about the vulnerability, saying only that the company “is aware of reports that an exploit for CVE-2021-21148 exists in the wild.”
In a post published Friday by security firm Tenable, however, researchers noted that the flaw was reported to Google on January 24, one day before Google’s threat analysis group dropped a bombshell report that hackers sponsored by a nation-state were using a malicious website to infect security researchers with malware. Microsoft issued its own report speculating that the attack was exploiting a Chrome zero-day.
Google has declined to comment on that speculation or provide further details about exploits of CVE-2021-21148.
Sync abuse
Lastly, a security researcher reported on Thursday that hackers were using malware that abused the Chrome sync feature to bypass firewalls so the malware could communicate with its command and control servers. Sync lets users share bookmarks, open tabs, extensions and their stored data, and passwords across devices signed in to the same Google account. Because that traffic goes to Google’s own servers, which corporate firewalls almost always allow, data a malicious extension writes into its synced storage rides out of the network along with everything else Chrome syncs.
The attackers used a malicious extension that was not available in the Chrome Web Store, so it had to be loaded onto the victim’s machine by other means. The researcher’s report provides a wealth of technical details.
A Google spokesman said that developers won’t be modifying the sync feature because physically local attacks (meaning those in which the attacker already has access to the computer, as sideloading an extension requires) are explicitly outside of Chrome's threat model. He included a link to documentation that further explains the reasoning.
None of these concerns means you should ditch Chrome, or even the sync feature. Still, it’s a good idea to check that the installed Chrome is at least 88.0.4324.150, the release current at the time of writing and the one that carries the CVE-2021-21148 fix.
The usual advice about browser extensions also applies: install them only when they’re truly useful, and vet them first by reading user reviews and looking at the permissions they request. That advice wouldn’t have saved Great Suspender users, however, since the extension turned malicious only after it changed hands and the new version arrived through Chrome’s automatic extension updates. That is precisely the problem with extensions.
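Both extension stories above come down to the same two questions about what is installed in a profile: did it come from the Chrome Web Store, and does it hold the permission mix (sync-backed storage plus broad host access, or the ability to see and rewrite requests) that made the Great Suspender and the sync-abusing extension dangerous? The script below, an added example and not code from Google or from the article, answers them from the profile's Preferences JSON. Chrome records per-extension metadata under extensions.settings.<id> in the profile's Preferences / Secure Preferences file; the field names used here (from_webstore, location, state, manifest) and the install paths are assumptions to verify against a file from your own profile, and the embedded sample is constructed, not real data.

```python
"""Triage the extensions installed in a Chrome profile.

Added example for this article, not code from Google or from the article.
Chrome keeps per-extension metadata under extensions.settings.<id> in the
profile's "Preferences" / "Secure Preferences" JSON file. The field names used
here (from_webstore, location, state, manifest) are what current Chrome writes,
but treat them as an assumption and check them against a file from your own
profile. SAMPLE_PREFERENCES below is a constructed sample.
"""
import json
import os
import sys

# Chrome's ManifestLocation codes (assumption, from Chromium's
# mojom::ManifestLocation enum): 1 = installed normally (Web Store / internal),
# 4 = unpacked, i.e. loaded from a directory in developer mode.
LOCATION_INTERNAL = 1
LOCATION_UNPACKED = 4

# "storage" is the permission behind chrome.storage.sync, the store Chrome
# replicates through sync and the one the malware in the article used as a
# command-and-control channel. Request permissions plus broad host patterns let
# an extension observe or rewrite traffic, as the Great Suspender's new owner did.
SYNC_CHANNEL_PERMS = {"storage"}
TRAFFIC_PERMS = {"webRequest", "webRequestBlocking", "declarativeNetRequest", "proxy"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample: one Web Store extension with modest permissions and one
# sideloaded extension with the combination that deserves a closer look.
SAMPLE_PREFERENCES = json.dumps({
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": True, "location": LOCATION_INTERNAL, "state": 1,
                "manifest": {"name": "Tab Saver (sample)", "version": "7.1.8",
                             "manifest_version": 2,
                             "permissions": ["tabs", "storage"]},
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "from_webstore": False, "location": LOCATION_UNPACKED, "state": 1,
                "manifest": {"name": "Endpoint Helper (sample)", "version": "1.0.0",
                             "manifest_version": 2,
                             "permissions": ["storage", "webRequest",
                                             "webRequestBlocking", "<all_urls>"]},
            },
        }
    }
})


def default_preferences_path() -> str:
    """Secure Preferences of the default profile (assumption: standard install
    locations; other profiles live in sibling directories of "Default")."""
    if sys.platform.startswith("win"):
        base = os.path.join(os.environ.get("LOCALAPPDATA", ""), "Google", "Chrome", "User Data")
    elif sys.platform == "darwin":
        base = os.path.expanduser("~/Library/Application Support/Google/Chrome")
    else:
        base = os.path.expanduser("~/.config/google-chrome")
    return os.path.join(base, "Default", "Secure Preferences")


def audit_extensions(prefs: dict) -> list[dict]:
    """Return one finding per extension that is sideloaded or holds the
    permission mix enabling sync-channel C2 or request tampering."""
    findings = []
    for ext_id, ext in prefs.get("extensions", {}).get("settings", {}).items():
        manifest = ext.get("manifest", {})
        perms = set(manifest.get("permissions", []))
        # Manifest V2 lists host patterns in "permissions"; V3 moves them to
        # "host_permissions". Accept both.
        hosts = set(manifest.get("host_permissions", [])) | (perms & BROAD_HOSTS)
        reasons = []
        if not ext.get("from_webstore", False) or ext.get("location") == LOCATION_UNPACKED:
            reasons.append("not installed from the Chrome Web Store")
        if perms & SYNC_CHANNEL_PERMS and hosts & BROAD_HOSTS:
            reasons.append("storage (chrome.storage.sync) plus access to all sites")
        if perms & TRAFFIC_PERMS:
            reasons.append("can observe or modify web requests")
        if reasons:
            findings.append({"id": ext_id, "name": manifest.get("name", "?"),
                             "version": manifest.get("version", "?"),
                             "enabled": ext.get("state") == 1, "reasons": reasons})
    return findings


def audit_sample() -> list[dict]:
    """Run the audit over the constructed sample."""
    return audit_extensions(json.loads(SAMPLE_PREFERENCES))


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else default_preferences_path()
    try:
        with open(path, encoding="utf-8") as fh:
            prefs = json.load(fh)
    except OSError:
        print(f"could not read {path}; showing the constructed sample instead")
        prefs = json.loads(SAMPLE_PREFERENCES)
    for f in audit_extensions(prefs):
        print(f"{f['id']}  {f['name']} {f['version']}  enabled={f['enabled']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Only read the file: Chrome protects Secure Preferences with an HMAC and discards entries it finds tampered with, so this is an inventory, not a remediation tool. A finding here is a prompt to look at the extension, not proof of malice; the sample Web Store extension also holds "storage", and it is the combination with all-site access or request interception, or an install path that never went through the store, that the article's two cases share. On managed machines the durable fix is policy: set ExtensionInstallBlocklist to "*" and allow specific extension IDs through ExtensionInstallAllowlist, which prevents sideloading in the first place.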
The update patches a total of seven security flaws in the desktop versions of the popular web browser
Google has released an update for its Chrome web browser that fixes a range of security flaws, including a zero-day vulnerability that is known to be actively exploited by malicious actors. The bugs affect the Windows, macOS, and Linux versions of the popular browser.
“Google is aware of reports that exploits for CVE-2021-21224 exist in the wild,” said Google about the newly disclosed zero-day vulnerability that stems from a type confusion bug in the V8 JavaScript engine that is used in Chrome and other Chromium-based web browsers.
Beyond the zero-day, the new release fixes six other security flaws, and Google specifically lists four high-severity vulnerabilities whose fixes were contributed by external researchers. The first, indexed as CVE-2021-21222, also sits in the V8 engine, this time as a heap buffer overflow.
The second flaw, tracked as CVE-2021-21225, is also in V8 and manifests as an out-of-bounds memory access. CVE-2021-21223 is an integer overflow in Mojo, Chromium’s inter-process communication layer. The fourth high-severity vulnerability, labeled CVE-2021-21226, is a use-after-free flaw in Chrome’s navigation code.
“Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could view, change, or delete data,” warned the Center for Internet Security.
As is common with such releases, the tech titan has not disclosed any further details about the security loopholes until most users have had a chance to update their web browsers to the newest available version, mitigating the chance of the vulnerabilities being exploited by threat actors.
The Government Computer Emergency Response Team Hong Kong (GovCERT.HK) issued a security alert advising users and system administrators to update their browsers. “Users of affected systems should update the Google Chrome to version 90.0.4430.85 to address the issue,” said the agency.
Considering the disclosed vulnerabilities, users would do well to update their browsers to version 90.0.4430.85 or later as soon as practicable. If you have automatic updates enabled, Chrome downloads the update in the background, but the fix only takes effect once the browser is relaunched; chrome://version shows the build that is actually running. You can also trigger the update manually from About Google Chrome, which can be found under Help in the menu bar.
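Both reports on this page end with the same instruction, compare the running Chrome build against a fixed version, and the comparison has one trap: version strings sort correctly only when the four components are compared as integers, so "9.0.0.0" must not look newer than "88.0.4324.150". The script below is an added example, not code from Google or from the articles. Its table of fixed versions is taken from the text (88.0.4324.150 for CVE-2021-21148, 90.0.4430.85 for CVE-2021-21222 through CVE-2021-21226); the version strings it parses in the demo are constructed samples of what `google-chrome --version` prints, and the binary locations it probes are assumptions about standard installs.

```python
"""Report which of the CVEs named in the two reports above a given Chrome
build is still exposed to.

Added example, not code from Google or from the articles. FIXED_IN comes from
the text; the sample version strings are constructed, and the install paths in
installed_version_text() are assumptions about standard installs.
"""
import re
import shutil
import subprocess
from typing import Optional

# Minimum build that carries each fix, as stated in the articles.
FIXED_IN = {
    "CVE-2021-21148": "88.0.4324.150",  # heap buffer overflow in V8 (exploited in the wild)
    "CVE-2021-21222": "90.0.4430.85",   # heap buffer overflow in V8
    "CVE-2021-21223": "90.0.4430.85",   # integer overflow in Mojo
    "CVE-2021-21224": "90.0.4430.85",   # type confusion in V8 (exploited in the wild)
    "CVE-2021-21225": "90.0.4430.85",   # out-of-bounds memory access in V8
    "CVE-2021-21226": "90.0.4430.85",   # use-after-free in navigation
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[tuple]:
    """Pull the first MAJOR.MINOR.BUILD.PATCH quartet out of text such as
    'Google Chrome 88.0.4324.146 ' and return it as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_fixed(installed: tuple, fixed: str) -> bool:
    """Component-wise integer comparison, so 88.0.4324.150 < 90.0.4430.85 and
    90.0.4430.9 < 90.0.4430.85, which string comparison would get wrong."""
    return installed >= parse_version(fixed)


def exposed_cves(version_text: str) -> list[str]:
    """CVEs from the table whose fix is newer than the build in version_text."""
    installed = parse_version(version_text)
    if installed is None:
        raise ValueError(f"no Chrome version found in {version_text!r}")
    return sorted(cve for cve, fixed in FIXED_IN.items() if not is_fixed(installed, fixed))


def installed_version_text() -> Optional[str]:
    """Ask a local Chrome binary for its version (assumption: standard Linux and
    macOS install locations). Returns None when nothing answers. On Windows
    chrome.exe prints nothing for --version; read chrome://version or the
    executable's file properties instead."""
    candidates = [shutil.which("google-chrome"), shutil.which("google-chrome-stable"),
                  "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"]
    for exe in filter(None, candidates):
        try:
            out = subprocess.run([exe, "--version"], capture_output=True, text=True, timeout=10)
        except (OSError, subprocess.TimeoutExpired):
            continue
        if out.returncode == 0 and parse_version(out.stdout):
            return out.stdout.strip()
    return None


if __name__ == "__main__":
    # Constructed fallback so the demo runs on a machine without Chrome.
    text = installed_version_text() or "Google Chrome 88.0.4324.146"
    missing = exposed_cves(text)
    print(f"{text}: {'up to date for these CVEs' if not missing else 'still exposed to ' + ', '.join(missing)}")
```

The check is "at least the fixed build", not "exactly the version in the article": anything newer than 90.0.4430.85 passes, which matters because the two reports on this page already name two different "latest" versions two months apart. Extend FIXED_IN from Chrome's release notes as new fixes ship, and keep in mind that the build Chrome reports from disk can be newer than the one actually running until the browser is relaunched.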