Critical Chrome Cyber Bugs: Update NOW

Google Chrome has a bunch of bugs, some of which might pwn your PC or Mac. The security vulnerabilities are fixed in a new update, which you should probably go and get (from the comfort of your home).

As if the government wasn’t giving you enough advice already. The U.S. Cybersecurity and Infrastructure Security Agency (CISA), an agency of the Department of Homeland Security, is warning of arbitrary code execution if exploited.

So find the About menu item. In today’s SB Blogwatch, we keep our distance.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Californian Maneater.

Fend Off These Flaws

What’s the craic? Lindsey O’Donnell reports—“Google Squashes High-Severity Flaws”:

 Google released security patches to stomp out high-severity vulnerabilities in its Chrome browser. … The most severe of these flaws could allow for arbitrary code execution.

These included two high-severity vulnerabilities the WebAudio component of Chrome (CVE-2020-6450 and CVE-2020-6451). [They] are both use-after-free flaws [which] can cause an array of malicious impacts, from causing a program to crash, to potentially leading to execution of arbitrary code. … CVE-2020-6450 could be exploited remotely [without] authentication.

CVE-2020-6452 is a heap-based buffer overflow … in the Media component of Chrome. [It] was reported by a researcher under the alias “asnine” on March 9.

And Davey Winder adds—“U.S. Government: Update Chrome 80 Now”:

 The Cybersecurity and Infrastructure Security Agency (CISA) has advised users to update Google Chrome as new high-rated security vulnerabilities have been found. … It went on to state that it “encourages” users and administrators to apply the update [to] version 80.0.3987.162.

CISA, a standalone federal agency under the U.S. Department of Homeland Security (DHS) oversight, is responsible for protecting “the Nation’s critical infrastructure from physical and cyber threats.” … It’s not just CISA that is warning about the need to update. … The Center for Internet Security (CIS) is a non-profit entity that works to safeguard both private and public organizations against cyber threats.

In a worst-case scenario, the attacker would be able to view data, change data or delete data. … There have been no in-the-wild reports of these vulnerabilities being exploited by threat actors, [but] that does not reduce the potential impact.

All it would take … is to get the user to visit, by way of a phishing attack or even redirection from a compromised site, a maliciously crafted web page.

As is often the case, precise detail of the vulnerabilities is not being disclosed at this stage. … Google has said that the Chrome update will roll out over the coming days and weeks, but you really shouldn’t wait. … Checking to see what version you have will also prompt an update to the latest version.

In case you were in any doubt, the U.S. Center for Internet Security warns that the vulns “Could Allow for Arbitrary Code Execution”:

 We recommend the following actions be taken:

  • Apply the stable channel update provided by Google to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.
  • Apply the Principle of Least Privilege to all systems and services.

But the guv’mint? Dont tread on me! Silviu Stahie shrugged—“US Government Advises Everyone to Upgrade”:

 The US Cybersecurity and Infrastructure Security Agency (CISA) is advising companies, institutions and regular users to update their Google Chrome browsers to the latest version as soon as possible. … It makes sense for CISA to get involved when there’s a significant risk. Google Chrome is widely used.

Technically, if these vulnerabilities … were exploitable, attackers would be able to execute arbitrary code in the context of the browser, which would grant them the ability to view, change and delete data. … The good news is that there’s no evidence any of these high-severity vulnerabilities are being exploited in the wild.

Who found the flaws? Google’s Srinivas Sista discloses a “Stable Channel Update for Desktop”:

 ”Man Yue Mo of GitHub Security Lab [and] “asnine.” … We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.

As usual, our ongoing internal security work was responsible for a wide range of fixes. [And] various fixes from internal audits, fuzzing and other initiatives.

Chrome has a huge market share. Mark markdavis’ words: [You’re fired—Ed.]

 And thus the extreme danger of a browser monoculture; one of many, actually. It is up to geeks like us to encourage existence and use of alternatives.

And since many bugs could be in the core, and almost all browsers now are actually just Chrome-in-disguise, Firefox is about the only alternative left. … There are really only two, modern, multiplatform, open source browsers left at all: Chrom* and Firefox.

Google has “infected” just about every browser in use that isn’t Firefox. That is … very scary.

In addition to a huge threat to privacy and open standards, It is a security nightmare timebomb ticking away.

But innocent_white_lamb give a knowing wink:

 Unfortunately, there are a few websites that work only with Chrome. I use Firefox for almost all of my web browsing … but there are some websites that just don’t work with anything but Chrome. So I reluctantly load Chrome on the occasions that I need to access those sites.

One of them is the site that I use to order some supplies for my business, so it’s not like I have much of an option. [One is] the ordering site for Pepsi. … A box pops up to enter your username and password. That box will not, under any circumstances, pop up … on Firefox. … There’s probably thousands of users, from corner stores to Walmart, who order stuff through that website.

Meanwhile, who cares about modern, graphical browsers? infolation is informative:

 Since 2008, Lynx has had 5 vulnerabilities whereas Google Chrome had 1,858.

And Finally:

Mark Vidler is back, baby

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Andrew Skudder (cc:by-sa)

Richi Jennings

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 628 posts and counting.See all posts by richi