Google Chrome Urgency: You Have 72 Hours to Update Your Browser

Chrome users need to act quickly, as a critical update deadline is just 72 hours away. Recently, Google confirmed that hackers have exploited two serious vulnerabilities in Chrome, and users need to update their browsers to stay protected.

Sep 15, 2024 - 15:34

Updated on September 15 with details of a new “kiosk mode” attack targeting Chrome users.

The first issue, CVE-2024-7971, was publicly disclosed in a Chrome update on August 21. It was soon revealed that another memory flaw, CVE-2024-7965, fixed in the same update, was also being exploited. A week later, Google confirmed both vulnerabilities were actively being attacked.

The U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) added these threats to its Known Exploited Vulnerabilities (KEV) list, requiring federal employees to update Chrome by September 16 (September 18 for the second issue) or stop using the browser altogether. While CISA’s deadlines are mandatory only for government workers, many organizations follow these guidelines. Simply put, there are two active vulnerabilities—update Chrome now if you haven't done so since early September.

CISA explains that its KEV catalog serves as a critical resource for managing vulnerabilities and should be used by organizations to prioritize their security efforts.

There have been two subsequent Chrome updates, on September 2 and 10, both of which addressed high-severity issues, though none have been confirmed as actively exploited. Ironically, one of these serious Chrome vulnerabilities was discovered and reported by Microsoft, which attributed the attack to North Korean crypto hackers. Microsoft also patched a Windows zero-day vulnerability exploited alongside the Chrome flaw.

Microsoft has urged users to switch to Edge, citing its SmartScreen feature that blocks malicious websites, including phishing sites and malware hosts. While it’s not necessary to switch browsers, Microsoft’s warning about phishing threats on Chrome is important. Google, for its part, is enhancing security by making its Safety Check feature more proactive, automatically running in the background, revoking permissions from unused sites, and flagging unwanted notifications.

Microsoft recently released a podcast through its Threat Intelligence team, highlighting the North Korean threat responsible for revealing the CVE-2024-7971 vulnerability and offering insight into recent attack chains targeting the Chromium engine.

Despite ongoing vulnerabilities, Chrome’s continuous improvements deserve credit. Recent efforts have helped close gaps that hackers have previously exploited. However, the battle isn’t over, as attackers will always look for new ways to breach security.

While Edge continues to slowly grow its user base, Chrome remains dominant in the market. According to Statcounter, Edge’s market share increased only marginally from 13.75% in July to 13.78% in August, though the year-on-year growth has been more significant, rising from 11.15% a year ago.

Updating Chrome to the latest version will protect against the two zero-day vulnerabilities and other issues resolved since. After downloading the update, make sure to restart your browser to ensure the fixes take effect. If you’ve switched to Edge, make sure to update that browser as well, since these threats impact both.

Sometimes, even after updating, new threats emerge. A recently reported attack on Chrome involves a devious “kiosk mode” tactic that can trick users into revealing their credentials. According to Bleeping Computer and OALABS Research, this method forces victims into entering their login details by locking the browser in full-screen mode, preventing them from closing or navigating away.

This attack, primarily designed to steal Google account credentials, uses StealC malware to exploit the credentials stored in Chrome’s database. Since typical hotkeys are disabled, users are left frustrated and might enter their credentials in an attempt to close the window. Researchers suggest using alternative key combinations like "Alt + F4," "Ctrl + Shift + Esc," or "Ctrl + Alt + Delete." If that fails, opening the Windows command prompt ("Win Key + R," then typing "cmd") and force-closing Chrome with the command 'taskkill /IM chrome.exe /F' might work. If all else fails, a hard reboot of the PC is recommended.

This incident highlights that even with timely updates, socially engineered attacks can still compromise your data. If you ever fall victim to such an attack, it’s important to run a full antivirus scan on your system before resuming normal use.
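
For defenders, the kiosk-mode lock described above can be hunted for in process-creation telemetry. The following is an added example, not code from the article or from the researchers it cites: it flags a browser started with Chrome's --kiosk switch by a parent process that is not a sanctioned kiosk launcher. The event records, the kiosk-shell.exe allowlist entry, the example.test URLs and the inclusion of msedge.exe are assumptions made for illustration.

```python
import ntpath
import shlex

BROWSERS = {"chrome.exe", "msedge.exe"}   # msedge.exe is an added assumption
ALLOWED_PARENTS = {"kiosk-shell.exe"}     # hypothetical sanctioned kiosk launcher
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# Constructed process-creation records (hosts, parents and URLs are made up).
EVENTS = [
    {"host": "pc-01", "image": CHROME, "parent": r"C:\Windows\explorer.exe",
     "cmdline": f'"{CHROME}" --profile-directory=Default'},
    {"host": "pc-02", "image": CHROME,
     "parent": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "cmdline": f'"{CHROME}" --kiosk https://login.example.test/'},
    {"host": "kiosk-07", "image": CHROME, "parent": r"C:\Kiosk\kiosk-shell.exe",
     "cmdline": f'"{CHROME}" --kiosk https://menu.example.test/'},
    {"host": "pc-03", "image": CHROME, "parent": r"C:\Windows\explorer.exe",
     "cmdline": f'"{CHROME}" --kiosk-printing'},
]


def has_kiosk_switch(cmdline):
    """True if --kiosk is its own argument (not a longer switch like --kiosk-printing)."""
    try:
        args = shlex.split(cmdline, posix=False)  # keeps Windows backslashes intact
    except ValueError:                            # unbalanced quotes in the log field
        args = cmdline.split()
    return any(a.strip('"').lower() == "--kiosk" for a in args[1:])


def detect_kiosk_launches(events):
    """Return (host, browser, parent) for kiosk launches from unexpected parents."""
    alerts = []
    for ev in events:
        image = ntpath.basename(ev["image"]).lower()
        parent = ntpath.basename(ev["parent"]).lower()
        if (image in BROWSERS and parent not in ALLOWED_PARENTS
                and has_kiosk_switch(ev["cmdline"])):
            alerts.append((ev["host"], image, parent))
    return alerts


if __name__ == "__main__":
    for alert in detect_kiosk_launches(EVENTS):
        print("kiosk-mode browser launch from unexpected parent:", alert)
```

Matching the switch as a whole argument keeps the unrelated --kiosk-printing option from raising alerts, and the parent allowlist keeps legitimate kiosk deployments quiet.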
