Chrome users have faced three security vulnerabilities in the past 24 hours | GeekComparison

Users of Google’s Chrome browser have faced three security problems in the past 24 hours: a malicious extension with more than 2 million users, a just-fixed zero-day, and new information about how malware can abuse Chrome’s sync feature to bypass firewalls. Let’s discuss them one by one.

First, the Great Suspender, an extension with more than 2 million downloads from the Chrome Web Store, has been taken off Google’s servers and removed from users’ computers. The extension was an almost essential tool for users with small amounts of RAM on their devices. Since Chrome tabs are known to consume large amounts of memory, the Great Suspender temporarily suspends tabs that have not been opened recently. This allows Chrome to run smoothly on systems with modest resources.

Characteristically succinct

Google’s official reason for the removal is typically brief. Messages displayed on devices with the extension installed only say “This extension contains malware” along with an indication that it has been removed. A Google spokesperson declined to comment.

The longer backstory is that, as reported in a GitHub thread in November, the original extension developer sold it last June and it started showing signs of malice under the new ownership. In particular, the thread said, a new version contained malicious code that tracked users and manipulated web requests.

The automatic removal has let some users down as they no longer have easy access to suspended tabs. Users in this Reddit thread have come up with several ways to restore their tabs.

Very serious zero-day

Then, on Thursday, Google released a Chrome update that fixes what the company said was a zero-day vulnerability in the browser. Tracked as CVE-2021-21148, the vulnerability stems from a buffer overflow flaw in V8, Google’s open source JavaScript engine. Google rated the severity as ‘high’.

Again, Google provided minimal information about the vulnerability, saying only that the company is “aware of reports that an exploit for CVE-2021-21148 exists in the wild.”

However, in a post published Friday by security firm Tenable, researchers noted that the flaw was reported to Google on January 24, a day before Google’s threat analysis group released a bombshell report that nation-state-sponsored hackers were using a malicious website to infect security researchers with malware. Microsoft has released its own report speculating that the attack took advantage of a Chrome zero-day.

Google has declined to comment on that speculation or provide further details about exploits of CVE-2021-21148.

Sync abuse

Finally, a security researcher reported Thursday that hackers were using malware that abused the Chrome sync feature to bypass firewalls so that the malware could connect to command and control servers. Sync allows users to share bookmarks, browser tabs, extensions, and passwords across devices running Chrome.

The attackers used a malicious extension that was not available in the Chrome Web Store. The link above provides a wealth of technical details.

A Google spokesperson said developers will not change the sync feature because physically local attacks (i.e., attacks where an attacker can access the computer) are explicitly outside of Chrome’s threat model. He added this link, which further explains the reasoning.

None of these concerns is a reason to ditch Chrome or even the sync feature. Still, it’s a good idea to check the installed version of Chrome to make sure it’s the latest, 88.0.4324.150.

The usual advice about browser extensions also applies: install them only if they are really useful, and only after checking user comments for security concerns. That advice wouldn’t have saved Great Suspender users, though, which is exactly the problem with extensions.
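As an added example (not from the original article or from Google), the following Python applies the two checks above: it compares a reported Chrome version with 88.0.4324.150, and it flags extensions that were not installed from the Chrome Web Store or that request web-request or all-site access. The `extensions.settings`, `from_webstore` and `manifest.permissions` field names are assumed to mirror the layout of Chrome's profile Preferences file; the sample data, extension IDs and the list of broad permissions are constructed for illustration.

```python
import re

FIXED = (88, 0, 4324, 150)  # patched release named in the article
BROAD = {"webRequest", "webRequestBlocking", "<all_urls>"}  # illustrative choice

def parse_version(text):
    """Pull a four-part version out of text such as `google-chrome --version` output."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in m.groups())

def is_patched(text):
    """True when the reported version is at least the fixed release."""
    return parse_version(text) >= FIXED

def audit_extensions(prefs):
    """Return (id, name, reasons) for each extension worth a manual review."""
    findings = []
    # Assumed layout: {"extensions": {"settings": {<id>: {...}}}}
    settings = prefs.get("extensions", {}).get("settings", {})
    for ext_id, info in sorted(settings.items()):
        manifest = info.get("manifest", {})
        # Some manifests list permission objects as well as strings; keep the strings.
        perms = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
        reasons = []
        if not info.get("from_webstore", False):
            reasons.append("not installed from the Chrome Web Store")
        broad = sorted(p for p in perms if p in BROAD or "://*/" in p)
        if broad:
            reasons.append("broad permissions: " + ", ".join(broad))
        if reasons:
            findings.append((ext_id, manifest.get("name", "unknown"), reasons))
    return findings

# Constructed sample: IDs, names and values are made up for this example.
SAMPLE_PREFS = {"extensions": {"settings": {
    "a" * 32: {"from_webstore": True,
               "manifest": {"name": "Notes", "permissions": ["storage"]}},
    "b" * 32: {"from_webstore": False,
               "manifest": {"name": "Sideloaded helper", "permissions": ["storage"]}},
    "c" * 32: {"from_webstore": True,
               "manifest": {"name": "Tab tool",
                            "permissions": ["webRequest", "<all_urls>", "tabs"]}},
}}}

if __name__ == "__main__":
    print("patched:", is_patched("Google Chrome 88.0.4324.146"))
    for ext_id, name, reasons in audit_extensions(SAMPLE_PREFS):
        print(ext_id, name, "; ".join(reasons))
```

A flagged extension is a prompt for manual review, not proof of malice: the Great Suspender was distributed through the Web Store, so the provenance check alone would not have caught it.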
