Earlier this week Google released an update for the Chrome web browser that it urged users to ensure was implemented immediately. That was because the Threat Analysis Group at Google had uncovered a critical zero-day vulnerability that was already being exploited in the wild. Now a Google security engineer, Clement Lecigne, has warned that another zero-day vulnerability that is also being exploited, impacting Windows 7 users, was being used together with the Chrome exploit to take over Windows systems. Google is now urging all Windows 7 users to upgrade to Windows 10, as well as make sure their Chrome browser is up to date, to escape the attention of the combined threat.
The Windows zero-day is a local privilege escalation in the win32k.sys kernel driver that allows it to escape the security sandbox. The vulnerability can be used to elevate system privileges by an attacker who might then be able to execute remote malicious code. “The vulnerability is a NULL pointer dereference in win32k!MNGetpItemFromIndex when NtUserMNDragOver() system call is called under specific circumstances” Clement Lecigne said, adding “we strongly believe this vulnerability may only be exploitable on Windows 7 due to recent exploit mitigations added in newer versions of Windows. To date, we have only observed active exploitation against Windows 7 32-bit systems.”
The Google Threat Analysis Group disclosed the zero-day to Microsoft who have said they are working on a fix but, as of yet, there is no indication of how long this might take. Currently, the status of this vulnerability has to remain as a critical and unpatched one. For this reason, Google is advising users of Windows 7 should upgrade to Windows 10 and apply patches from Microsoft as soon as they become available. “Not all vulnerabilities are created equal, and many, if considered on their own, are not cause for undue concern,” says Jim O’Gorman, president of Offensive Security, who continues “if they were flagged by the organization’s security solution, they likely would not have been prioritized in patching. It’s when a group of seemingly minor flaws are chained together that they can be used to devastating effect.”
I report and analyse breaking cybersecurity and privacy storiesGoogle Chrome’s security lead and engineering director, Justin Schuh, has warned that users of the most popular web browser should update “like right this minute.” Why the urgency? Simply put, there is a zero-day vulnerability for Chrome that the Google Threat Analysis Group has determined is being actively exploited in the wild. What does that all mean? Well, a vulnerability is just a bug or flaw in the code and while they all need to be fixed, not all of them either can be or are being exploited. A zero-day vulnerability is one that threat actors have managed to create an exploit for, a way of doing bad things to your device or data before the good guys even knew the vulnerability existed. In other words, they have zero days in which to issue a fix. The bad news for users of Google Chrome is that this particular zero-day vulnerability, CVE-2019-5786, is already being exploited by the bad guys. Which is why it’s so important to make sure your browser has been updated to the latest patched version that fixes the vulnerability.
The problem explained
Although information regarding CVE-2019-5786 remains scarce currently, Satnam Narang, a senior research engineer at Tenable, says it is a “Use-After-Free (UAF) vulnerability in FileReader, an application programming interface (API) included in browsers to allow web applications to read the contents of files stored on a user’s computer.” Some further digging by Catalin Cimpanu over at ZDNet suggests that there are malicious PDF files in the wild that are being used to exploit this vulnerability. “The PDF documents would contact a remote domain with information on the users’ device –such as IP address, OS version, Chrome version, and the path of the PDF file on the user’s computer,” Cimpanu says. These could just be used for tracking purposes, but there is also the potential for more malicious behavior. The ‘use-after-free’ vulnerability is a memory corruption flaw that carries the risk of escalated privileges on a machine where a threat actor has modified data in memory through exploiting it. That’s why Google has issued the urgent update warning, as the potential is there for exploits to be crafted that could enable an attacker to remotely run arbitrary code (a remote code execution attack) whilst escaping the browser’s built-in sandbox protection.
What to do next
Luckily this is an easy problem to fix, just make sure you do it as soon as you’ve finished reading this! First, head over to the drop-down menu in Chrome (you’ll find it at the far right of the toolbar – click on the three stacked dots) and select Help|About Google Chrome. You could also type chrome://settings/help in the address bar if you prefer, which takes you to the same dialog box. This will tell you if you have the current version running or if there is an update available. To be safe from this zero-day exploit, make sure that it says you are running version 72.0.3626.121 (Official Build). If not, then Chrome should go and fetch the latest version and update your browser for you automatically.
Travis Biehn, technical strategist and research lead at Synopsys, said “Google Chrome is some of the most robustly engineered C and C++ code on the planet, the security teams working on Chrome are world-class. Despite Google’s security program, and despite their active collaboration with leading security researchers through generous bug bounty programs, it still suffers from memory corruption attacks related to the use of C and C++. Luckily for the public, Chrome ships with an effective mechanism for update and patching – one that can get a critical fix out to end users in real time.”
Normally updates happen in the background when you close and reopen your computer’s browser. But if you haven’t closed your browser in a while, you might see a pending update:
On your computer, open Chrome.
At the top right, look at More .
If an update is pending, the icon will be colored:
Green: An update’s been available for 2 days.
Orange: An update’s been available for 4 days.
Red: An update’s been available for 7 days.
To update Google Chrome:
On your computer, open Chrome.
At the top right, click More .
Click Update Google Chrome. If you don’t see this button, you’re on the latest version.
The browser saves your opened tabs and windows and reopens them automatically when it restarts. If you’d prefer not to restart right away, click Not now. The next time you restart your browser, the update will be applied.
With more than 64% of the global market as of last month, Google’s Chrome browser is by far the most popular desktop web browser by a massive margin. The next closest is Microsoft’s Internet Explorer, and its global market share totalled less than 11% in December 2018. Chrome is the browser of choice for so many reasons, not the least of which are things like simplicity and speed. When it comes to speed though, things aren’t always straightforward. Chrome is typically lightning fast when loading webpages, but your browser speed can really take a hit when there are tons of tabs open. I know I pretty much always have tons of tabs open.
Here’s the explanation and download link:
How it works Whenever you find yourself with too many tabs, click the OneTab icon to convert all of your tabs into a list. When you need to access the tabs again, you can either restore them individually or all at once.
When your tabs are in the OneTab list, you will save up to 95% of memory because you will have reduced the number of tabs open in Google Chrome.
Privacy assurance We take your privacy seriously. Your tab URLs are never transmitted or disclosed to either the OneTab developers or any other party, and icons for tab URL domains are generated by Google. The only exception to this is if you intentionally click on our ‘share as a web page’ feature that allows you to upload your list of tabs into a web page in order to share them with others. Tabs are never shared unless you specifically use the ‘share as a web page’ button.
How do you make money? OneTab is free of charge and is not designed to make money. It was created because we badly *needed* it for our own use, and we wanted to share it with the world.
Additional Benefits Depending on how many scripts are running inside your tabs, moving them to OneTab can also speed up your computer by reducing the CPU load. We have also had reports that this also contributes to your computer resuming from sleep more quickly.
More Features OneTab lets you easily export and import your tabs as a list of URLs. You can also create a web page from your list of tabs, so that you can easily share your tabs with other people, other computers, or with your smartphone or tablet.
You can drag and drop tabs in your OneTab list to reorder them. You can also hold down the Ctrl or Cmd key while restoring tabs and they will remain in your OneTab list (meaning you can use OneTab as a way of quickly launching a set of commonly used tabs). OneTab supports retina displays. Note that OneTab is designed to leave in place any ‘pinned’ tabs you have.
You will not lose your list of tabs if you accidentally close the OneTab window, if your browser crashes, or if restart your computer.
2018 Update: We’ve been working like crazy to make OneTab much much better – including implementing lots of your feature suggestions. We’re full time on it now and have great momentum. Thank you for all of your thoughtful feedback, please keep it coming.
As quickly as one technology trend arrives, there is another one right behind it, so it is getting increasingly difficult to keep up with all this digital innovation that is readily available at our fingertips.
In the last twenty years, we have gone from the very early stages of mobile phone usage to a world where we can do our grocery shopping with a few clicks on a smartphone. The capabilities of the Internet seem endless and the stats show us just how much impact the Internet has had over the last few years.
This infographic reveals some very interesting digital information that might surprise you. For example, did you know that across the world there are over 4 billion Internet users? A massive 2 billion of that population is located in Asia and there are now 3.2 billion social media users (as of Jan 1st, 2018).
It is hard to imagine a world without the Internet now that it has become so integral to our daily routines. Social media is not just a way for people to connect with friends; it is also a strong business marketing channel with 90% of businesses now actively using social media.
Watching videos on YouTube has become a regular hobby for all generations and particularly the younger generations. There are now more than 1.5 billion YouTube users worldwide and anyone can quickly record a video using their smartphone or create their own tutorial on a webcam.
52.2% of website traffic is now via mobile phones and we have seen changes in website development to reflect this by making websites more mobile friendly. In 2018 over a billion voice search queries per month were recorded and this is a trend that is expected to continue through 2019.