Earlier this week Google released an update for the Chrome web browser and urged users to install it immediately. That was because the Threat Analysis Group at Google had uncovered a critical zero-day vulnerability that was already being exploited in the wild. Now a Google security engineer, Clement Lecigne, has warned that another zero-day vulnerability that is also being exploited, impacting Windows 7 users, was being used together with the Chrome exploit to take over Windows systems. Google is now urging all Windows 7 users to upgrade to Windows 10, as well as make sure their Chrome browser is up to date, to escape the attention of the combined threat.
The Windows zero-day is a local privilege escalation in the win32k.sys kernel driver that can be used to escape the security sandbox. The vulnerability can be used to elevate system privileges by an attacker who might then be able to execute remote malicious code. “The vulnerability is a NULL pointer dereference in win32k!MNGetpItemFromIndex when NtUserMNDragOver() system call is called under specific circumstances,” Clement Lecigne said, adding “we strongly believe this vulnerability may only be exploitable on Windows 7 due to recent exploit mitigations added in newer versions of Windows. To date, we have only observed active exploitation against Windows 7 32-bit systems.”
The Google Threat Analysis Group disclosed the zero-day to Microsoft, which has said it is working on a fix but, as of yet, there is no indication of how long this might take. For now, the vulnerability remains critical and unpatched. For this reason, Google is advising that users of Windows 7 upgrade to Windows 10 and apply patches from Microsoft as soon as they become available. “Not all vulnerabilities are created equal, and many, if considered on their own, are not cause for undue concern,” says Jim O’Gorman, president of Offensive Security, who continues “if they were flagged by the organization’s security solution, they likely would not have been prioritized in patching. It’s when a group of seemingly minor flaws are chained together that they can be used to devastating effect.”
Google Chrome’s security lead and engineering director, Justin Schuh, has warned that users of the most popular web browser should update “like right this minute.” Why the urgency? Simply put, there is a zero-day vulnerability for Chrome that the Google Threat Analysis Group has determined is being actively exploited in the wild. What does that all mean? Well, a vulnerability is just a bug or flaw in the code and while they all need to be fixed, not all of them either can be or are being exploited. A zero-day vulnerability is one that threat actors have managed to create an exploit for, a way of doing bad things to your device or data before the good guys even knew the vulnerability existed. In other words, they have zero days in which to issue a fix. The bad news for users of Google Chrome is that this particular zero-day vulnerability, CVE-2019-5786, is already being exploited by the bad guys. Which is why it’s so important to make sure your browser has been updated to the latest patched version that fixes the vulnerability.
The problem explained
Although information regarding CVE-2019-5786 remains scarce currently, Satnam Narang, a senior research engineer at Tenable, says it is a “Use-After-Free (UAF) vulnerability in FileReader, an application programming interface (API) included in browsers to allow web applications to read the contents of files stored on a user’s computer.” Some further digging by Catalin Cimpanu over at ZDNet suggests that there are malicious PDF files in the wild that are being used to exploit this vulnerability. “The PDF documents would contact a remote domain with information on the users’ device – such as IP address, OS version, Chrome version, and the path of the PDF file on the user’s computer,” Cimpanu says. These could just be used for tracking purposes, but there is also the potential for more malicious behavior. The ‘use-after-free’ vulnerability is a memory corruption flaw that carries the risk of escalated privileges on a machine where a threat actor has modified data in memory through exploiting it. That’s why Google has issued the urgent update warning, as the potential is there for exploits to be crafted that could enable an attacker to remotely run arbitrary code (a remote code execution attack) whilst escaping the browser’s built-in sandbox protection.
What to do next
Luckily this is an easy problem to fix, just make sure you do it as soon as you’ve finished reading this! First, head over to the drop-down menu in Chrome (you’ll find it at the far right of the toolbar – click on the three stacked dots) and select Help|About Google Chrome. You could also type chrome://settings/help in the address bar if you prefer, which takes you to the same dialog box. This will tell you if you have the current version running or if there is an update available. To be safe from this zero-day exploit, make sure that it says you are running version 72.0.3626.121 (Official Build). If not, then Chrome should go and fetch the latest version and update your browser for you automatically.
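An added example, not part of the original article: a fleet-wide version of the two checks above, flagging hosts whose Chrome is older than 72.0.3626.121 and hosts still on Windows 7, which remain exposed to the unpatched win32k.sys flaw. The CSV layout, hostnames and sample versions are constructed for illustration.

```python
import csv
import io

# Fixed Chrome build named in the article for CVE-2019-5786.
PATCHED_CHROME = (72, 0, 3626, 121)

# Constructed sample inventory (hostnames and versions are made up).
# ws-001 shows why versions must be compared numerically: as strings,
# "72.0.3626.99" sorts after "72.0.3626.121" and would look patched.
SAMPLE_INVENTORY = """host,os,chrome_version
ws-001,Windows 7,72.0.3626.99
ws-002,Windows 7,72.0.3626.121
ws-003,Windows 10,71.0.3578.98
ws-004,Windows 10,72.0.3626.121
ws-005,Windows 7,not-installed
"""


def parse_version(text):
    """Turn '72.0.3626.121' into (72, 0, 3626, 121); None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def triage(inventory_csv):
    """Return {host: [findings]} for hosts that need action."""
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        issues = []
        version = parse_version(row["chrome_version"])
        if version is None:
            issues.append("chrome version unknown, verify manually")
        elif version < PATCHED_CHROME:
            issues.append("chrome below 72.0.3626.121, update now")
        # The win32k.sys flaw was unpatched at the time of writing and
        # only seen exploited on Windows 7, so flag the OS regardless.
        if row["os"].strip().lower().startswith("windows 7"):
            issues.append("windows 7: exposed to unpatched win32k.sys flaw")
        if issues:
            findings[row["host"]] = issues
    return findings


if __name__ == "__main__":
    for host, issues in triage(SAMPLE_INVENTORY).items():
        print(host, "->", "; ".join(issues))
```

A fully patched Chrome on Windows 7 is still reported, because the browser update alone does not remove the kernel half of the chain.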
Travis Biehn, technical strategist and research lead at Synopsys, said “Google Chrome is some of the most robustly engineered C and C++ code on the planet, the security teams working on Chrome are world-class. Despite Google’s security program, and despite their active collaboration with leading security researchers through generous bug bounty programs, it still suffers from memory corruption attacks related to the use of C and C++. Luckily for the public, Chrome ships with an effective mechanism for update and patching – one that can get a critical fix out to end users in real time.”
Normally updates happen in the background when you close and reopen your computer’s browser. But if you haven’t closed your browser in a while, you might see a pending update:
1. On your computer, open Chrome.
2. At the top right, look at More.
3. If an update is pending, the icon will be colored:
   - Green: An update’s been available for 2 days.
   - Orange: An update’s been available for 4 days.
   - Red: An update’s been available for 7 days.
To update Google Chrome:
1. On your computer, open Chrome.
2. At the top right, click More.
3. Click Update Google Chrome. If you don’t see this button, you’re on the latest version.
The browser saves your opened tabs and windows and reopens them automatically when it restarts. If you’d prefer not to restart right away, click Not now. The next time you restart your browser, the update will be applied.
With more than 64% of the global market as of last month, Google’s Chrome browser is the most popular desktop web browser by a massive margin. The next closest is Microsoft’s Internet Explorer, and its global market share totalled less than 11% in December 2018. Chrome is the browser of choice for so many reasons, not the least of which are things like simplicity and speed. When it comes to speed though, things aren’t always straightforward. Chrome is typically lightning fast when loading webpages, but your browser speed can really take a hit when there are tons of tabs open. I know I pretty much always have tons of tabs open.
Here’s the explanation and download link:
How it works
Whenever you find yourself with too many tabs, click the OneTab icon to convert all of your tabs into a list. When you need to access the tabs again, you can either restore them individually or all at once.
When your tabs are in the OneTab list, you will save up to 95% of memory because you will have reduced the number of tabs open in Google Chrome.
Privacy assurance
We take your privacy seriously. Your tab URLs are never transmitted or disclosed to either the OneTab developers or any other party, and icons for tab URL domains are generated by Google. The only exception to this is if you intentionally click on our ‘share as a web page’ feature that allows you to upload your list of tabs into a web page in order to share them with others. Tabs are never shared unless you specifically use the ‘share as a web page’ button.
How do you make money?
OneTab is free of charge and is not designed to make money. It was created because we badly *needed* it for our own use, and we wanted to share it with the world.
Additional Benefits
Depending on how many scripts are running inside your tabs, moving them to OneTab can also speed up your computer by reducing the CPU load. We have also had reports that this also contributes to your computer resuming from sleep more quickly.
More Features
OneTab lets you easily export and import your tabs as a list of URLs. You can also create a web page from your list of tabs, so that you can easily share your tabs with other people, other computers, or with your smartphone or tablet.
You can drag and drop tabs in your OneTab list to reorder them. You can also hold down the Ctrl or Cmd key while restoring tabs and they will remain in your OneTab list (meaning you can use OneTab as a way of quickly launching a set of commonly used tabs). OneTab supports retina displays. Note that OneTab is designed to leave in place any ‘pinned’ tabs you have.
You will not lose your list of tabs if you accidentally close the OneTab window, if your browser crashes, or if you restart your computer.
2018 Update: We’ve been working like crazy to make OneTab much much better – including implementing lots of your feature suggestions. We’re full time on it now and have great momentum. Thank you for all of your thoughtful feedback, please keep it coming.
It’s been in the works for nearly a year and Google’s great ad-pocalypse is now upon us. On Thursday, the Chrome browser will begin to automatically filter out ads that don’t meet certain quality standards. Your browsing experience is about to change a little bit. Here’s what you need to know.
In April of last year, the news first broke that Google planned to integrate some form of ad-blocking into its browser that would be on by default. Since then we’ve seen a gradual rollout of the feature, beginning with the ability to mute autoplay videos with sound on the sites of your choosing. Now, Google is going all-in with a set of criteria for what ads will be kosher in Chrome.
Along with its fellow ad giant Facebook, Google is a member of the Coalition for Better Ads, an industry group that has performed research on what forms of web advertising annoy people the most. It’s created a list of the 12 types of web experiences that should ideally be avoided by advertisers. Now Google is going to enforce that list with Chrome, which is used by over half of all people accessing the web with a browser.
On Wednesday, the company published a blog post detailing how the system will work. Initially, Google will take a sample of various pages on a specific domain and analyze whether that page is serving any of the offending ad categories. It’ll be given a score of “Passing, Warning, or Failing.” Sites that don’t manage to get a passing grade will be notified by Google and they can review an ad experience report for details on what needs to change. If a site ignores multiple warnings, its ads will be blocked by default after 30 days.
If a user visits a site that’s being filtered by Chrome, they’ll see a message in the address bar that gives them the option to still allow ads—on mobile, users will see a pop-up at the bottom of the screen that will give them the same option. Yes, pop-up ads are blocked, and Google will be informing you with a pop-up notification.
There’s plenty of reason to celebrate this change. The internet is getting harder to navigate, and more annoying with advertisers demanding more obtrusive experiences every day. Google claims that since it kicked off this initiative, “42% of sites which were failing the Better Ads Standards have resolved their issues and are now passing.” So it seems that a lot of site owners got the message before it could even become a problem.
There’s also cause to be skeptical of Google’s altruistic goals. Sure, it’s telling advertisers not to be evil, but it’s also hoping that a better experience will mean fewer people feel the urge to download a third-party ad blocker. That’s good for the internet, which is largely funded by ads. But it’s particularly good for Google, which controls around 42 percent of the US digital ad market and 75.8 percent of the search ad market, according to research from eMarketer. It wouldn’t be so great if Google, with all its power, decided to follow in the footsteps of services like Adblock Plus, which offers companies the opportunity to pay their way onto an acceptable ads list. Representatives for Google have assured us on multiple occasions that the company isn’t offering any kind of paid whitelisting now, and isn’t planning to do so. But things could change.
For now, enjoy the better web before Google fully consumes it all and does whatever it wants.