Saturday, November 2, 2024

Google Chrome 3-Week Update Deadline—New Warning To Change Your Browser


Updated September 3 with new Chrome fixes for high-severity vulnerabilities.

Chrome is under attack, with Google warning that two separate vulnerabilities are being actively exploited and the U.S. government ordering all federal employees to update their browsers within 21 days. Microsoft—which discovered and disclosed the first of these vulnerabilities—has just gone even further, recommending that users should be “encouraged” to quit Chrome and use a different browser instead.

First to those two active exploits and the ongoing attacks. Google issued a Chrome update on August 21, patching a raft of vulnerabilities and warning that CVE-2024-7971 was under active exploitation. Then on August 26, Google updated its advisory to warn that a second vulnerability—CVE-2024-7965—had also come under attack after the initial warning. CISA added the two threats to its Known Exploited Vulnerabilities (KEV) catalog, mandating Chrome updates by mid-September.


Microsoft’s security team discovered and disclosed the first of the two vulnerabilities, and has just issued a report warning that the known exploitation relates to cryptocurrency theft, attributing those attacks “with high confidence” to a North Korean threat actor.

According to Microsoft, the threat actor behind the CVE-2024-7971 attacks is Citrine Sleet, which “primarily targets financial institutions… and individuals managing cryptocurrency, for financial gain.” Microsoft warns that Citrine Sleet “creates fake websites masquerading as legitimate cryptocurrency trading platforms and uses them to distribute fake job applications or lure targets into downloading a weaponized cryptocurrency wallet or trading application based on legitimate applications.”

While Microsoft clearly recommends keeping Chrome, Edge and other Chromium browsers updated, it also says that protecting against such exploits “necessitates not only keeping systems up to date, but also security solutions that provide unified visibility across the cyberattack chain.” It advises “encourag[ing] users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.”

Microsoft is firmly of the view that Edge is more secure than Chrome, and is more likely to protect its enterprise and home users from malware. We know this because Microsoft has been repeatedly criticized for its controversial Edge ads targeting new Windows installs, which seemingly intensify when Chrome is the default browser.

While there is a case for Edge over Chrome with regards to malware protection, it feels somewhat askew for a Microsoft product that competes with Chrome to be recommended in a security advisory for a CVE disclosed by Microsoft, now riding a wave of Chrome-generated publicity. Chrome dominates the desktop browser market, with more than four times the number of Edge users worldwide.

What it does do is shift the narrative from the vulnerability—or more realistically, the chain of multiple vulnerabilities in an attack—to the initial phishing lure. Microsoft is saying it’s more likely to block the source. And while Google is pushing hard to make up ground with its own Safe Browsing, it has some catching up to do.

Where before, Safe Browsing “used a list stored on your device to check if a site or file was known to be potentially dangerous… updated every 30 to 60 minutes,” Google says it found “that the average malicious site actually exists for less than 10 minutes.” And so now it “will check sites against Google’s server-side list of known bad sites in real time… we expect to block 25% more phishing attempts.”

The active attacks steer victims to a malicious domain, which Microsoft details as “voyagorclub[.]space.” Once connected to the domain, “the zero-day RCE exploit for CVE-2024-7971 was served” and then “the FudModule rootkit downloaded.”

Microsoft explains that “this rootkit employs direct kernel object manipulation (DKOM) techniques to disrupt kernel security mechanisms, executes exclusively from user mode, and performs kernel tampering through a kernel read/write primitive.”

The attackers then exploited a Windows vulnerability patched during August’s Patch Tuesday. Microsoft believes that this exploitation does not suggest “any link between the reported CVE-2024-38106 exploit activity and this Citrine Sleet exploit activity, beyond exploiting the same vulnerability.”

As for Citrine Sleet specifically: the threat actor likely has links to North Korea’s nation-state cyber capabilities, which is unsurprising given the country’s focused efforts on crypto hacking. This should be viewed as a serious threat, and in a world where exploits are multi-purposed and swap hands, that threat can quickly expand beyond theft into ransomware or purer espionage.


Google has updated Chrome again since the zero-days were addressed and Microsoft’s report was issued. The September 2 update brings the stable desktop channel for Windows and Mac to 128.0.6613.119/.120. The update patches two high-severity vulnerabilities, both of which—again—are memory issues.

  1. CVE-2024-8362: a high-severity use-after-free vulnerability in WebAudio.
  2. CVE-2024-7970: a high-severity out-of-bounds write in V8.

No active exploitation warnings this time, although, given what we have seen recently, we can’t rule out that changing. These are the type of vulnerabilities that can lead to active exploitation, both with the potential for an attack to destabilize a system or execute rogue code. Successful attacks often leverage a chain of multiple weaknesses.
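As an added example (not from the article, Google or Microsoft), here is a check a defender might run over a fleet inventory to find hosts still below the September 2 stable build for Windows and Mac; the hostnames and version strings in the sample inventory are constructed for illustration.

```python
"""Flag Chrome installs below the September 2, 2024 stable release.

Google's advisory puts the patched Windows/Mac build at 128.0.6613.119/.120,
so anything at or above 128.0.6613.119 carries the CVE-2024-8362 and
CVE-2024-7970 fixes. Linux builds are not covered here because the article
does not give that version. Assumes you collect version strings from your
own inventory tooling and feed them to triage().
"""
import re
from typing import Dict, List, Tuple

# Lowest build carrying the September 2 fixes (Windows/Mac, per the article).
PATCHED_MIN = (128, 0, 6613, 119)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(s: str) -> Tuple[int, int, int, int]:
    """Parse a four-part Chrome version string into a comparable int tuple."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"not a Chrome version string: {s!r}")
    a, b, c, d = (int(p) for p in m.groups())
    return (a, b, c, d)


def is_patched(version: str, minimum: Tuple[int, int, int, int] = PATCHED_MIN) -> bool:
    """True when the installed build is at or above the patched release."""
    return parse_version(version) >= minimum


def triage(inventory: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Split {host: version} into (needs_update, current).

    A version that cannot be parsed is an inventory gap, so it is listed
    under needs_update rather than silently treated as safe.
    """
    outdated: List[str] = []
    current: List[str] = []
    for host, ver in inventory.items():
        try:
            (current if is_patched(ver) else outdated).append(host)
        except ValueError:
            outdated.append(host)
    return sorted(outdated), sorted(current)


# Constructed sample inventory; none of these hosts or values are real.
SAMPLE_INVENTORY = {
    "ws-01": "128.0.6613.119",  # patched (.119 build)
    "ws-02": "128.0.6613.120",  # patched (.120 build)
    "ws-03": "128.0.6613.84",   # constructed older 128 build, below the line
    "ws-04": "127.0.6533.120",  # constructed older major version
    "ws-05": "unknown",         # inventory gap, must be flagged
}

if __name__ == "__main__":
    needs_update, current = triage(SAMPLE_INVENTORY)
    print("needs update:", needs_update)
    print("current:", current)
```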

Despite Microsoft’s push for Windows users to switch from dominant Chrome to Edge, it is making little impact on the install base. Looking at the latest numbers, Neowin has just reported that “Google Chrome is still in its own unreachable realm, while all the other browsers share the rest of the market… All the way down at the sub-15% area sits Microsoft Edge, the world’s second most popular browser. It currently has 13.78%, which is just 0.03 points higher than the previous month.”

There are maybe some encouraging signs, though, with Edge’s “year-over-year growth in August 2024 more impressive at 2.63 points. (11.15% in August 2023).” But Google has remained ambivalent about Microsoft’s blatant push for users to ditch Chrome for Edge in the past, buoyed by the sheer resilience of Chrome’s install base. That said, Microsoft’s appeal to enterprise CISOs to focus on the browsers in use to better defend an enterprise network is indeed a more joined-up, “unified” approach.

Updating your system to this latest release clearly addresses the zero-days. Whether or not you decide to shift from Chrome to Edge, make sure you update: this latest threat impacts both browsers, and active attacks against unpatched systems continue.
