Thursday, September 19, 2024

Google Chrome Deadline—You Have 72 Hours To Update Your Browser


Updated on September 15 with the devious new Chrome “kiosk mode” attack.

It has been a busy few weeks for Chrome with plenty of news for its 3 billion users to digest. And so it would be all too easy to forget that a fast-approaching update deadline is now just 72 hours away. Google has confirmed that attackers have actively exploited two dangerous Chrome vulnerabilities, and users must not remain unprotected.

The first of those memory threats was made public in a Chrome update on August 21, with Google warning that CVE-2024-7971 was under active exploitation. The nasty surprise was that a second memory vulnerability fixed in that same update—CVE-2024-7965—was also under attack. Google confirmed as much a week later.


The U.S. government’s cybersecurity agency added both threats to its Known Exploited Vulnerabilities (KEV) catalog, mandating that all federal employees update Chrome by September 16 (and September 18 for the second fix) or stop using their browsers. And while CISA’s deadlines are only mandatory for government staff, many organizations follow its mandates. To put it more simply: there are two actively exploited vulnerabilities, so update Chrome now if you have not done so since early September.

As CISA explains, it “maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catalog as an input to their vulnerability management prioritization framework.”

There have been two desktop Chrome updates since then, on September 2 and 10 respectively, both of which addressed high-severity vulnerabilities, albeit none confirmed as yet to have been actively exploited in the wild.

Somewhat ironically, given its own procession of zero-days (including this week’s Patch Tuesday), one of the serious Chrome vulnerabilities was discovered and disclosed by Microsoft, which attributed the attack to North Korean crypto hackers chaining the Chrome vulnerability with an (also now patched) Windows zero-day.

Microsoft suggested this as a reason for users to switch from Chrome to Edge, advising organizations to “encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.”


While I wouldn’t advise that, Microsoft’s warning that Chrome phishing lures need to be stopped at source is critical. And Google is making its own moves to do just that. Google assured this week that its “revamped Safety Check feature will now run automatically in the background on Chrome, taking more proactive steps to keep you safe. It will also inform you of actions it takes, including revoking permissions from sites you don’t visit anymore, flagging potentially unwanted notifications and more.”

Microsoft has just released its latest Microsoft Threat Intelligence podcast, which delves into the nature of the North Korean threat that was behind its disclosure of CVE-2024-7971, shedding some light on the “surprising nature of recent attack chains involving vulnerability in the Chromium engine.”

Chrome comes in for a lot of flak—the downside of market domination—but deserves credit for its constant improvements; albeit you have to overlook the underlying advertising and cookie-driven data collection. This is making a difference, as one bemusing exchange on X this week illustrated. Google’s crackdown on infostealers exploiting Chrome weaknesses is starting to bolt the stable door. Albeit the exchange shows the other side clearly intends to find new ways through.

While the latest worldwide browser market share data shows Edge continuing to build its user base, it’s an exceptionally slow build; Statcounter reports a statistically irrelevant increase from 13.75% in July to 13.78% in August this year, albeit the year-on-year growth is more encouraging, with Edge up from 11.15% a year ago.

Updating Chrome to the latest release will address the two exploited zero-days as well as everything fixed since. As ever, check the update has downloaded and then restart your browser to ensure it installs. If you have made the switch to Edge, you need to do the very same—the actively exploited threats impact both browsers.

Sometimes the most dangerous threats hide in plain sight, and can hit even when you have done the right thing and updated. That’s certainly the case with a new warning for Chrome users: a devious new attack that relies on frustrating you into doing something you know you shouldn’t—which makes it worse.

As picked up by Bleeping Computer, this novel attack—first disclosed by OALABS Research—is “a new technique used by stealers to force victims into entering credentials into a browser, allowing them to be stolen from the browser’s credential store using traditional stealer malware.”


The researchers explain that this opens the door to StealC malware, with the campaign designed specifically to steal Google account credentials. The attack works by tricking the browser into what’s called “kiosk mode,” before “navigating to the login page of the targeted service, usually Google.” This kiosk mode is a full screen web view, and the attack prevents exiting or even moving away from the full-screen.

“This tactic annoys the victim into entering their credentials in an attempt to close the window. Once the credentials are entered, they are stored in the browser’s credential store on disk and can be stolen using stealer malware, which is deployed along with the credential flusher.”

As Bleeping Computer explains, because the usual keys have been disabled, “try other hotkey combos like ‘Alt + F4’, ‘Ctrl + Shift + Esc’, ‘Ctrl + Alt + Delete’, and ‘Alt + Tab.’” If that doesn’t return focus to your desktop, “Pressing ‘Win Key + R’ should open the Windows command prompt. Type ‘cmd’ and then kill Chrome with ‘taskkill /IM chrome.exe /F.’” Or, failing that, hard reboot your PC.
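For anyone who would rather check for this than fight a full-screen window, here is an added PowerShell example (not from the article, OALABS or Bleeping Computer) that lists Chromium-based browser processes launched in kiosk mode, along with the parent process that spawned them, and can end just those processes instead of every browser window. It assumes the “kiosk mode” described above corresponds to the Chromium `--kiosk` command-line switch; the browser process names are a constructed default list.

```powershell
# Added example: find (and optionally stop) browser processes running in kiosk mode.
# Assumption: kiosk mode is set via the Chromium --kiosk switch; process names are a
# constructed default covering Chrome and Edge, both mentioned in the article.
function Find-KioskBrowser {
    [CmdletBinding()]
    param(
        [string[]]$BrowserNames = @('chrome.exe', 'msedge.exe'),
        [switch]$Terminate
    )
    $procs = Get-CimInstance -ClassName Win32_Process |
        Where-Object { $BrowserNames -contains $_.Name }
    foreach ($p in $procs) {
        $cmd = [string]$p.CommandLine
        # Match --kiosk as a whole token (also covers the --kiosk=... form)
        if ($cmd -match '(^|\s)--kiosk(\s|=|$)') {
            # The parent is usually the launcher that forced kiosk mode; keep it for triage
            $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
            $result = [pscustomobject]@{
                ProcessId   = $p.ProcessId
                Name        = $p.Name
                ParentId    = $p.ParentProcessId
                ParentName  = if ($parent) { $parent.Name } else { '<exited>' }
                CommandLine = $cmd
            }
            if ($Terminate) {
                # Same effect as the article's "taskkill /IM chrome.exe /F", but limited to the
                # kiosk-mode process rather than every open browser window
                Stop-Process -Id $p.ProcessId -Force -ErrorAction SilentlyContinue
            }
            $result
        }
    }
}

# Usage: list kiosk-mode browser processes and their launchers
Find-KioskBrowser | Format-List
# Usage: also close them
# Find-KioskBrowser -Terminate
```

Run it from the command prompt reached via ‘Win Key + R’ as described above; the parent process name is the lead to hand to whoever investigates the machine afterwards.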

This just goes to show that you can do all the right things, including updating ASAP, and there’s still a socially engineered campaign coming for your data. If you do find yourself falling victim to this or anything similar, remember to run an up-to-date antivirus scan on your PC before you continue using it as normal.
