Update Google Chrome now, U.S. federal agency says.
The Cybersecurity and Infrastructure Security Agency (CISA) has advised users to update Google Chrome after new high-rated security vulnerabilities were found. Here’s what you need to know.
CISA, a standalone federal agency under the U.S. Department of Homeland Security (DHS) oversight, is responsible for protecting “the Nation’s critical infrastructure from physical and cyber threats.” In an April 1 posting, CISA confirmed that Google Chrome version 80.0.3987.162 “addresses vulnerabilities that an attacker could exploit to take control of an affected system,” be that Windows, Mac or Linux. It went on to state that it “encourages” users and administrators to apply the update.
Center for Internet Security also issues Google Chrome update advisory
It’s not just CISA that is warning about the need to update Google Chrome. The Center for Internet Security (CIS) is a non-profit entity that works to safeguard both private and public organizations against cyber threats. In a Multi-State Information Sharing and Analysis Center (MS-ISAC) advisory, it has also warned of multiple vulnerabilities in Google Chrome. The most severe of these could allow an attacker to achieve arbitrary code execution within the context of the browser. What does that actually mean? It depends on the privileges that have been granted to the application. Still, in a worst-case scenario, the attacker would be able to view, change or delete data.
Are these vulnerabilities being exploited right now?
Although there were, at the time of writing, no reports of these vulnerabilities being exploited in the wild by threat actors, that does not reduce the potential impact on users who do not apply the security update as soon as possible. All it would take for an attacker to exploit the vulnerabilities is to get the user to visit a maliciously crafted web page, whether by way of a phishing attack or by redirection from a compromised site.
What is known about these high-rated security vulnerabilities in Google Chrome?
As is often the case, precise detail of the vulnerabilities is not being disclosed at this stage so as to allow the update to roll out to as many users as possible first. However, what is known is that there are three high-rated vulnerabilities discovered by external researchers that have been allocated Common Vulnerabilities and Exposures (CVE) identification numbers CVE-2020-6450, CVE-2020-6451 and CVE-2020-6452.
CVE-2020-6450 is described as being a use-after-free vulnerability in WebAudio, reported by Man Yue Mo of the Semmle Security Research Team on March 17.
CVE-2020-6451 is another use-after-free vulnerability in WebAudio, also reported by Man Yue Mo but five days earlier.
CVE-2020-6452 was reported, according to the Google Chrome update release blog, by a user just known as ‘asnine’ on March 9. This one is a heap-buffer overflow in the media component.
A further five security vulnerabilities were discovered by the Google internal security team using a combination of internal audits and fuzzing. Fuzz testing is an automated method that prods code with unexpected inputs in order to reveal potential leaks or crashes that could be exploited by a threat actor. The precise nature of these vulnerabilities has not been disclosed by Google at this point.
Update your Google Chrome browser now to protect against these vulnerabilities
Google has said that the Chrome update will roll out over the coming days and weeks, but you really shouldn’t wait for your browser to update automatically.
You can check to see what version you currently have by going to Help|About Google Chrome, which revealed that my copy had not been updated this morning, for example. The good news is that checking to see what version you have will also prompt an update to the latest version. You will need to relaunch the browser once the update has been installed and will then be protected against all of the vulnerabilities as mentioned earlier.
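For administrators who need to confirm the build on more than one machine, here is an added example (not part of the article) that compares a reported Chrome version string against the patched 80.0.3987.162 build named in the CISA posting. The `google-chrome --version` invocation is an assumption for Linux Chrome/Chromium installs, and the sample version strings are constructed for illustration.

```python
import re
import subprocess
from typing import Optional, Tuple

# Fixed build named in the CISA advisory the article describes.
PATCHED_VERSION = "80.0.3987.162"


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Pull a dotted version out of text such as 'Google Chrome 80.0.3987.149'.

    Returns a tuple of ints so that builds compare numerically, not as
    strings: as strings, '80.0.3987.99' would wrongly sort above
    '80.0.3987.162' because '9' > '1'.
    """
    m = re.search(r"(\d+(?:\.\d+){1,3})", text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(reported: str, patched: str = PATCHED_VERSION) -> bool:
    """True if the reported build is at or above the patched build."""
    found = parse_version(reported)
    want = parse_version(patched)
    if found is None or want is None:
        return False  # unparseable output is unverified, never "safe"
    # Pad the shorter tuple with zeros so a bare '81.0' still compares sanely.
    width = max(len(found), len(want))
    found += (0,) * (width - len(found))
    want += (0,) * (width - len(want))
    return found >= want


def installed_chrome_version(binary: str = "google-chrome") -> Optional[str]:
    """Ask the local binary for its version line (assumed Linux-style install).

    Returns None when the binary is absent or does not answer, so the caller
    can record 'unknown' rather than silently treating the host as patched.
    """
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    reported = installed_chrome_version()
    print(reported, "-> patched" if reported and is_patched(reported) else "-> NOT verified")
```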