Google updates Chrome for 2 billion Windows users as dangerous hackers have been exposed

Google has released its latest Chrome update for 2B Microsoft Windows, fixing three high-severity vulnerabilities. As always, users are urged to update their browsers immediately. As for the timing, just as this latest update has affected users, so too have details of a dangerous exploit of a Chrome security threat that has tricked users into visiting a website with ‘a hidden script called’ a zero-day exploit launched and gave the attackers complete control. control over the victim’s PC.”

Windows users can now update their browser to 130.0.6723.69/.70, which should download automatically. Make sure to reboot twice and make sure the update is installed. While one of the three fixes affects extension usage, the other two are more typical memory risks with the underlying V8 engine that powers Chrome. All three fixes were disclosed by third-party security researchers.

ForbesApple confirms surprising decision for all iPhone users: bad news for GoogleBy means of Zak Duffman

This update comes as Kaspersky’s research team published details of a Chrome vulnerability that Google disclosed and fixed in May. That team has now “shared in detail the vulnerabilities exploited by the attackers and the game they used as bait (we had to develop our own server for this online game).”

The exploited zero-day is CVE-2024-4947, which I reported on at the time and which Google quickly warned “an exploit exists in the wild.” As with two of this week’s fixes, that threat was a “type confusion in V8.” The US government’s cybersecurity agency added CVE-2024-4947 to its Known Exploited Vulnerability catalog and ordered all federal employees to update their PCs. There’s no word yet on active exploits this time around, although that could change.

Kaspersky attributes these attacks to the APT group Lazarus, “a highly sophisticated and versatile Korean-speaking threat actor.” The backdoor attack used the group’s Manuscrypt tool: the malware that Lazarus “has been using since 2013,” Kaspersky says. “We have documented its use in more than 50 unique campaigns targeting governments, diplomatic entities, financial institutions, military and defense contractors, cryptocurrency platforms, IT and telecommunications operators, gaming companies, media outlets, casinos, universities, and even security researchers .”

The attack was picked up on the PC of a home user who had visited detankzone(.)com. “This website resembled a professionally designed product page for a decentralized finance (DeFi) NFT-based (non-fungible token) multiplayer online battle arena (MOBA) tank game, inviting users to download a trial version. But that was just a disguise.” The dangerous script was hidden behind the site. “Visiting the website was all it took to get infected – the game was just a distraction.”

Microsoft also published an advisory warning that a North Korean threat actor had exploited Chrome’s zero-day, but Kaspersky’s report delves into the details behind the attack, a pretty stark warning to users about how easily they can be compromised. after breadcrumbs left by attack sets as they browse the web.

So why such mainstream V8 vulnerabilities? Kaspersky explains that “the heart of every web browser is the JavaScript engine. Google Chrome’s JavaScript engine is called V8: Google’s own open-source JavaScript engine. For lower memory consumption and maximum speed, V8 uses a fairly complex JavaScript compilation pipeline, which currently consists of one interpreter and three JIT compilers.” CVE-2024-4947 was a vulnerability in a new optimized compiler within v8.

ForbesNew Google Play Store Warning: You should stop installing these appsBy means of Zak Duffman

For nearly all of those 2 billion Chrome users, the only two details that matter are how attackers trick their victims into visiting malicious sites, through social media posts and phishing emails, which generate visits to a website which was specifically set up to carry out the attack. In this case the game. This is why clicking on such links is so discouraged. Once the exploit is executed, an attacker will begin to retrieve your data. Starting with cookies and login details in Chrome, but possibly extended to your PC itself. That brings us to the second critical point: keep your browser up to date.

“Historically,” says Kaspersky, half of the bugs discovered or exploited in Google Chrome and other web browsers have affected their compilers. Massive changes to the web browser code base and the introduction of new JIT compilers inevitably lead to a large number of new vulnerabilities.” Chrome is working on its V8 sandbox to reduce such memory vulnerabilities, while Microsoft Edge’s approach doesn’t expose them in the same way. This is why Microsoft has pushed Edge as a more secure alternative to Chrome, using alerts exactly like this one.

The ironic twist here is that Kaspersky is reporting on a Google vulnerability just as the software is being removed from the Google Play Store following the US ban. After all, timing, as they say, is everything. Regardless, Kaspersky’s report exposes the danger of V8 memory vulnerabilities, with two more very serious threats now resolved. Users should ensure that they immediately update to the latest version of the browser.