Threat intelligence researchers from Google on Wednesday shed more light on four in the wild zero-day flaws in Chrome, Safari, and Internet Explorer browsers that were exploited by malicious actors in different campaigns since the start of the year.
The four flaws were reported to Google privately, and the tech giant addressed them with the release of Chrome 32 and Safari 6.1.3 on Tuesday as part of its regularly scheduled updates. According to Google’s threat analysis team, there are no other reports of these vulnerabilities being exploited in the wild since they were fixed by their company, and that exploit code for each is now publicly available.
But Google decided to share more information on these zero-day issues with its partners in an effort to help them better “prevent exploitation. ”
One of the exploits was found in the wild last month and targeted Mac users using Flash. According to Google, the exploit works by luring users into opening a Flash file delivered via email or from a malicious website. These types of attacks have become increasingly rare over the years as more browsers have started blocking plugin-based content by default.
Google’s threat analysis team wouldn’t specify which other major browsers were attacked, but past reports on similar vulnerabilities suggest that Microsoft’s Internet Explorer and Microsoft Edge browsers, as well as Apple’s Safari could be among those affected.
The second vulnerability that Google shared information on Wednesday is an integer overflow bug that was exploited using maliciously crafted SVG files (scalable vector graphics) files. Google addressed this issue with the release of Chrome 32 on Tuesday, and said that there is no evidence indicating it was being actively exploited in the wild.
The other two in the wild zero-day vulnerabilities were both found in IE11 and are related to how IE handles objects in memory. Google said that one of these issues has been exploited very recently by a malicious actor to target Windows users. A proof-of-concept (PoC) exploit was found publicly and Google confirmed that it works. The tech giant also provided more information on mitigation options for this vulnerability, even though it did not provide any specific technical details on either vulnerability. Security firm FireEye has more details here.
“Chrome, and to some extent, Apple’s Safari and Microsoft’s Internet Explorer 11, makes it more difficult for attackers to exploit memory corruption vulnerabilities in applications that run in the browser,” said Kristian Enz of Google’s security team, via email. “We’re releasing this data today so that people can better understand what is going on with all of these issues and protect themselves.”
Google also released a technical whitepaper on the vulnerabilities Wednesday, which provides additional details on each. Google has updated its collective report on Chrome zero-day exploits to include the four new attacks.
Google said that it has seen a significant drop in the use of Flash exploits in recent years, and hopes to eventually “deprecate” support for plugins like Flash. The company is also working with its browser partners to eliminate the use of non-secure website connections.
Google released an update for Chrome yesterday with four security fixes, one of which is a critical flaw being actively exploited in the wild. The remaining ones are high severity bugs that were found internally and fixed before they could be publicly exploited.
At this point, Google has released several Chrome updates over the past month to patch multiple vulnerabilities in the browser, as well as in other software developed by Google. Every single one of them has been rated critical and it appears that the company is under a bit of attack right now. If you haven’t updated your Chrome installation recently, you should do so ASAP!
Interested in learning more about how to combat this malware, as well as others? Best Antivirus for Windows PC discusses the best antivirus for Windows PC’s in 2021.
If you would like liquidvideotechnologies.com to discuss developing your Home Security System, Networking, Access Control, Fire, IT consultant, or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.
Recent Comments