Google warns 2 billion Windows users: update Chrome now as dangerous hackers are exposed

Google has issued its latest Chrome update warning for 2 billion Microsoft Windows, with three high-severity vulnerabilities fixed. As always, users are urged to update their browsers immediately. As for the timing, just as this latest update has affected users, so have the details of a dangerous exploit of a Chrome security threat that tricked users into visiting a website with “a hidden script that ” launched a zero-day exploit and provided attackers with complete information. control over the victim’s PC.”

Those attacks exploited the same type of vulnerability fixed in this latest version. Windows users can now update their browsers to 130.0.6723.69/.70which should download automatically. Just be sure to reboot twice to ensure the update is installed. While one of the three fixes affects the use of extensions, the other two are “type confusion” memory threats for the V8 engine that powers Chrome.

ForbesApple discovers a new ‘innovative’ iPhone update: how will Samsung react?By Zak Doffman

This update comes as Kaspersky The research team has published details of a Chrome vulnerability that Google disclosed and fixed in May. That team has now shared “in great detail the vulnerabilities exploited by the attackers and the game they used as bait (we had to develop our own server for this online game).”

The exploited zero-day is CVE-2024-4947, which reported at the time and so Google quickly warned that “an exploit exists in the wild.” That threat was also a “type confusion in V8.” The US government’s cybersecurity agency added CVE-2024-4947 to its catalog of known exploited vulnerabilities and ordered all federal employees to update their PCs. There is no word yet on new exploits, although that could change; Once again, the type of vulnerabilities this time are more or less the same.

Kaspersky attributes the attacks to the APT Lazarus group, “a highly sophisticated and multifaceted Korean-speaking threat actor.” The backdoor attack took advantage of the group’s Manuscrypt tool — malware that Lazarus “has been employing since at least 2013,” Kaspersky says. “We have documented its use in more than 50 unique campaigns targeting governments, diplomatic entities, financial institutions, military and defense contractors, cryptocurrency platforms, telecom and IT operators, gaming companies, media, casinos, universities and even security researchers”.

The attack was detected on the PC of a home user, who had visited detankzone(.)com. “This website resembled a professionally designed product page for a decentralized finance (DeFi) NFT (non-fungible token)-based multiplayer online battlefield (MOBA) tank game, which invited users to download a trial version. But that was just a disguise.” The dangerous script was hidden behind the site. “Visiting the website was all it took to get infected; the game was just a distraction.”

Microsoft also posted a warning that a North Korean threat actor had exploited Chrome’s zero-day, but Kaspersky’s report goes deeper into the details behind the attack, a pretty stark warning to users about how easily they can be compromised. , following the breadcrumbs left by sets of attacks while browsing the web.

So what are these common V8 vulnerabilities due to? Kaspersky explains that “the heart of every web browser is its JavaScript engine. Google Chrome’s JavaScript engine is called V8, Google’s own open source JavaScript engine. For lower memory consumption and maximum speed, V8 uses a fairly complex JavaScript compilation process, currently consisting of an interpreter and three JIT compilers.” CVE-2024-4947 was a vulnerability in a new, optimized compiler within v8.

ForbesApple confirms a surprising decision for all iPhone users: bad news for GoogleBy Zak Doffman

For almost all of those 2 billion Chrome users, the only two details that matter are how attackers lure victims to visit malicious sites, through social media posts and phishing emails, driving visits to a website specifically configured to execute the attack. In this case the game. This is why it is not recommended to click on such links. Once the exploit is executed, an attacker begins exfiltrating your data. Starting with cookies and credentials within Chrome, but potentially expanding to your PC. Which brings us to the second critical point: keep your browser updated.

“Historically,” Kaspersky says, half of the bugs discovered or exploited in Google Chrome and other web browsers have affected their compilers. “Major changes to the web browser codebase and the introduction of new JIT compilers inevitably lead to a large number of new vulnerabilities.” Chrome is working on its V8 sandbox to reduce such memory vulnerabilities, while Microsoft Edge’s approach does not leave it exposed in the same way. That’s why Microsoft has been promoting Edge as a more secure alternative to Chrome, taking advantage of warnings exactly like this..

The ironic twist here is that Kaspersky reports a Google vulnerability just as its software does. removed from the Google Play Store after its ban in the United States. Timing, as they say, is everything after all. Regardless, Kaspersky’s report exposes the danger of V8 memory vulnerabilities, and two more high-severity threats have already been fixed. Users should make sure to update to the latest version of the browser immediately.