#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

Chrome | Breaking Cybersecurity News | The Hacker News

Update Chrome Now: Google Releases Patch for Actively Exploited Zero-Day Vulnerability

Update Chrome Now: Google Releases Patch for Actively Exploited Zero-Day Vulnerability

Sep 28, 2023 Zero Day / Vulnerability
Google on Wednesday rolled out fixes to address a new actively exploited zero-day in the Chrome browser. Tracked as  CVE-2023-5217 , the high-severity vulnerability has been described as a  heap-based buffer overflow  in the VP8 compression format in  libvpx , a free software  video codec  library from Google and the Alliance for Open Media (AOMedia). Exploitation of such buffer overflow flaws can result in program crashes or execution of arbitrary code, impacting its availability and integrity. Clément Lecigne of Google's Threat Analysis Group (TAG) has been credited with discovering and reporting the flaw on September 25, 2023, with fellow researcher Maddie Stone  noting  on X (formerly Twitter) that it has been abused by a commercial spyware vendor to target high-risk individuals. No additional details have been disclosed by the tech giant other than to acknowledge that it's "aware that an exploit for CVE-2023-5217 exists in the wild." The latest discovery b
Enhancing TLS Security: Google Adds Quantum-Resistant Encryption in Chrome 116

Enhancing TLS Security: Google Adds Quantum-Resistant Encryption in Chrome 116

Aug 11, 2023 Encryption / Browser Security
Google has announced plans to add support for quantum-resistant encryption algorithms in its Chrome browser, starting with version 116. "Chrome will begin supporting  X25519Kyber768  for establishing symmetric secrets in  TLS , starting in Chrome 116, and available behind a flag in Chrome 115," Devon O'Brien  said  in a post published Thursday. Kyber was  chosen  by the U.S. Department of Commerce's National Institute of Standards and Technology (NIST) as the candidate for general encryption in a bid to tackle future cyber attacks posed by the advent of quantum computing.  Kyber-768  is roughly the security equivalent of  AES-192 . The encryption algorithm has already been adopted by  Cloudflare ,  Amazon Web Services , and IBM. X25519Kyber768 is a hybrid algorithm that combines the output of  X25519 , an elliptic curve algorithm widely used for key agreement in TLS, and Kyber-768 to create a strong session key to encrypt TLS connections. "Hybrid mechanism
How to Find and Fix Risky Sharing in Google Drive

How to Find and Fix Risky Sharing in Google Drive

Mar 06, 2024Data Security / Cloud Security
Every Google Workspace administrator knows how quickly Google Drive becomes a messy sprawl of loosely shared confidential information. This isn't anyone's fault; it's inevitable as your productivity suite is purposefully designed to enable real-time collaboration – both internally and externally.  For Security & Risk Management teams, the untenable risk of any Google Drive footprint lies in the toxic combinations of sensitive data, excessive permissions, and improper sharing. However, it can be challenging to differentiate between typical business practices and potential risks without fully understanding the context and intent.  Material Security, a company renowned for its innovative method of protecting sensitive data within employee mailboxes, has recently launched  Data Protection for Google Drive  to safeguard the sprawl of confidential information scattered throughout Google Drive with a powerful discovery and remediation toolkit. How Material Security helps organ
Zero-Day Alert: Google Issues Patch for New Chrome Vulnerability - Update Now!

Zero-Day Alert: Google Issues Patch for New Chrome Vulnerability - Update Now!

Jun 06, 2023 Browser Security / Vulnerability
Google on Monday released security updates to patch a high-severity flaw in its Chrome web browser that it said is being actively exploited in the wild. Tracked as  CVE-2023-3079 , the vulnerability has been described as a type confusion bug in the V8 JavaScript engine. Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the issue on June 1, 2023. "Type confusion in V8 in Google Chrome prior to 114.0.5735.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page,"  according  to the NIST's National Vulnerability Database (NVD). The tech giant, as is typically the case, did not disclose details of the nature of the attacks, but  noted  it's "aware that an exploit for CVE-2023-3079 exists in the wild." With the latest development, Google has addressed a total of three actively exploited zero-days in Chrome since the start of the year - CVE-2023-2033  (CVSS score: 8.8) - Type Co
cyber security

Uncover Critical Gaps in 7 Core Areas of Your Cybersecurity Program

websiteArmor PointCyber Security / Assessment
Turn potential vulnerabilities into strengths. Start evaluating your defenses today. Download the Checklist.
Google Gets Court Order to Take Down CryptBot That Infected Over 670,000 Computers

Google Gets Court Order to Take Down CryptBot That Infected Over 670,000 Computers

Apr 27, 2023 Botnet / Cyber Crime
Google on Wednesday said it obtained a temporary court order in the U.S. to disrupt the distribution of a Windows-based information-stealing malware called  CryptBot  and "decelerate" its growth. The tech giant's Mike Trinh and Pierre-Marc Bureau  said  the efforts are part of steps it takes to "not only hold criminal operators of malware accountable, but also those who profit from its distribution." CryptBot is estimated to have infected over 670,000 computers in 2022 with the goal of stealing sensitive data such as authentication credentials, social media account logins, and cryptocurrency wallets from users of Google Chrome. The harvested data is then exfiltrated to the threat actors, who then sell the data to other attackers for use in data breach campaigns. CryptBot was  first discovered  in the wild in December 2019. The malware has been traditionally delivered via maliciously modified versions of legitimate and popular software packages such as Goog
Google Chrome Hit by Second Zero-Day Attack - Urgent Patch Update Released

Google Chrome Hit by Second Zero-Day Attack - Urgent Patch Update Released

Apr 19, 2023 Browser Security / Zero-Day
Google on Tuesday rolled out emergency fixes to address another actively exploited high-severity zero-day flaw in its Chrome web browser. The flaw, tracked as  CVE-2023-2136 , is  described  as a case of  integer overflow  in  Skia , an open source 2D graphics library. Clément Lecigne of Google's Threat Analysis Group (TAG) has been credited with discovering and reporting the flaw on April 12, 2023. "Integer overflow in Skia in Google Chrome prior to 112.0.5615.137 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page,"  according  to the NIST's National Vulnerability Database (NVD). The tech giant, which also fixed seven other security issues with the latest update, said it's aware of active exploitation of the flaw, but did not disclose additional details to prevent further abuse. The development marks the second Chrome zero-day vulnerability to be exploited by malicious actors th
Hackers Create Malicious Dota 2 Game Modes to Secretly Access Players' Systems

Hackers Create Malicious Dota 2 Game Modes to Secretly Access Players' Systems

Feb 13, 2023 Game Hacking / Cyber Threat
An unknown threat actor created malicious game modes for the Dota 2 multiplayer online battle arena (MOBA) video game that could have been exploited to establish backdoor access to players' systems. The modes exploited a  high-severity flaw  in the V8 JavaScript engine tracked as  CVE-2021-38003  (CVSS score: 8.8), which was  exploited as a zero-day  and addressed by Google in October 2021. "Since V8 was not sandboxed in Dota, the exploit on its own allowed for remote code execution against other Dota players," Avast researcher Jan Vojtěšek  said  in a report published last week. Following responsible disclosure to Valve, the game publisher  shipped fixes  on January 12, 2023, by upgrading the version of V8. Game modes are essentially  custom capabilities  that can either augment an existing title or offer completely new gameplay in a manner that deviates from the standard rules. While publishing a custom game mode to the Steam store includes a vetting process from
Google Rolling Out Passkey Passwordless Login Support to Android and Chrome

Google Rolling Out Passkey Passwordless Login Support to Android and Chrome

Oct 12, 2022
Google on Wednesday officially rolled out support for passkeys, the next-generation authentication standard, to both Android and Chrome. "Passkeys are a significantly safer replacement for passwords and other phishable authentication factors," the tech giant  said . "They cannot be reused, don't leak in server breaches, and protect users from phishing attacks." The feature was  first announced  in May 2022 as part of a broader push to support a common passwordless sign-in standard. Passkeys, established by the FIDO Alliance and also backed by  Apple and Microsoft , aim to replace standard passwords with unique digital keys that are stored locally on the device. To that end, creating a passkey requires confirmation from the end-user about the account that will be used to log in to the online service, followed by using their biometric information or the  device   passcode . Signing in to a website on a mobile device is also a simple two-step process that en
Experts Detail New RCE Vulnerability Affecting Google Chrome Dev Channel

Experts Detail New RCE Vulnerability Affecting Google Chrome Dev Channel

May 27, 2022
Details have emerged about a recently patched critical remote code execution vulnerability in the V8 JavaScript and WebAssembly engine used in Google Chrome and Chromium-based browsers. The issue relates to a case of use-after-free in the instruction optimization component, successful exploitation of which could "allow an attacker to execute arbitrary code in the context of the browser." The flaw, which  was identified  in the Dev channel version of Chrome 101, was reported to Google by Weibo Wang, a security researcher at Singapore cybersecurity company  Numen Cyber Technology  and has since been quietly fixed by the company. "This vulnerability occurs in the instruction selection stage, where the wrong instruction has been selected and resulting in memory access exception," Wang said . Use-after-free flaws  occur  when previous-freed memory is accessed, inducing undefined behavior and causing a program to crash, use corrupted data, or even achieve execution
Hackers Increasingly Using Browser Automation Frameworks for Malicious Activities

Hackers Increasingly Using Browser Automation Frameworks for Malicious Activities

May 26, 2022
Cybersecurity researchers are calling attention to a free-to-use browser automation framework that's being increasingly used by threat actors as part of their attack campaigns. "The framework contains numerous features which we assess may be utilized in the enablement of malicious activities," researchers from Team Cymru  said  in a new report published Wednesday. "The technical entry bar for the framework is purposefully kept low, which has served to create an active community of content developers and contributors, with actors in the underground economy advertising their time for the creation of bespoke tooling." The U.S. cybersecurity company said it observed command-and-control (C2) IP addresses associated with malware such as  Bumblebee ,  BlackGuard , and  RedLine Stealer  establishing connections to the downloads subdomain of Bablosoft ("downloads.bablosoft[.]com"), the maker of the Browser Automation Studio (BAS). Bablosoft was previously
Cytrox's Predator Spyware Targeted Android Users with Zero-Day Exploits

Cytrox's Predator Spyware Targeted Android Users with Zero-Day Exploits

May 20, 2022
Google's Threat Analysis Group (TAG) on Thursday pointed fingers at a North Macedonian spyware developer named Cytrox for developing exploits against five zero-day (aka 0-day) flaws, four in Chrome and one in Android, to target Android users. "The 0-day exploits were used alongside n-day exploits as the developers took advantage of the time difference between when some critical bugs were patched but not flagged as security issues and when these patches were fully deployed across the Android ecosystem," TAG researchers Clement Lecigne and Christian Resell  said . Cytrox is alleged to have packaged the exploits and sold them to different government-backed actors located in Egypt, Armenia, Greece, Madagascar, Côte d'Ivoire, Serbia, Spain, and Indonesia, who, in turn, weaponized the bugs in at least three different campaigns. The commercial surveillance company is the maker of  Predator , an implant  analogous  to that of NSO Group's  Pegasus , and is known to hav
Android and Chrome Users Can Soon Generate Virtual Credit Cards to Protect Real Ones

Android and Chrome Users Can Soon Generate Virtual Credit Cards to Protect Real Ones

May 12, 2022
Google on Wednesday took to its annual developer conference to announce a host of privacy and security updates, including support for virtual credit cards on Android and Chrome. "When you use autofill to enter your payment details at checkout, virtual cards will add an additional layer of security by replacing your actual card number with a distinct, virtual number," Google's Jen Fitzpatrick  said  in a statement. The goal, the search giant, said to keep payment information safe and secure during online shopping and protect users from  skimming attacks  wherein threat actors inject malicious JavaScript code to plunder credit card numbers and sell them on the black market. The feature is expected to roll out in the U.S. for Visa, American Express, Mastercard, and Capital One cards starting this summer. Interestingly, while Apple offers an option to mask email addresses via  Hide My Email , which enables users to create unique, random email addresses to use with apps
Google Releases Urgent Chrome Update to Patch Actively Exploited Zero-Day Flaw

Google Releases Urgent Chrome Update to Patch Actively Exploited Zero-Day Flaw

Apr 15, 2022
Google on Thursday shipped emergency patches to address two security issues in its Chrome web browser, one of which it says is being actively exploited in the wild. Tracked as  CVE-2022-1364 , the tech giant described the high-severity bug as a case of type confusion in the V8 JavaScript engine. Clément Lecigne of Google's Threat Analysis Group has been credited with reporting the flaw on April 13, 2022. As is typically the case with actively exploited zero-day flaws, the company acknowledged it's "aware that an exploit for CVE-2022-1364 exists in the wild." Additional details about the flaw and the identity of the threat actors have been withheld to prevent further abuse. With the latest fix, Google has patched a total of three zero-day vulnerabilities in Chrome since the start of the year. It's also the second type confusion-related bug in V8 to be squashed in less than a month - CVE-2022-0609  - Use-after-free in Animation CVE-2022-1096  - Type confusio
Google Issues Urgent Chrome Update to Patch Actively Exploited Zero-Day Vulnerability

Google Issues Urgent Chrome Update to Patch Actively Exploited Zero-Day Vulnerability

Mar 26, 2022
Google on Friday shipped an out-of-band security update to address a high severity vulnerability in its Chrome browser that it said is being actively exploited in the wild. Tracked as  CVE-2022-1096 , the zero-day flaw relates to a type confusion vulnerability in the V8 JavaScript engine. An anonymous researcher has been credited with reporting the bug on March 23, 2022. Type confusion errors, which arise when a resource (e.g., a variable or an object) is accessed using a type that's incompatible to what was originally initialized, could have serious consequences in languages that are not  memory safe  like C and C++, enabling a malicious actor to perform out-of-bounds memory access. "When a memory buffer is accessed using the wrong type, it could read or write memory out of the bounds of the buffer, if the allocated buffer is smaller than the type that the code is attempting to access, leading to a crash and possibly code execution," MITRE's Common Weakness Enum
Chaes Banking Trojan Hijacks Chrome Browser with Malicious Extensions

Chaes Banking Trojan Hijacks Chrome Browser with Malicious Extensions

Jan 27, 2022
A financially-motivated malware campaign has compromised over 800 WordPress websites to deliver a banking trojan dubbed Chaes targeting Brazilian customers of Banco do Brasil, Loja Integrada, Mercado Bitcoin, Mercado Livre, and Mercado Pago. First documented by  Cybereason  in November 2020, the info-stealing malware is delivered via a sophisticated infection chain that's engineered to harvest sensitive consumer information, including login credentials, credit card numbers, and other financial information. "Chaes is characterized by the multiple-stage delivery that utilizes scripting frameworks such as JScript, Python, and NodeJS, binaries written in Delphi, and malicious Google Chrome extensions," Avast researchers Anh Ho and Igor Morgenstern  said . "The ultimate goal of Chaes is to steal credentials stored in Chrome and intercept logins of popular banking websites in Brazil." The attack sequence is triggered when users visit one of the infected websites
Chrome Limits Websites' Direct Access to Private Networks for Security Reasons

Chrome Limits Websites' Direct Access to Private Networks for Security Reasons

Jan 17, 2022
Google Chrome has announced plans to prohibit public websites from directly accessing endpoints located within private networks as part of an upcoming major security shakeup to prevent intrusions via the browser. The proposed change is set to be rolled out in two phases consisting of releases Chrome 98 and Chrome 101 scheduled in the coming months via a newly implemented W3C specification called private network access ( PNA ). "Chrome will start sending a  CORS  preflight request ahead of any private network request for a subresource, which asks for explicit permission from the target server," Titouan Rigoudy and Eiji Kitamura  said . "This preflight request will carry a new header, Access-Control-Request-Private-Network: true, and the response to it must carry a corresponding header, Access-Control-Allow-Private-Network: true." What this means is that starting with Chrome version 101, any website accessible via the internet will be made to seek explicit permi
Google Releases New Chrome Update to Patch Dozens of New Browser Vulnerabilities

Google Releases New Chrome Update to Patch Dozens of New Browser Vulnerabilities

Jan 06, 2022
Google has rolled out the first round of updates to its Chrome web browser for 2022 to fix 37 security issues, one of which is rated Critical in severity and could be exploited to pass arbitrary code and gain control over a victim's system. Tracked as  CVE-2022-0096 , the flaw relates to a  use-after-free bug  in the Storage component, which could have devastating effects ranging from corruption of valid data to the execution of malicious code on a compromised machine. Security researcher Yangkang ( @dnpushme ) of Qihoo 360 ATA, who has previously disclosed  zero-day vulnerabilities  in Apple's WebKit, has been credited with discovering and reporting the flaw on November 30, 2021. It's also worth pointing out that 24 of the 37 uncovered flaws came from external researchers, including its Google Project Zero initiative, while the others were flagged as part of its ongoing internal security work. Of the 24 bugs, 10 are rated High, another 10 are rated Medium, and three
Windows 10, Linux, iOS, Chrome and Many Others at Hacked Tianfu Cup 2021

Windows 10, Linux, iOS, Chrome and Many Others at Hacked Tianfu Cup 2021

Oct 18, 2021
Windows 10, iOS 15, Google Chrome, Apple Safari, Microsoft Exchange Server, and Ubuntu 20 were successfully broken into using original, never-before-seen exploits at the Tianfu Cup 2021, the fourth edition of the international cybersecurity contest held in the city of Chengdu, China. Targets this year  included  Google Chrome running on Windows 10 21H1, Apple Safari running on Macbook Pro, Adobe PDF Reader, Docker CE, Ubuntu 20/CentOS 8, Microsoft Exchange Server 2019, Windows 10, VMware Workstation, VMware ESXi, Parallels Desktop, iPhone 13 Pro running iOS 15, domestic mobile phones running Android, QEMU VM, Synology DS220j DiskStation, and ASUS RT-AX56U router. The Chinese version of Pwn2Own was  started  in 2018 in the wake of government regulation in the country that barred security researchers from participating in international hacking competitions because of national security concerns. With the exception of Synology DS220j NAS, Xiaomi Mi 11 smartphone, and an unnamed Chine
Google to turn on 2-factor authentication by default for 150 million users

Google to turn on 2-factor authentication by default for 150 million users

Oct 06, 2021
Google has announced plans to automatically enroll about 150 million users into its two-factor authentication scheme by the end of the year as part of its ongoing efforts to prevent unauthorized access to accounts and improve security. In addition, the internet giant said it also intends to require 2 million YouTube creators to switch on the setting, which it calls two-step verification (2SV), to protect their channels from potential takeover attacks. "2SV is strongest when it combines both 'something you know' (like a password) and 'something you have' (like your phone or a security key)," Google's AbdelKarim Mardini and Guemmy Kim  said  in a post, adding "having a second form of authentication dramatically decreases an attacker's chance of gaining access to an account." The rollout follows the  company's proposals  to beef up account sign-ins earlier this May, when it said it intends to "automatically enrolling users in 2SV i
Update Your Chrome Browser to Patch 2 New In-the-Wild 0-Day Exploits

Update Your Chrome Browser to Patch 2 New In-the-Wild 0-Day Exploits

Apr 14, 2021
Google on Tuesday released a new version of Chrome web-browsing software for Windows, Mac, and Linux with patches for two newly discovered security vulnerabilities for both of which it says exploits exist in the wild, allowing attackers to engage in active exploitation. One of the two flaws concerns an insufficient validation of untrusted input in its V8 JavaScript rendering engine (CVE-2021-21220), which was demonstrated by Dataflow Security's Bruno Keith and Niklas Baumstark at the  Pwn2Own 2021  hacking contest last week. While Google moved to fix the flaw quickly, security researcher Rajvardhan Agarwal published a  working exploit  over the weekend by reverse-engineering the patch that the Chromium team pushed to the open-source component, a factor that may have played a crucial role in the release. UPDATE:   Agarwal, in an email to The Hacker News, confirmed that there's one more vulnerability affecting Chromium-based browsers that has been patched in the latest vers
New Chrome 0-day Bug Under Active Attacks – Update Your Browser ASAP!

New Chrome 0-day Bug Under Active Attacks – Update Your Browser ASAP!

Mar 03, 2021
Exactly a month after  patching  an actively exploited zero-day flaw in Chrome, Google today rolled out fixes for yet another zero-day vulnerability in the world's most popular web browser that it says is being abused in the wild. Chrome 89.0.4389.72, released by the search giant for Windows, Mac, and Linux on Tuesday, comes with a total of 47 security fixes, the most severe of which concerns an "object lifecycle issue in audio." Tracked as CVE-2021-21166, the security flaw is one of the two bugs reported last month by Alison Huffman of Microsoft Browser Vulnerability Research on February 11. A separate object lifecycle flaw, also identified in the audio component, was reported to Google on February 4, the same day the stable version of Chrome 88 became available. With no additional details, it's not immediately clear if the two security shortcomings are related. Google acknowledged that an exploit for the vulnerability exists in the wild but stopped short of s
Cybersecurity Resources