Chrome users beware, attacks on Google’s browser are increasing rapidly and now multiple new hacks have been confirmed, reports Forbes.
Vulnerabilities
Google published the news in a new blog post, where it revealed an eye-popping 25 new vulnerabilities have been discovered in the last two weeks. It rates seven of these as ‘High’ level threats. Linux, macOS and Windows users are all affected and need to take immediate action.
Chrome has run into further trouble after numerous reports from users that the new version (96) breaks access to major sites like Instagram, Twitter, Discord and more. Users receive the message:
“Something went wrong. Try reloading.” When pages reload, they are often missing key elements like images, embedded videos and pages even render in the wrong color.
Google itself has acknowledged these issues, with Google product manager Craig Tumblison confirming: ”We’re continuing to see user reports about this behavior, including reports from our social team.”
Measures taken
Several workarounds have been attempted and disabling a new embedding feature introduced in Chrome 96 has improved things for some users, though not all. At this stage, it is unknown if Google can apply a fix remotely without having to release a new version of Chrome.
Either way, it leaves Chrome users in a difficult position with the choice of waiting and leaving known security vulnerabilities in the browser (details below) or updating and potentially breaking their browsing experience.
Google has now confirmed that disabling the new embedding feature will fix the issue for most users
About the new high level threats
As is standard practice, Google is currently restricting information about these hacks to buy time for Chrome users to upgrade. Consequently, looking at the new High level threats, we only have the following information to go on:
- High – CVE-2021-38007: Type Confusion in V8. Reported by Polaris Feng and SGFvamll at Singular Security Lab on 2021-09-29
- High – CVE-2021-38008: Use after free in media. Reported by Marcin Towalski of Cisco Talos on 2021-10-26
- High – CVE-2021-38009: Inappropriate implementation in cache. Reported by Luan Herrera (@lbherrera_) on 2021-10-16
- High – CVE-2021-38006: Use after free in storage foundation. Reported by Sergei Glazunov of Google Project Zero on 2021-08-17
- High – CVE-2021-38005: Use after free in loader. Reported by Sergei Glazunov of Google Project Zero on 2021-08-18
- High – CVE-2021-38010: Inappropriate implementation in service workers. Reported by Sergei Glazunov of Google Project Zero on 2021-10-28
- High – CVE-2021-38011: Use after free in storage foundation. Reported by Sergei Glazunov of Google Project Zero on 2021-11-09
These hacks follow a familiar pattern, with ‘Use-After-Free’ exploits once more making up the majority of attacks. Successful UAF exploits topped 10x in both September and October and have been the cause of several ‘zero-day’ hacks as well.
UAF vulnerabilities are memory exploits created when a program fails to clear the pointer to the memory after it is freed.
What You Need To Do
In response to these new threats, Google has released a major new update for Chrome, version 96.0.4664.45. Be warned, Google states that “this will roll out over the coming days/weeks” which means you may not be able to protect yourself immediately.
To check if you are protected, navigate to Settings > Help > About Google Chrome. If your Chrome browser is listed as 96.0.4664.45 or higher, you are safe. If the update is not yet available for your browser, make sure you check regularly for the new version.
After updating, you must restart your browser to be protected. This step is often overlooked. It is to Google’s credit that fixes for high level attacks are consistently released within days of their discovery, but they are only effective if billions of users subsequently restart their browsers.
For anyone hesitant to update, the carrot is Chrome 96 also adds “back forward cache” which accelerates page loading times by storing a version of your most recently visited page(s) in memory.
The stick is Google confirmed in July that there had already been more successful browser hacks by mid-2021 than in the whole of 2020.
Did you subscribe to our daily Newsletter?
It’s Free! Click here to Subscribe
Source: Forbes