Multiple vulnerabilities in various technological developments were reported over the past few days. One of the reports that most caught the attention of the cybersecurity community this week concerns to the finding of a set of flaws in the Google Chrome browser; if exploited, these flaws would allow arbitrary code execution in the browser context, among other malicious tasks.
In addition, depending on the privileges associated with the application, threat actors might view, modify, and even delete user data. On the other hand, if the application was configured to have lower privileges on the system, exploiting vulnerabilities could have less impact on victims.
The security alert mentions that vulnerabilities could be exploited while users browse Chrome, or while being redirected to specially designed web pages. Below are the vulnerabilities found, alongside with their respective Common Vulnerability Scoring System (CVSS) keys.
- CVE-2020-6422: Use-after-free vulnerability in WebGL
- CVE-2020-6424: Use-after-free vulnerability in Media
- CVE-2020-6425: Insufficient policy enforcement in extensions
- CVE-2020-6426: Inappropriate implementation in V8
- CVE-2020-6427; CVE-2020-6428, CVE-2020-6429 and CVE-2020-6449: Use-after-free audio vulnerability
- CVE-2020-20503: Out-of-bounds reading in usersctplib
Successful exploit of the most critical security flaws could allow a remote threat actor to execute arbitrary code in the browser context, perform unauthorized actions, and even generate denial of service (DDoS) conditions.
Alternative solutions to mitigate the risk of exploitation are not known so far, so prominent members of the cybersecurity community have developed a list of security measures that can keep your Chrome deployment protected:
- Install the stable channel update, recently released by Google to fix this attack variant
- Run any application as a user without administrative privileges, which will reduce the impact in the event of exploitation
- Use website white lists to browse safely
- Apply the Minimum Privilege Principle to all systems and services used
Google states that, so far, there are no known cases of exploitation in the wild, although they strongly recommend that users follow security recommendations.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.