Most users are running outdated versions of Chrome that contain a recent zero-day vulnerability disclosure.
According to the information security company Menlo Security, although two-thirds of their customers use the latest version of Google Chrome (.86), 83% of all users of this browser work with outdated versions with unpatched zero-day vulnerabilities recently disclosed by Google. In this regard, we should expect an increase in the number of attacks exploiting these vulnerabilities, said Vinay Pidathala, director of security research at Menlo Security.
“There is no doubt that there are more attacks ahead of the Chrome browser that exploit these zero-day vulnerabilities. While attackers used to hunt Internet Explorer and Microsoft operating systems, they will now continue to target Chrome as it has become the most popular browser. We believe that they will continue to carry out targeted attacks to steal intellectual property or financial gain, ”Pidathala said.
These are five cybercriminal exploited zero-day vulnerabilities that Google has patched over the past few months:
CVE-2020-16009 and CVE-2020-16013 provide an attacker with browser access. Vulnerabilities allow malicious JavaScript code to bypass the sandbox created during launch, allowing an attacker to execute native code within the rendering process;
The exploitation of CVE-2020-15999 is based on the use of fonts on the sites visited by the victim. The component for processing downloaded fonts provides the attacker with access to the victim’s browser;
CVE-2020-16017 allows an attacker to take control of the browser and then gain access to files on the victim’s device;
CVE-2020-16010 allows an attacker to take control of the browser on an Android device and gain access to the files stored on it.
The question is, why do organizations often work with outdated browser versions? The point is that it is not always easy for security teams to deploy updates. A successful update relies on users restarting the browser, and many users do not waste time restarting. In addition, many businesses have legacy applications that only work with older browser versions.