Google issues yet another Chrome security warning – is it safe for business use?

Confirming multiple new high-level hacks, Google has issued its third warning this month to all 2.65 billion Chrome users.
22 October 2021

Why have Google been issuing so many Chrome security warnings recently? Source: AFP

  • Google again reveals the latest security threats rated ‘High’ in its Chrome web browser — with vulnerabilities affecting users across all major operating systems
  • Experts reckon that it’s far too easy for hackers to keep exploiting insidious zero-days, as firms are not doing a good job of permanently shutting down flaws and loopholes

Chrome security has been compromised for the third time this month, and all 2.65 billion users were told to be on high alert after Google confirmed multiple new high-level hacks of the browser. The alert came on the heels of Chrome’s 12th and 13th recorded ‘zero day’ exploits of the year.

To top it off, four other serious vulnerabilities were reported less than two weeks ago. The most recent disclosure, per Google’s latest blog post, involved five vulnerabilities rated ‘High’, alongside 11 other flaws. The search engine behemoth’s standard practice in such scenarios is to restrict information about new hacks, buying time for Chrome users to upgrade.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed,” is the company’s default stance each time there is a hack.

Hackers are infiltrating Google Chrome too often

The saga of never-ending zero-day hacks is emblematic of a much bigger problem in cybersecurity, according to research from Maddie Stone, a security researcher at Google. “It’s far too easy for hackers to keep exploiting insidious zero-days because companies are not doing a good job of permanently shutting down flaws and loopholes,” she said.

Stone is also a part of Project Zero, a Google security team. In her research, she spotlights multiple examples of this in action, including problems that Google itself has had with its uber-popular Chrome web browser.

She reckons that across the industry, “Incomplete patches are making it easier for attackers to exploit users with zero-days. We’re not requiring attackers to come up with all new bug classes, develop brand new exploitation, look at code that has never been researched before. We’re allowing the reuse of lots of different vulnerabilities that we previously knew about.”

Over Project Zero’s six-year lifespan, the team has publicly tracked over 150 major zero-day bugs. In 2020 alone, Stone’s team documented 24 zero-days (cyber vulnerabilities that were previously undocumented, and therefore unlikely to have a specific patch) that were being exploited—a quarter of which were extremely similar to previously disclosed vulnerabilities.

Three were incompletely patched, which meant that it took just a few tweaks to the hacker’s code for the attack to continue working. Many such attacks, she says, involve basic mistakes and “low hanging fruit.”

Generally, attacks on Chrome have been particularly prevalent in recent months, and according to Forbes, most notably from a group of hackers calling themselves PuzzleMaker. “The group has been successful in chaining together Chrome zero-day bugs to install malware on Windows systems. Microsoft itself issued an urgent security warning for Windows users about this in June,” the writer said.

How to maintain the security of your Chrome browser?

Google released a critical Chrome update, version 95.0.4638.54, to combat these threats. To check whether they are protected, users need to look up the version of their Chrome browser: if it matches this version number or is higher, they are safe.

However, Google stated that the rollout of 95.0.4638.54 will be staggered, so enterprises with large numbers of devices may not be able to protect themselves immediately. Hence, if the update is not yet available, users need to regularly check for the newest version. Once updated, restarting the browser is a crucial step to get everything up to date and cyber-protected. For now.
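
For an enterprise working through a staggered rollout, the version check described above can be run over a device inventory. The following is an added example, not code from Google or from this article; the hostnames and the inventory format are constructed for illustration, and only the minimum version 95.0.4638.54 comes from the text. It compares the four version fields as numbers, because a plain string comparison would rank a future "100.x" release below "95.x".

```python
# Added example: flag devices whose Chrome build is older than the fixed release.
MIN_PATCHED = "95.0.4638.54"  # version named in the article

# Constructed sample inventory (hostname, reported Chrome version); not real data.
SAMPLE_INVENTORY = [
    ("fin-laptop-01", "95.0.4638.54"),
    ("fin-laptop-02", "94.0.4606.81"),
    ("dev-ws-07", "95.0.4638.69"),
    ("kiosk-03", "100.0.4896.60"),  # a string comparison would rank this below 95
    ("hr-laptop-11", "95.0.4638"),  # truncated report
    ("lab-vm-02", "unknown"),       # agent could not read the version
]


def parse_version(text):
    """Return a 4-tuple of ints for 'MAJOR.MINOR.BUILD.PATCH', or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_patched(version, minimum=MIN_PATCHED):
    """True or False for a valid version, None when the version cannot be parsed."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    return parsed >= parse_version(minimum)


def audit(inventory, minimum=MIN_PATCHED):
    """Sort hosts into patched / outdated / unknown buckets."""
    report = {"patched": [], "outdated": [], "unknown": []}
    for host, version in inventory:
        status = is_patched(version, minimum)
        key = "unknown" if status is None else ("patched" if status else "outdated")
        report[key].append(host)
    return report


if __name__ == "__main__":
    for bucket, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" bucket have not been verified as updated and should be followed up alongside the outdated ones.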