URGENT: Update Chrome NOW!

Feb 27, 2011
14,774
76,351
UK
Funster No
15,452
MH
Self Build
Exp
Since 2005
There is not much detail because any discussion of the detail would give too much information to bad actors. This usually indicates that it is trivial to exploit and serious in nature.
UPDATE NOW!!

Latest Version is: 112.0.5615.121

 
Jan 26, 2017
3,487
11,795
Mid Suffolk.
Funster No
47,068
MH
Autosleeper Inca
Exp
Eight Years and 28,000 Miles.
Nothing on the Google Chrome page in the play store.

That's where updates are usually shown.
 

kevenh

Free Member
Jun 1, 2019
3,319
11,801
Thatcham
Funster No
61,329
MH
Compass C-Class
Exp
I'm a Progressing Newbie
Nothing on the Google Chrome page in the play store.

That's where updates are usually shown.
Start Chrome, go to "Help" {via Phill D 's "the 3 dots to right top corner" :LOL:} then choose "About Google Chrome"
Updates auto install from there (y)

edit: How "About Chrome" looks after the patch: -
1681574690599.png
 

kevenh

From Grom's linked article: -
Users are recommended to upgrade to version 112.0.5615.121 for Windows, macOS, and Linux to mitigate potential threats. Users of Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.
 
OP
Gromett
My phone had an update, my Linux desktop also required one.

I will check my windows install next time I boot it.


 

Coolcats

LIFE MEMBER
Jan 24, 2019
5,960
9,996
Funster No
58,207
MH
HymerCar Ayres Rock
Check all your software and update regularly, or if you're someone who forgets, set it to auto update; that way it’s not an issue :cool:(y)
 
  • Like
Reactions: GJH

kevenh

My Edge had a patch available now
1681575143819.png

but maybe one is inbound asap from this MS update today {Last updated April 15, 2023}:
Microsoft is aware of the recent exploits existing in the wild. We are actively working on releasing a security fix.
 
Jul 13, 2008
3,742
3,919
Funster No
3,275
MH
Low profile
Exp
Since 2007
My phone had an update, my Linux desktop also required one.

I will check my windows install next time I boot it.
My phone did have an update, but not to the latest version.
Screenshot_20230415-174143_Chrome.jpg
 

GJH

LIFE MEMBER
Aug 20, 2007
29,450
38,827
Acklam, Teesside, originally Glossop
Funster No
127
MH
None, now sold
Exp
2006 to 2022
Check all your software and update regularly, or if you're someone who forgets, set it to auto update; that way it’s not an issue :cool:(y)
Exactly. Get into the habit of at least being notified of update availability (and act on it) plus put in place an adequate backup regime for your usage and most (at least) problems can be avoided.
 
OP
Gromett
Seeing some discussion that this is a live exploit and some of the big boys are taking it extremely seriously.

By which I mean, think of a big company, they have many staff with laptops and desktops. IT depts being called in to force updates and track systems that are not reachable to force it. Sounding serious?

But these are just rumours nothing confirmed. But it is not often it gets blown up like this.
 

Coolcats

Seeing some discussion that this is a live exploit and some of the big boys are taking it extremely seriously.

By which I mean, think of a big company, they have many staff with laptops and desktops. IT depts being called in to force updates and track systems that are not reachable to force it. Sounding serious?

But these are just rumours nothing confirmed. But it is not often it gets blown up like this.
A large organisation will have automated systems to do the update, if they treat security seriously which many do, the endpoints can only connect to the internet via a VPN via the organisation's intranet which means when the remote device connects a forced update happens, it’s all automated which means there is not a need for large IT departments as the management and security systems do all the work.

Corporate Management and security software is big business and means much smaller IT departments, one person can install the security update which will update all corporate endpoints when they connect and that can be 10s of thousands of PCs as an example.
 
OP
Gromett
A large organisation will have automated systems to do the update, if they treat security seriously which many do, the endpoints can only connect to the internet via a VPN via the organisation's intranet which means when the remote device connects a forced update happens, it’s all automated which means there is not a need for large IT departments as the management and security systems do all the work.

Corporate Management and security software is big business and means much smaller IT departments, one person can install the security update which will update all corporate endpoints when they connect and that can be 10s of thousands of PCs as an example.
Not debating this with you. I deal with this stuff for a living. I have contact with large corporates who have called in their IT staff. And yes I am fully aware of how the Windows systems operate on this front. You appear to have some knowledge in this area so understand that BYOD creates issues and with contractors coming and going, internal staff with fully registered systems are not the only concern.


 

Coolcats

Not debating this with you. I deal with this stuff for a living. I have contact with large corporates who have called in their IT staff. And yes I am fully aware of how the Windows systems operate on this front. You appear to have some knowledge in this area so understand that BYOD creates issues and with contractors coming and going, internal staff with fully registered systems are not the only concern.
If a corporate takes security seriously then BYOD may not be able to connect to core systems, they may be able to pick up emails or have a secure app, but unlike a corporate provided device they will not have full system access. So for example a BYOD may have access to say a pricing or product tool through a managed app but may not have browser access to the intranet via a browser, in which case the corporate may not care about the BYOD browser as it’s only the app that has connectivity and isolated as such.

SAP and Cisco Meraki are examples of companies that provide security products for BYOD

Yes there are people here who do have IT experience within the corporate world.
 
OP
Gromett
If a corporate takes security seriously then BYOD may not be able to connect to core systems, they may be able to pick up emails or have a secure app, but unlike a corporate provided device they will not have full system access. So for example a BYOD may have access to say a pricing or product tool through a managed app but may not have browser access to the intranet via a browser, in which case the corporate may not care about the BYOD browser as it’s only the app that has connectivity and isolated as such.

SAP and Cisco Meraki are examples of companies that provide security products for BYOD

Yes there are people here who do have IT experience within the corporate world.
I am not debating this with you. I am telling you IT depts have been called in. If you choose not to believe me then that is up to you.

As for BYOD not being an issue. BYOD devices may not be forced to do policy based updates so they can/do have old versions of Chrome running. They probably will be in the firewall DMZ and restricted from sensitive apps or other internal systems. BUT they will still have access to corporate emails for example and will then be in a position for spear phishing or intelligence gathering if compromised.

This is my last post on the subject. If you don't believe me or disagree that is your prerogative.
 

Chris

LIFE MEMBER
May 5, 2010
21,057
279,492
Funster No
11,412
MH
None
Exp
10 years
I was contacted yesterday by our head of IT and told to change my password. Don’t know if that was connected to all this but they don’t usually work on a Saturday.
 

Coolcats

I am not debating this with you. I am telling you IT depts have been called in. If you choose not to believe me then that is up to you.

As for BYOD not being an issue. BYOD devices may not be forced to do policy based updates so they can/do have old versions of Chrome running. They probably will be in the firewall DMZ and restricted from sensitive apps or other internal systems. BUT they will still have access to corporate emails for example and will then be in a position for spear phishing or intelligence gathering if compromised.

This is my last post on the subject. If you don't believe me or disagree that is your prerogative.
It's an interesting topic Gromett, I suspect if IT departments have been called in it won't be just for a Chrome update, there will be other security issues going on, we have seen Virgin, Vodafone networks being disrupted along with WD shutting access for days. It would be a bit lame for IT departments to be called in just for a browser upgrade as they will have device management and security policies in place, which include forced browser / software upgrades security patches and forced password resets (password resets should be forced every x period anyway). I suspect it's more of an overall review of the organisation's security, given the Russian situation cyber attack from multiple perspectives is probably more on their minds.

You highlight BYOD which is a challenge for any organisation, but again policies can (and do need to) be in place, rather than me blathering on there is as you know a plethora of info out there on how to keep organisations safe with management and security tools.

Screenshot 2023-04-16 at 07.57.51.png

The Ultimate Guide to BYOD Security: Definition & More


So yes it is interesting to discuss but understand if you want to shut the discussion down that's fine by me.


 
  • Like
Reactions: GJH
OP
Gromett
So yes it is interesting to discuss but understand if you want to shut the discussion down that's fine by me.
I am not wanting to shut it down. I have told you IT depts have been called in due to this. I have this from a trusted source. If you don't want to believe me that is fine.
But there is nothing to discuss as far as I am concerned. I will leave you to it.
 

Coolcats

I have told you IT depts have been called in due to this.
Thanks for the telling Gromett, in my mind I very much doubt it’s just for a browser upgrade the teams would be in every time there was a browser security issue which in many ways is not unusual, I suspect it’s a broader security review which may be linked to Chrome and other concerns 👍
 
OP
Gromett
Thanks for the telling Gromett, in my mind I very much doubt it’s just for a browser upgrade the teams would be in every time there was a browser security issue which in many ways is not unusual, I suspect it’s a broader security review which may be linked to Chrome and other concerns 👍
You can suspect all you want. I have it from the horse's mouth that they have been called in specifically because of this.

Those not of a technical type may find this interesting.

Attack details not yet disclosed

The high-severity zero-day vulnerability (CVE-2023-2033) is due to a high-severity type confusion weakness in the Chrome V8 JavaScript engine.

The bug was reported by Clement Lecigne of Google's Threat Analysis Group (TAG), whose primary goal is to defend Google customers from state-sponsored attacks.

Google TAG frequently discovers and reports zero-day bugs exploited in highly-targeted attacks by government-sponsored threat actors aiming to install spyware on devices of high-risk individuals, including journalists, opposition politicians, and dissidents worldwide.

Although type confusion flaws would generally allow attackers to trigger browser crashes after successful exploitation by reading or writing memory out of buffer bounds, threat actors can also exploit them for arbitrary code execution on compromised devices.

While Google said it knows of CVE-2023-2033 zero-day exploits used in attacks, the company has yet to share further information regarding these incidents.

"Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google said.

"We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed."

This will allow Google Chrome users to upgrade their browsers and block attack attempts until technical details are released, allowing more threat actors to develop their own exploits.
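
The fleet check discussed in this thread, as an added example that is not part of any post: it triages a browser inventory against the fixed desktop Chrome build 112.0.5615.121 quoted above, comparing version parts numerically and separating Chromium-based browsers and devices with no version data (such as unmanaged BYOD) from the confirmed cases. The inventory rows, hostnames, field names and status labels are constructed for illustration.

```python
# Added example: triage a browser inventory against the fixed Chrome build
# quoted in the thread. Inventory rows and field names are constructed.
FIXED_CHROME = "112.0.5615.121"  # fixed desktop version quoted in the thread
CHROMIUM_BASED = {"edge", "brave", "opera", "vivaldi"}  # named in the quoted article

def parse_version(text):
    """Turn '112.0.5615.49' into (112, 0, 5615, 49); None if unparseable."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def triage(row):
    """Classify one row as patched / vulnerable / vendor-pending / unknown."""
    browser = row["browser"].lower()
    version = parse_version(row.get("version") or "")
    if browser in CHROMIUM_BASED:
        # The thread gives no fixed build for these; check the vendor's advisory.
        return "vendor-pending"
    if browser != "chrome" or version is None:
        return "unknown"
    # Compare numerically: as strings, "112.0.5615.49" sorts after "112.0.5615.121".
    return "patched" if version >= parse_version(FIXED_CHROME) else "vulnerable"

def audit(inventory):
    """Group hostnames by triage result so follow-up can be prioritised."""
    report = {}
    for row in inventory:
        report.setdefault(triage(row), []).append(row["host"])
    return report

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    {"host": "desk-01", "browser": "Chrome", "version": "112.0.5615.121"},
    {"host": "desk-02", "browser": "Chrome", "version": "112.0.5615.49"},
    {"host": "lap-07", "browser": "Chrome", "version": "111.0.5563.146"},
    {"host": "lap-09", "browser": "Edge", "version": "112.0.1722.39"},
    {"host": "byod-3", "browser": "Chrome", "version": None},  # unmanaged, no data
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(f"{status}: {', '.join(hosts)}")
```
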

 
Dec 2, 2019
4,120
9,246
South Lincolnshire
Funster No
67,140
MH
Rapido 7065+
Exp
Broken most bits now
Finally managed to downgrade to Win 10 despite Microsoft. Now need to spend another week deleting all the bloat :devil:


 
