Latest news with #slonser

Google's New Chrome Update—Do Not Ignore June 5 Deadline

Forbes

28-05-2025


Google has just updated Chrome again, warning that two high-severity vulnerabilities put PCs at risk. The 'use after free' and 'out of bounds' memory issues are typical for the browser, and while there are no attack warnings this time, these are the types of flaws often chained to other exploits to enable attacks.

Details are scarce, as Google says 'access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed.'

There are 11 fixes in total with the release of version 137.0.7151.55/56. The new high- and medium-severity fixes are as follows:

Earlier this month, Google warned that Chrome had been actively exploited and issued an urgent fix for CVE-2025-4664. The company's confirmation 'that an exploit exists in the wild' followed a public disclosure on X from @slonser_ that a query parameter takeover could exploit sensitive data in a string which 'might lead to an Account Takeover' if the query parameter is stolen.

Given attacks in the wild, America's cyber defense agency issued a mandatory warning for federal staff to update or stop using browsers by June 5. While that update instruction isn't mandatory for other users, you should follow suit and update by June 5. This vulnerability was openly disclosed from the get-go and is now in the public domain. That leaves browsers at risk until updates are applied.

CISA's remit is 'to help [all organizations] As Cybersecurity News warns 'the vulnerability poses significant risks, including unauthorized data leakage across web origins… Given its classification as a zero-day flaw, it was exploited before Google released the patch, heightening the urgency for mitigation.'

Remember, you need to restart your browser once the update has downloaded. As long as you have the current version, all past fixes will be applied and you will be protected.

Google Issues Chrome Attack Warning—Check Your Browser Now

Forbes

15-05-2025


Google has just ensured Microsoft won't take all the cyber attack headlines for itself this week, confirming Chrome users are also now at risk. Clearly, given the browser's dominance across Windows, that's a double whammy for PC users.

Google has issued a fix for CVE-2025-4664, warning it is aware 'of reports that an exploit exists in the wild.' This follows an X post from @slonser_ that 'a technique that's probably not widely known in the community' enabled query parameter takeovers that could exploit sensitive data included in the string. 'In OAuth flows, this might lead to an Account Takeover' if the query parameter is stolen.

We have seen warnings in recent weeks that attackers have been intercepting such security strings or tricking users into copying and pasting them, hijacking a secure session that can then be replicated on another device. This tactic essentially bypasses two-factor authentication (2FA) when browsers have been used to access secure platforms.

Google described the issue as an 'insufficient policy enforcement in Loader.' This is now in the public domain, making it critical that users update Chrome to 136.0.7103.113/.114 as soon as it's available. As ever, check your browser for the flag that an update has been downloaded, and then restart your browser to install it.

Separately, Google is also copying a recent Microsoft update. Per @Leopeva64, again on X, 'Microsoft Edge detects when it has been launched with administrative privileges and, to minimize security risks, relaunches itself with standard user permissions, well, Microsoft is (once again) trying to incorporate this functionality into Chrome.'

Absent this change, anything downloaded and run through Chrome adopts your administrator rights and can wreak havoc on your PC. Per Bleeping Computer, 'If you accidentally download and run a malicious file, it could execute with full system access, potentially compromising your entire OS without any warning.' Restricting this helps to contain the problem, although attackers look for other ways to elevate those privileges.
