Google Chrome Update Deadline – You Have 72 Hours to Update Your Browser

Updated September 16 with a new CAPTCHA attack targeting Windows users.

The last few weeks have been busy for Chrome, with a ton of news for its 3 billion users to digest. And it would be all too easy to forget that the fast-approaching update deadline is just 72 hours away. Google has confirmed that attackers have actively exploited two dangerous security flaws in Chrome, and users can’t be left unprotected.

The first of these memory vulnerabilities was revealed in a Chrome update on August 21, and Google warned that CVE-2024-7971 was being actively exploited. The unpleasant surprise was that the second memory vulnerability fixed in the same update — CVE-2024-7965 — was also being targeted. Google confirmed this a week later.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both flaws to its Known Exploited Vulnerabilities (KEV) catalog, ordering all federal agencies to update Chrome by September 16 (and September 18 for the second patch) or stop using the browser. And while CISA’s deadlines are only mandatory for government agencies, many organizations follow them as well. Simply put, there are two actively exploited vulnerabilities, so update Chrome now if you haven’t done so since early September.

As CISA explains, it “maintains an authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catalog as input to their vulnerability management prioritization framework.”

Since then, two updates have been released for the Chrome desktop browser, on September 2 and 10, respectively. Both patched serious security flaws, although neither has yet been confirmed to be actively exploited.

Ironically, given the spate of zero-day vulnerabilities (including this week’s Patch Tuesday), one of the high-profile Chrome vulnerabilities was discovered and disclosed by Microsoft, which attributes the attacks to North Korean crypto hackers who chained the Chrome vulnerability with a Windows zero-day that has also since been patched.

Microsoft suggested this as a reason for users to switch from Chrome to Edge, advising organizations to “encourage users to use Microsoft Edge and other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious sites, including phishing sites, scam sites, and sites that contain malware.”

While I wouldn’t advise switching browsers on that basis, Microsoft’s point that phishing lures need to be stopped at the source is well taken. And Google is taking steps of its own to do just that. Google said this week that its “enhanced Safety Check feature will now run automatically in the background in Chrome, taking more proactive steps to keep you safe. It will also notify you about actions it takes, including revoking permissions for sites you no longer visit, flagging potentially unwanted notifications, and more.”

Microsoft just released its latest Microsoft Threat Intelligence podcast, which delves deeper into the North Korean threat behind its disclosure of CVE-2024-7971, shedding some light on the “surprising nature of recent attack chains involving a vulnerability in the Chromium engine.”

Chrome gets a lot of flak (the downside of market dominance), but it deserves credit for its ongoing security improvements, even if you have to overlook the advertising and cookie-based data collection. Those improvements make a difference, as one striking exchange on X this week showed: Google’s crackdown on infostealers that exploit Chrome’s weaknesses is starting to close the door, at least on the stable release, although the exchange also shows that the other side is clearly intent on finding new ways in.

While the latest worldwide browser market share data shows that Edge is still growing its user base, it’s an extremely slow rate of growth. Statcounter reports a statistically insignificant increase from 13.75% in July to 13.78% in August of this year, although the year-over-year growth is more encouraging, with Edge up 11.15% year-on-year.

Updating Chrome to the latest version will address the two zero-day exploits, as well as fix anything that has been patched since then. As always, check to see if the update has been downloaded, then restart the browser to make sure it’s installed. If you’ve switched to Edge, you’ll need to do the exact same thing — both browsers are being actively exploited.

Sometimes the most dangerous threats hide in plain sight, and they can strike even when you’ve done the right thing and updated. That’s certainly the case with a new warning for Chrome users: a sneaky new attack designed to frustrate you into doing something you know you shouldn’t, making things worse.

As BleepingComputer reports, this new attack, first revealed by OALABS Research, is “a new technique used by attackers to force victims to enter their browser credentials, allowing them to be stolen from the browser’s credential store using traditional data-stealing malware.”

The researchers explain that this opens the door to the StealC malware, which aims to steal Google account credentials. The attack forces the browser into “kiosk mode” before “navigating to the login page of the target service, usually Google.” Kiosk mode is a full-screen web view with no browser chrome, and the attack blocks the usual ways of exiting it.

“This tactic annoys the victim by forcing them to enter their credentials in order to close the window. Once entered, the credentials are stored in the browser’s credential storage on disk and can be stolen by stealer malware that is deployed with a credential stripper.”

As BleepingComputer explains, since the regular exit keys have been disabled, “try other hotkey combinations, such as ‘Alt + F4’, ‘Ctrl + Shift + Esc’, ‘Ctrl + Alt + Delete’, and ‘Alt + Tab’.” If that doesn’t work and you can get back to the desktop, “Pressing ‘Win Key + R’ should open the Windows Command Prompt. Type ‘cmd’, then close Chrome with ‘taskkill /IM chrome.exe /F’.” Or, if that fails, hard-restart your computer.

There’s a second nasty new threat for Chrome users that’s now hiding in plain sight, although it’s so stupidly simple it should be much easier to spot. Hopefully, if it hits your computer, you won’t fall victim and will shut it down quickly.

This attack uses a fake CAPTCHA and was first flagged by Palo Alto Networks’ Unit 42, but it didn’t get much attention at the time. Now a video by researcher John Hammond is circulating on X, which should raise its profile.

As Unit 42’s researchers explain, “as of 2024-08-27, fake verification pages were created to distribute the Lumma Stealer malware. These pages have a button that, when clicked, displays instructions for victims to paste a PowerShell script into the Run window. This copy/paste PowerShell script downloads and executes the Windows EXE file for the Lumma Stealer malware. Associated Lumma Stealer EXE files download and use zip archives that do not appear malicious on their own.”

Lumma Stealer is an information thief that is often rented out as malware-as-a-service; it targets user credentials and cryptocurrency wallets. As you can see in the video Hammond posted on X, this doesn’t look like your everyday CAPTCHA: it asks you to copy, paste, and run a script. Honestly, if alarm bells aren’t ringing at that point, you might want to shut down your computer and take a break.

Hudson Rock’s Infostealers website reported the same attack two weeks ago, but again it didn’t get the attention it deserved. “Since late August 2024,” researchers warned, “attackers have used fake ‘human verification’ pages to trick users into executing a malicious PowerShell script.”

The CAPTCHA itself is delivered by code on the malicious site the user has visited. “This code clearly shows that when the verify button is clicked, the encrypted code is automatically copied to the clipboard.”

This code executes the mshta binary, “a legitimate Windows tool for executing HTML5 applications (HTAs) and serving embedded scripts… Because it is a trusted and signed binary by Microsoft, it often bypasses security filters, making it a prime candidate for use in ‘living off the land’ attacks. This technique allows attackers to execute malicious scripts without triggering alarms, since mshta.exe is typically not flagged by antivirus or endpoint protection systems.”

If you haven’t stopped it by then, the malware executes another command to download the Lumma Stealer payload, “designed to steal sensitive information such as passwords, session tokens, cryptocurrency wallets, and other personal data from infected machines.”
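The two lures above share one defensive angle: the fake CAPTCHA leaves its pasted command in the history Windows keeps for the Run dialog (the RunMRU registry key), and the kiosk-mode login window runs as a Chrome process whose command line can be inspected. The following PowerShell triage script is an added example, not code from the article, OALABS, Unit 42 or Hudson Rock; it assumes the kiosk window was started with Chrome’s documented --kiosk switch (the article does not say how kiosk mode is entered) and that the pasted command went through the Run dialog rather than a terminal.

```powershell
# Added example (not from the article): triage checks for the two Chrome lures,
# the fake-CAPTCHA "paste this into Run" trick and the kiosk-mode login window.
# Run in the affected user's session; no admin rights are needed for RunMRU.

# Patterns typical of the lure's pasted command: mshta fetching a remote HTA, or
# PowerShell run hidden, with an encoded command, or bypassing execution policy.
$suspicious = @(
    'mshta(\.exe)?\s+https?://',
    'powershell.*-(w|window|windowstyle)\s*h',
    'powershell.*-(e|enc|encodedcommand)\s',
    'powershell.*-(ep|executionpolicy)\s*bypass',
    '\b(iwr|invoke-webrequest|iex|invoke-expression)\b'
)

function Get-SuspiciousRunMru {
    # Windows stores Run-dialog history as values a, b, c... ending in "\1";
    # MRUList holds the value names ordered from most to least recent.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $key)) { return @() }
    $mru = Get-ItemProperty -Path $key
    $order = if ($mru.MRUList) { $mru.MRUList.ToCharArray() } else { @() }
    foreach ($name in $order) {
        $prop = [string]$name
        $cmd = ($mru.$prop -replace '\\1$', '')
        foreach ($pat in $suspicious) {
            if ($cmd -imatch $pat) {
                [pscustomobject]@{ Source = 'RunMRU'; Entry = $prop; Command = $cmd; Pattern = $pat }
                break
            }
        }
    }
}

function Get-KioskChrome {
    # Assumption: the lure launches Chrome with its --kiosk switch. Any live
    # chrome.exe started that way deserves a look when a user reports a login
    # window they cannot close; taskkill /IM chrome.exe /F (as the article
    # quotes) is the blunt fix, Stop-Process -Id on these PIDs the targeted one.
    Get-CimInstance Win32_Process -Filter "Name = 'chrome.exe'" |
        Where-Object { $_.CommandLine -match '--kiosk' } |
        Select-Object ProcessId, ParentProcessId, CommandLine
}

$hits  = @(Get-SuspiciousRunMru)
$kiosk = @(Get-KioskChrome)
if ($hits)  { $hits  | Format-Table -AutoSize } else { 'RunMRU: no suspicious Run commands found' }
if ($kiosk) { $kiosk | Format-Table -AutoSize } else { 'No chrome.exe running with --kiosk' }
```

A RunMRU hit is evidence the user already ran the pasted command, so treat it as a possible infection and follow up with a full scan rather than just clearing the key.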

Like the full-screen kiosk-mode Google login window, the goal here is a social-engineering attack that hides behind the familiar, exploiting users’ trust in Google logins or in CAPTCHA verification boxes on a website. CAPTCHAs have become such an everyday part of the web experience that we tend to ignore them. And while they used to look much alike, we now see far more variety as “are you human” challenges evolve.

And it’s likely to get worse. CAPTCHA, or “Completely Automated Public Turing test to tell Computers and Humans Apart,” will be one of many things reshaped by the accelerating addition of more advanced AI to so much of what we do online and to the ways we interact with our devices. While this attack is crude and easy to detect, we can expect much more sophisticated variations on the theme, especially as we all find our feet in this brave new world.

As PC Magazine warns, “Malicious CAPTCHAs can easily be distributed to targets by sending them phishing emails or phishing attacks. Therefore, users should be vigilant if they encounter any unusual CAPTCHA test requests that come their way; it could be a trap.”

All of this shows that you can do everything you need to do, including updating as quickly as possible, and there will still be a social-engineering campaign out there looking to get your data. If you fall victim to this or something similar, be sure to run an up-to-date virus scan before you go back to using your computer normally.