If you have seen any cybersecurity headlines over the past week, chances are you saw some references to Google Chrome and a few different vulnerabilities that have recently plagued it. Chrome may be your go-to browser, but since Microsoft’s Edge is based on the same code base, both browsers tend to have the same vulnerabilities and problems. Today, we’ll reconsider the world’s most popular browser and let you know what you need to do to use it safely. Before anything else, if you haven’t yet heard of the vulnerabilities that we’ll discuss in this first section, skip to the last numbered point of this post to manually update Chrome or Edge if you haven’t done so in the past few days or weeks.
Zero-day Vulnerabilities
One of the reasons why there has been so much hype about the recent Chrome vulnerabilities is that they are zero-day vulnerabilities: bugs in the code that attackers can take advantage of for a certain amount of time before they are found out and addressed. When researchers find zero-day vulnerabilities in software, it’s either through their own testing (trying to see what they can break so that things can be made more secure) or by observing someone actively exploiting the vulnerability against users.
The most recent vulnerability being talked about is CVE-2024-7971, which is the ninth zero-day that Google has needed to patch this year. This vulnerability was reportedly used by a North Korean hacking group with a specific interest in gaining access to cryptocurrency. The flaw was used in conjunction with a recently patched Windows vulnerability (CVE-2024-38106) that allowed an attacker to gain system privileges and run any code they’d like. While few details of how this vulnerability was exploited are available, for most vulnerabilities of this kind all it takes to fall victim to the exploit is clicking a link to a bad-guy website hosting the malicious code.
The Bad News…
is that this is all business as usual for a web browser. Fundamentally, browsers take on so much of the workload for all of our everyday computing that they need to have a lot of moving parts to get the job done. Looking at the list of this year’s Google zero-day patches, you can see that the JavaScript engine is a common theme. It’s just one of many parts of the browser with a great deal of complex code involved, so it’s natural that issues and vulnerabilities will pop up.
Place these long-standing, well-understood libraries in between you and the internet and there are bound to be attack after attack after attack on the code. With a whole economy built around data theft and exploitation, attackers will continue to find clever ways to trick browsers into giving them the keys to the castle. There’s always a certain amount of determination and incentive that a hacking group can leverage to find these vulnerabilities. But…
The Good News…
is that the major browser makers (Google, Microsoft, and Apple) are typically very responsive to these vulnerabilities and fix them quite quickly. Part of this might just be the way they announce them (usually alongside the fix), but they also have no interest in shipping an insecure product that makes the internet a less safe place. Typically, by the time anyone has heard of the vulnerability in question, an update is already being pushed to browsers to fix the problem. The vulnerabilities are often fairly straightforward to fix, since they come down to programming errors in the code and the languages it’s written in that can be exploited.
As with most security concerns, the main way to stay ahead of the hacking groups is to keep your software up-to-date. Modern browsers are typically very easy to fix, since they auto-update by default. If you keep your browser and tabs open for long stretches, you’ll likely see an Update button appear near the menu and profile icons every so often. Any time you see this button, it’s because Chrome has an update ready but hasn’t been restarted in a while. When you push the button, the update is applied almost instantly and your open tabs are reopened.
Good Practices for Keeping Your Browser Up-To-Date
It’s pretty important to let the browser update itself in this fashion. As mentioned, leaving the browser open for long stretches of time can keep a critical patch from being applied, at least until you close the browser. It’s a good idea to get into the habit of closing the browser at least once a day for this reason.
1) A good routine might be taking a moment at the end of the working day and just looking at everything that you’ve got going in the browser when you go to wrap up. If you can get back to everything easily, then there’s no reason not to close the browser.
In fact, if you close the whole window (not just each tab) you can easily get all of your tabs back open when you reopen the browser. Simply go to the menu (three dots), then History, then Restore session.
Reopening your tabs works in Chrome, Edge, Safari, and Firefox, and it will bring back all of your tabs, though the pages will usually be reloaded. This is a healthy way to continue your work: it gives the browser the opportunity to update if it needs to, and it performs better than having tabs sitting idle for hours or days at a time. If you have to sign back in to some of them, just remember that the slight inconvenience (even of dealing with your authenticator app or Duo) is just a token of your commitment to security.
2) If you’re comfortable using the command line, I recommend Winget as a way to keep all of your software updated, including a great deal of third-party apps. Using it is the fastest and easiest way to make sure that any available updates are installed on your desktop.
If you’ve got reminders set for different business tasks, this can be a good weekly task that will keep most of the software on your machine up-to-date. This includes browsers like Chrome and Edge, and other third-party apps like your password manager, any remote desktop clients (which is just as important as keeping your browser updated), and other software that you likely don’t go out of your way to update regularly.
3) When you do hear of a Chrome or Edge security vulnerability, update the browser manually. Do this by going to the menu (three dots in the top right corner), selecting Settings, and choosing About Chrome in the left pane.
Visiting this page triggers the update check to run right away, and the browser then asks you to relaunch to finish applying the update. Doing this ensures that you have the best protection possible and keeps you ahead of the most recent known vulnerabilities.
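One way to script the Winget step (point 2) so it can run as the weekly task mentioned above, while reporting the same version number that the About page in point 3 shows. This is an added example, not code from the post or from Crown Computers; it assumes winget is installed, that Chrome and Edge are in their default per-machine paths, and that it is run from an elevated PowerShell prompt.

```powershell
# Added example: report installed Chrome/Edge versions, then let winget apply any
# pending browser updates. Package IDs are the real winget IDs; paths are the
# default per-machine install locations (assumption: no custom install folder).
$browsers = @(
    @{ Name = 'Google Chrome';  WingetId = 'Google.Chrome'
       Exe = "$env:ProgramFiles\Google\Chrome\Application\chrome.exe" },
    @{ Name = 'Microsoft Edge'; WingetId = 'Microsoft.Edge'
       Exe = "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe" }
)

function Get-BrowserVersion([string]$Path) {
    # The executable's ProductVersion is the version string the About page displays.
    if (Test-Path $Path) { return (Get-Item $Path).VersionInfo.ProductVersion }
    return $null
}

foreach ($b in $browsers) {
    $before = Get-BrowserVersion $b.Exe
    if (-not $before) { Write-Host "$($b.Name): not found at $($b.Exe), skipping"; continue }
    Write-Host "$($b.Name): installed version $before"

    # winget does nothing if the installed version already matches its catalog; the
    # --silent and --accept-* switches stop it from prompting during a scheduled run.
    winget upgrade --id $b.WingetId --exact --silent `
        --accept-source-agreements --accept-package-agreements

    $after = Get-BrowserVersion $b.Exe
    if ($after -ne $before) { Write-Host "$($b.Name): updated $before -> $after" }
    else { Write-Host "$($b.Name): no new version applied yet (already current, or staged)" }
}

# If the browser was running during the upgrade, the installer may stage the new
# version until the next relaunch, which is the same relaunch the About page asks for.
# Optional: register this script as the weekly task (task name is a constructed example).
# Register-ScheduledTask -TaskName 'Weekly browser updates' -RunLevel Highest `
#   -Action (New-ScheduledTaskAction -Execute 'powershell.exe' `
#             -Argument "-NoProfile -File `"$PSCommandPath`"") `
#   -Trigger (New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At 9am)
```

Close the browser and rerun the script if the version printed afterwards still matches the earlier one; that confirms whether the update was staged or simply not available.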
Crown Computers recommends Microsoft’s Intune for device management. With cloud management tools, your MSP can manage important third-party updates like these for you. Alongside Office 365, Entra ID, and other cloud technologies, you could have fewer updates to worry about and keep your devices and network more secure. If you’re interested in these services, just reach out to us to schedule a meeting!
-Written by Derek Jeppsen on Behalf of Sean Goss and Crown Computers Team