Google Chrome urged users to update in early March following the discovery of a zero day exploit in the browser’s fundamental code. Zero-day exploits refer to vulnerabilities that are not yet tested and addressed through software patches, an especially dangerous category of exploits if discovered by attackers rather than security firms.
The exploit in question was disclosed by an engineer with Google’s Threat Analysis Group. The exploit was not addressed in great technical detail but involves the manipulation of the browser’s use of memory as it is used and freed up by running processes. The exploit was revealed to have already been used by attackers for the purpose of escalating privileges in Chrome and escaping the native sandboxing. One of Chrome’s major innovations is running each web page as a self-contained, “sandboxed” process that cannot interact with other processes on the host’s computer. This prevents many of the common exploits in web hacking where the browser runs malicious programs embedded in a web page’s code, allowing exploitation of a user’s system. The ability of an exploit to circumvent the sandboxing and run or access files directly on the computer opens a wide variety of possible exploits and allows malicious code to take advantage of other vulnerabilities in a computer’s operating system or installed utilities.
Although Google reported the exploit has been used already on the internet the possibility of the issue being discovered first or primarily by security professionals is the most fortunate outcome. Dedicated and technically savvy cybercrime groups invest a great deal of energy in uncovering vulnerabilities in increasingly labyrinthine operating systems and utilities. The majority of cybercrime now emphasizes schemes with clear monetary reward such as using compromised systems to mine digital currencies or the ever-present ransomware threats embedded in spam emails. The business model of criminal and hacking groups changes almost as quickly as the technical playing fields in use to attack corporate and individual computers. The cost and severity of increasing cybercrime activity indicate the depth of knowledge brought to innovating in scams and attacks that can touch any digitally connected person.
Google revealed that the zero-day vulnerability was used in tandem with a privilege escalation issue in the venerable Windows 7. Privilege escalation, the use of tricks or security flaws to run programs that would otherwise be unauthorized or access protected files and services, is a key component of cyberattacks. When bundled with the remote access of a web browser an exploit hosted on a malicious website increases the ability of an attacker to spread and activate their malware exponentially. Google had released the patch addressing this Chrome memory access vulnerability earlier in the month on March 1st, only later revealing that included in the update was a fix for the zero-day exploit. It is likely with Chrome’s auto-update features few users would have gone unprotected. One key concern was for users who leave their system and web browser running, as Chrome would still be vulnerable after an update if not closed and restarted.
The complex and interlocking nature of computing will always lead to the discovery and exploit of new zero-day attacks. The financial returns on criminal exploits are only increasing the pace of development for malware and driving the discovery of more unaddressed vulnerabilities in business and personal systems. The best defenses remain instituting processes to automate updates on as many systems as possible, avoiding latent vulnerabilities, and to avoid suspicious websites that may be hosting malicious code. A good defense remains critical to security, especially in a world where the most devastating attacks are the hardest to predict.
