Security News
A new Android malware that impersonates the Google Chrome app has spread to hundreds of thousands of people in the last few weeks, according to researchers. The fake app is being used as part of a sophisticated hybrid cyberattack campaign that also uses mobile phishing to steal credentials.
Google this week announced yet another set of patches for Chrome, to address a total of 19 vulnerabilities affecting the web browser. In its advisory, Google made no mention of any of these vulnerabilities being exploited in live attacks.
In the latest move to improve the privacy of the Chrome browser, Google is adding support for a new HTML tag that prevents user tracking by isolating embedded content from the page embedding it. To prevent such tracking, Google is adding a new form of embedded iframe called a "Fenced frame" that isolates the embedded content and does not allow it to see the user data of the embedding page.
Microsoft has reportedly paused the development of Windows 10X, its Chrome OS competitor for single-screen and dual-screen devices. Unlike Windows 10, Windows 10X was supposed to be simple, sleek, faster, and more secure.
Version 90 of Google's Chrome browser includes a bit of extra security for users of recent versions of Windows and the latest x86 processors, in the form of hardware-enforced stack protection. This basically means that, if your PC supports it, it's a bit harder for malicious websites to exploit bugs in Chrome to hijack your computer.
Starting in version 90, Chrome for Windows improves resilience against vulnerability exploitation by adopting Hardware-enforced Stack Protection. Together with existing protection measures, the Stack Protection should mitigate a variety of exploitation techniques, but could affect stability if it is not compatible with software that loads itself into Chrome.
Google Chrome now hinders attackers' efforts to exploit security bugs on systems with Intel 11th Gen or AMD Zen 3 CPUs, running Windows 10 2004 or later. This is possible after the adoption of Intel's Control-flow Enforcement Technology, supported on Windows 10 computers through an implementation known as Hardware-enforced Stack Protection, which adds enhanced exploit protection to all compatible devices.
As more companies and independent developers are switching to Progressive Web Apps as their preferred solution for native apps, Microsoft and Google are slowly adding new PWA features to improve the web app experience on Windows and other platforms. For those unaware, a Progressive Web App, or PWA, is the latest web technology that allows anyone to use websites as native mobile or desktop apps.
Google's Chrome browser has several security vulnerabilities that could pave the way to multiple types of attacks, including a V8 bug that could allow remote code execution within a user's browser. Liu told SecurityWeek that the bug is somewhat mitigated by the fact that it doesn't allow attackers to escape the sandbox where Chrome runs, meaning attackers can't reach any of the other programs, data and applications on the computer.
An update released this week by Google for Chrome 90 patches yet another serious vulnerability affecting the V8 JavaScript engine used by the web browser. Liu told SecurityWeek that the flaw can be exploited for remote code execution in the targeted user's browser, but noted that, similar to other recently disclosed V8 vulnerabilities, it does not escape the Chrome sandbox - a sandbox escape bug is needed to exploit CVE-2021-21227 in real-world attacks.