Security News

Google has issued an update for its widespread Chrome browser to fix three security holes. Google, which is often vociferous about bugs and how they work, especially those found by its own Project Zero and Threat Analysis teams, is playing its cards close to its chest in this case.

Google said Monday it has patched a Chrome web browser zero-day bug being actively exploited in the wild. Google said the flaw impacts versions of Chrome released before version 80.0.3987.122.

A Chrome 80 update released on Monday patches three high-severity vulnerabilities, including one that Google says has been exploited in the wild. Google has credited Clement Lecigne of its Threat Analysis Group for reporting the vulnerability.

Google yesterday released a new critical software update for its Chrome web browser for desktops that will be rolled out to Windows, Mac, and Linux users over the next few days. The latest Chrome 80.0.3987.122 includes security fixes for three new vulnerabilities, all of which have been marked 'HIGH' in severity, including one that has been reportedly exploited in the wild.

This week we discuss why Google abruptly pulled more than 500 Chrome extensions from its Web Store, the case of a man held in custody for refusing to decrypt two hard drives, and research detailing a number of security holes in Bluetooth chipsets. Greg Iddon plays host and producer this week and is joined by fellow Sophos experts Paul Ducklin and Peter Mackenzie.

Google has removed more than 500 extensions from the Chrome Web Store after they were found performing covert data exfiltration activities. Independent security researcher Jamila Kaya and Cisco's Duo Labs originally identified a network of 70 copycat plugins with 1.7 million users that were infecting users' browsers and exfiltrating data.

Google has removed 500 Chrome extensions from its online store after researchers found that attackers were using them to steal browser data, according to a new report from security firm Duo Security. In a message to the researchers that it had removed the extensions, Google noted that it "Regularly sweeps to find extensions using similar techniques, code and behaviors and take down those extensions if they violate our policies."

Google has abruptly pulled over 500 Chrome extensions from its Web Store that researchers discovered were stealing browsing data and executing click fraud and malvertising after installing themselves on the computers of millions of users. Depending on which way you look at it, that's either a good result because they're no longer free to infect users, or an example of how easy it is for malicious extensions to sneak on the Web Store and stay there for years without Google noticing.

Google has removed more than 500 Chrome extensions in response to a report from a security researcher, who found the browser plugins distributed through the Chrome Web Store facilitated ad fraud and data theft. Using a free extension forensic analysis tool called CRXcavator, released last year by Cisco's Duo Security, independent infosec bod Jamila Kaya spotted a set of similarly coded Chrome extensions "That infected users and exfiltrated data through malvertising while attempting to evade fraud detection on the Google Chrome Web Store," said Kaya, and Jacob Rickerd, a security engineer at Duo, in a blog post this week.

After researchers first identified 71 malicious extensions and reported their findings to Google, the tech giant then identified 430 additional extensions that were also linked to the malvertising campaign, they said. The extensions had almost no ratings on Google's Chrome Web Store, and the source code of the extensions are all nearly identical.