
“Operation WizardOpium” Google Chrome Zero-Day Exploit: Update Now


As an avid Google user (I manage around ten Chromebits and multiple Gmail accounts at work, not to mention my personal accounts and hardware), I try to stay as current as I can with new security alerts and software updates. While I first learned about and fixed this potentially problematic event a few days ago, I now have the time to share my thoughts about it all. Late Halloween night, Google managed to deliver the only real scare I received in the form of an urgent update intended to patch an actively exploited zero-day. The vulnerability, CVE-2019-13720, is a use-after-free bug in Chrome’s audio component. Use-after-free vulnerabilities are a form of memory corruption flaw in which a program keeps using memory after it has been freed. Attackers can use them to execute arbitrary code, although often the result is just a program crash.

Operation WizardOpium was found by two Kaspersky malware researchers, Alexey Kulaev and Anton Ivanov. Per Kaspersky, the zero-day was utilized to install malware on user devices, with a designated verdict of Exploit.Win32.Generic.

What to Do?

Safeguarding your hardware and Chrome accounts is quite a simple process. As someone who tends to wait a few days before installing a new update (to allow others to find flaws and provide time for fixes), the 78.0.3904.87 Chrome update is not something I could postpone. As soon as we heard about the necessary Chrome update, I went around to each computer and Chromebit to check if the update was applied automatically and then manually checked for any available updates. I applied the same fixes to my personal devices.

Below are the steps for manually checking for and installing updates in Google Chrome.

Chrome on Windows

  1. Navigate to the top right corner of your screen and select the three vertical dots (Customize and control Google Chrome).
  2. Towards the bottom of the new window, select Settings.
  3. On the left side of the new screen, select About Chrome at the end of the list.
  4. Finally, directly under Google Chrome, you will see either ‘Google Chrome is up to date’ or ‘Check for updates’. If your Chrome is already updated, no further steps are necessary; if not, simply select ‘Check for updates’ and if there is one available, it will then download. Note: you will have to restart your Chrome instance, so be sure to save/finish any current work.
  5. You can also enforce auto-updates, which can be a good idea if you are not prone to checking update releases.

Chrome on Android Device

  1. Similar to updating any mobile app, go to Google Play Store.
  2. Open the side menu by pressing the icon at the top left of the screen (to the left of the search bar).
  3. Select My apps & games.
  4. Locate Google Chrome and tap on Update.
  5. You can also enforce auto-updates, which can be a good idea if you are not prone to checking update releases.

Chrome on iPhone & iPad

  1. Open the App Store.
  2. At the top right of your screen, select Profile.
  3. Scroll down to Available Updates, and then search for Chrome.
  4. Tap on Update.
  5. If necessary, enter your Apple ID password.

Chrome on Asus Chromebit

  1. Typically, if there is an available update, there should be a system update icon in the bottom right corner of the screen; if this appears, select Restart to update.
  2. If the above system update icon does not appear and you wish to manually check for an update, select Settings (Gear icon) at the bottom right corner of the screen.
  3. On the settings page, select About Chrome OS.
  4. Finally, directly under Google Chrome, you will see either ‘Google Chrome is up to date’ or ‘Check for updates’. If your Chrome is already updated, no further steps are necessary; if not, simply select ‘Check for updates’ and if there is one available, it will then download. Note: you will have to restart your Chrome instance, so be sure to save/finish any current work.
  5. You can also enforce auto-updates, which can be a good idea if you are not prone to checking update releases.
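When there are many machines to check, the versions collected from each one can be compared against the 78.0.3904.87 release named above in one pass. The following is an added example, not part of the original post; the hostnames and version strings are constructed sample data, and the function names are hypothetical.

```python
import re

# Fixed release named in this post for CVE-2019-13720.
PATCHED = (78, 0, 3904, 87)

# Matches a four-part Chrome version such as "78.0.3904.70".
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the first four-part version in text as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def audit(inventory):
    """Classify each (host, version string) pair.

    Returns a dict host -> "patched" | "needs update" | "unknown".
    Versions are compared numerically per component, so 78.0.3904.9
    sorts below 78.0.3904.87 (a plain string comparison gets this wrong).
    """
    result = {}
    for host, raw in inventory:
        version = parse_version(raw)
        if version is None:
            result[host] = "unknown"  # unreadable entry: check by hand
        elif version >= PATCHED:
            result[host] = "patched"
        else:
            result[host] = "needs update"
    return result


# Constructed sample inventory (hostnames and strings are made up).
SAMPLE = [
    ("front-desk", "Google Chrome 78.0.3904.87"),
    ("lab-01", "Google Chrome 78.0.3904.70"),
    ("lab-02", "Google Chrome 78.0.3904.9"),
    ("kiosk-3", "Google Chrome 79.0.3945.16 beta"),
    ("chromebit-7", "command not found"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:12} {status}")
```

Entries reported as "unknown" are the ones to visit in person using the manual steps above.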

Summary

Although exploits such as CVE-2019-13720 can be intimidating, the likelihood of an attack on the average user is quite low. However, keeping devices up to date with new releases and updates is always recommended, at least with your personal devices. When it comes to the decision on whether to update multiple devices at once in a business setting, there are several vital things to consider, including possible downtime, risk of bugs/errors, and the availability of personnel.
