Google Chrome is having a hard time with security right now because two different holes are being actively used. As a result of this situation, quick action has been taken, such as a government order for all federal workers to update their computers within 21 days.
Microsoft found and told the public about the first of these flaws. Now, the company has taken it a step further by saying that Chrome users might be better off using a different browser.
The first of these security problems is a bug called CVE-2024-7971 that was being used maliciously before Google put out a fix on August 21. The next day, on August 26, Google released another update that showed a second flaw, CVE-2024-7965, had also been hacked.
The Cybersecurity and Infrastructure Security Agency (CISA) has added both of these flaws to its Known Exploited Vulnerability (KEV) catalog. To protect against these threats, Chrome users must update their browsers by the middle of September.
The CVE-2024-7971 vulnerability was found and made public by Microsoft’s security team. The company has since released a thorough report claiming that a North Korean cyber group called “Citrine Sleet” used this flaw. This group seems to be after financial gain when they go after financial institutions and people who work with cryptocurrency.
According to Microsoft, Citrine Sleet makes fake websites that look like real cryptocurrency trade platforms. The bad apps are then spread through these websites, usually by pretending to be job applications or as weaponized cryptocurrency wallets and trade software.
Microsoft’s take on the Chrome attack
Microsoft knows how important it is to keep Chrome, Edge, and other Chromium-based websites up to date, but it also stresses the need for stronger security measures. It is recommended by the business to use security systems that let you see the whole chain of cyberattacks.
Microsoft specifically tells users to think about moving to Microsoft Edge or another browser that works with Microsoft Defender SmartScreen. This tool is made to find and stop harmful websites, such as those that spread malware, phishing, and other scams.
Microsoft says that Edge is safer than Chrome, especially when it comes to keeping users safe from malware. This point of view has been clear in Microsoft’s controversial ads, which often go after Windows users who have Chrome set as their preferred browser.
Even though the debate is still going on, the advice that users switch to Edge as part of a security advisory about a vulnerability that Microsoft itself revealed has caused some eyebrows to raise. This is because Chrome and Edge are competitors. Notably, Chrome is still the most popular browser in the world, with a much bigger share of the market than Edge.
The focus on Edge’s security features shows that the story is shifting from the vulnerabilities themselves to phishing and how to stop it in a wider sense. Microsoft says that Edge is better at stopping these threats at their source. In the meantime, Google has been working to make Safe Browsing better.
Safe Browsing used to find possibly dangerous sites or files by checking a list stored on the user’s device that was updated every 30 to 60 minutes. Google has admitted that this method is not enough, though, since the average rogue site is now only online for less than 10 minutes. Because of this, Google has switched to a real-time check method that it says will stop 25% more phishing attempts.
The things that Citrine Sleet does are part of a larger trend of cyber threats coming from North Korea, especially ones that involve stealing cryptocurrency. This is very dangerous because these kinds of cracks can quickly turn into more serious threats like ransomware or spying.
Since fixing the zero-day flaws, Google put out a new version of Chrome on September 2. This update fixes two more very serious security holes. It brings the stable desktop channel for Windows and Mac to version 128.0.6613.119/.120. You can find CVE-2024-7970, an out-of-bounds write vulnerability in V8, and CVE-2024-8362, a use-after-free vulnerability in Web Audio.
There have been no reports of these vulnerabilities being actively used, but they are still major problems that could cause the system to become unstable or allow malicious code to run if they are not fixed.
Microsoft is trying to get people to switch from Chrome to Edge, but it doesn’t seem to be having much of an effect on Chrome’s user base. According to new numbers, Chrome is still the most popular desktop browser, with Microsoft Edge coming in a very distant second.
Edge, on the other hand, has grown; its market share has gone up a little year over year. Google’s standing is still strong, in part because Chrome users don’t give up. Still, Microsoft’s case that corporate security officers should think about the browsers that are used on their networks as part of a unified security strategy is strong.