Chrome Update Urged: Federal Deadline and Edge Advisory

As of September 3, Google Chrome users face an urgent update deadline following the discovery of two critical vulnerabilities actively exploited by cyber attackers. In response to these threats, the U.S. government has mandated that all federal employees update their Chrome browsers within the next 21 days. The situation has prompted Microsoft, which uncovered the first vulnerability, to advise users to consider switching from Chrome to alternative browsers.

The vulnerabilities, identified as CVE-2024-7971 and CVE-2024-7965, were first flagged by Google on August 21. The initial update addressed a range of security issues, including CVE-2024-7971, which was found to be under active exploitation. A subsequent advisory on August 26 revealed that CVE-2024-7965 had also been targeted by attackers after the initial warning. In response, the Cybersecurity and Infrastructure Security Agency (CISA) added these vulnerabilities to its Known Exploited Vulnerability (KEV) catalog, setting a mid-September deadline for Chrome updates.

Microsoft’s security team, which discovered CVE-2024-7971, has recently issued a report linking the vulnerability to crypto thefts. The report attributes these attacks with “high confidence” to a North Korean threat actor known as Citrine Sleet. This group primarily targets financial institutions and individuals involved in cryptocurrency, seeking financial gain through fraudulent means. Citrine Sleet employs techniques such as creating counterfeit cryptocurrency trading platforms and luring victims into downloading malicious applications.

Microsoft recommends keeping Chrome, Edge, and other Chromium-based browsers updated but emphasizes the need for comprehensive security solutions that offer unified visibility across the cyberattack chain. Microsoft advises users to consider switching to Microsoft Edge, which supports Microsoft Defender SmartScreen, a feature that helps identify and block malicious websites, including phishing and malware sites. The recommendation for Edge over Chrome reflects Microsoft’s broader effort to enhance its own browser’s security profile, though it has faced criticism for promoting Edge through ads and other tactics targeting Chrome users.

Despite these recommendations, Chrome remains the dominant desktop browser, with a market share significantly higher than Edge. According to recent reports, Chrome continues to lead with more than four times the number of Edge users globally. Microsoft’s push for Edge highlights a strategic shift in the narrative from focusing on the vulnerabilities themselves to addressing the phishing lures that often precede attacks. This approach underscores the importance of protecting against the sources of exploitation.

Google’s Safe Browsing service has been updated to enhance its protection capabilities. Previously, Safe Browsing relied on a list stored on the user’s device, updated every 30 to 60 minutes. However, with the realization that many malicious sites exist for less than 10 minutes, Google now checks sites against a real-time server-side list of known bad sites. This update is expected to increase phishing attempt blocking by 25%.

The attacks exploiting CVE-2024-7971 have directed victims to a malicious domain, “voyagorclub[.]space,” where the zero-day remote code execution (RCE) exploit was deployed. This was followed by the installation of the FudModule rootkit, which disrupts kernel security mechanisms and performs kernel tampering through direct kernel object manipulation (DKOM). Microsoft has clarified that this rootkit operates exclusively from user mode and does not seem to be directly linked to the CVE-2024-38106 exploit, which was patched during August’s Patch Tuesday.

Citrine Sleet’s involvement in these attacks indicates a sophisticated threat, likely linked to North Korea’s cyber capabilities and focused on cryptocurrency hacking. The potential for these exploits to evolve into ransomware or espionage adds to the severity of the threat.

In response to the vulnerabilities, Google released an additional Chrome update on September 2, addressing two high-severity memory issues. The update, version 128.0.6613.119/.120, fixes vulnerabilities CVE-2024-8362 and CVE-2024-7970, which involve use-after-free and out-of-bounds write issues, respectively. Although no active exploitation warnings accompany this update, these types of vulnerabilities can lead to destabilizing system attacks or unauthorized code execution.

Microsoft’s push for users to switch to Edge has had minimal impact on Chrome’s dominance, with Edge currently holding around 13.78% of the market, compared to Chrome’s much larger share. Edge has shown some growth, with a 2.63-point increase year-over-year in August 2024, but it remains far behind Chrome.

As the security landscape evolves, both Chrome and Edge users must stay vigilant and ensure their browsers are updated to protect against active threats. While Microsoft’s recommendation to switch browsers reflects its competitive positioning, the key takeaway for all users is to prioritize timely updates and comprehensive security measures to mitigate the risks posed by these vulnerabilities.