The US Cybersecurity and Infrastructure Security Agency
(CISA) is advising companies, institutions and regular users to update their
Google Chrome browsers to the latest version as soon as possible.
Given the dominant position of Google Chrome in the Internet
browser market, it makes sense for CISA to get involved when there’s a significant
risk. Google Chrome is widely used in institutions, companies, and by the
public, so the government takes seriously any vulnerability that could pose a
security risk.
The latest update for Google Chrome, 80.0.3987.162, doesn’t
seem like much, but it comes with fixes for three high-severity
vulnerabilities. None of them have been detailed, which is not unusual. As
people upgrade their Chrome browsers to the latest version, more information
will be released.
“Multiple vulnerabilities have been discovered in Google
Chrome, the most severe of which could allow for arbitrary code execution.
These vulnerabilities can be exploited if a user visits, or is redirected to, a
specially crafted web page,” says CISA in its advisory.
Technically, if these vulnerabilities (CVE-2020-6452,
CVE-2020-6451, and CVE-2020-6450) were exploited, attackers would be able to
execute arbitrary code in the context of the browser, which would grant them
the ability to view, change and delete data.
Several mitigation tactics are available. The first is, of
course, upgrading the Internet browser. It’s also a good idea to run the
browser as a user without administrative privileges, and to avoid visiting
untrusted websites or following links provided by unknown or untrusted
sources.
Also, users should abstain from clicking on links in emails
or attachments that don’t come from trusted sources. The good news is that
there’s no evidence any of these high-severity vulnerabilities are being
exploited in the wild.
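
For administrators acting on the upgrade advice, the following is an added example (not from CISA or Google) that audits reported Chrome versions against the fixed build 80.0.3987.162 named above. The host names and inventory lines are constructed, and the input is assumed to be the text printed by `google-chrome --version` on each machine.

```python
import re

# Fixed build named in the article; everything else below is constructed.
FIXED_BUILD = (80, 0, 3987, 162)

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the four-part Chrome version in `text` as a tuple of ints, or None."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(version_text, fixed=FIXED_BUILD):
    """Classify a reported version string as 'patched', 'outdated' or 'unknown'."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # never assume an unreadable report is patched
    # Tuple comparison is numeric per component, so 80.0.3987.99 sorts below
    # 80.0.3987.162; a plain string comparison would get that wrong.
    return "patched" if version >= fixed else "outdated"


def audit(inventory):
    """Map each host to its status; `inventory` is {host: reported version text}."""
    return {host: classify(reported) for host, reported in inventory.items()}


# Constructed sample inventory with hypothetical host names.
SAMPLE_INVENTORY = {
    "ws-001": "Google Chrome 80.0.3987.162",
    "ws-002": "Google Chrome 80.0.3987.149",
    "ws-003": "Google Chrome 80.0.3987.99",
    "ws-004": "Google Chrome 81.0.4044.92",
    "ws-005": "command not found",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Hosts reported as "unknown" need a manual check, since a failed version query says nothing about whether the browser is patched.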