The US Cybersecurity and Infrastructure Security Agency (CISA) is advising companies, institutions and regular users to update their Google Chrome browsers to the latest version as soon as possible.
Given the dominant position of Google Chrome in the Internet browser market, it makes sense for CISA to get involved when there’s a significant risk. Google Chrome is widely used in institutions, companies, and by the public, so the government takes seriously any vulnerability that could pose a security risk.
The latest update for Google Chrome, 80.0.3987.162, doesn’t seem like much, but it comes with fixes for three high-severity vulnerabilities. None of them have been detailed, which is not unusual. As people upgrade their Chrome browsers to the latest version, more information will be released.
“Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. These vulnerabilities can be exploited if a user visits, or is redirected to, a specially crafted web page,” says CISA in its advisory.
Technically, if these vulnerabilities (CVE-2020-6452, CVE-2020-6451, and CVE-2020-6450) were exploitable, attackers would be able to execute arbitrary code in the context of the browser, which would grant them the ability to view, change and delete data.
Several mitigation tactics are available. The first is, of course, upgrading the Internet browser. It’s also a good idea to run the browser as a user without administrative privileges, and to avoid visiting untrusted websites or following links provided by unknown or untrusted sources.
Also, users should abstain from clicking on links in emails or attachments that don’t come from trusted sources. The good news is that there’s no evidence any of these high-severity vulnerabilities are being exploited in the wild.
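An added example, not part of the original article: a minimal fleet check that flags hosts whose reported Chrome version is below the fixed build 80.0.3987.162. The host names and version strings are constructed sample data in the form printed by `google-chrome --version`; versions are compared numerically because a plain string comparison would rank 80.0.3987.99 above 80.0.3987.162.

```python
import re

# Fixed build named in the article.
FIXED = (80, 0, 3987, 162)

# Matches a four-part Chrome version anywhere in a string,
# e.g. in the output of `google-chrome --version`.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the version as a tuple of ints, or None if none is found."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def needs_update(text, fixed=FIXED):
    """True if the reported version is older than the fixed build.

    Unparseable input is flagged as well (fail closed), so a host that
    returned an error is reviewed rather than silently skipped.
    """
    v = parse_version(text)
    return v is None or v < fixed


def audit(inventory):
    """Return sorted host names whose browser is below the fixed build."""
    return sorted(h for h, reported in inventory.items() if needs_update(reported))


# Constructed sample inventory (hypothetical host names and outputs).
SAMPLE = {
    "ws-01": "Google Chrome 80.0.3987.162",
    "ws-02": "Google Chrome 80.0.3987.149",
    "ws-03": "Google Chrome 80.0.3987.99",  # a string compare would call this newer
    "ws-04": "Google Chrome 81.0.4044.92",
    "ws-05": "command not found",
}

if __name__ == "__main__":
    for host in audit(SAMPLE):
        print(f"{host}: update required ({SAMPLE[host]})")
```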