Google Chrome Zero-Day: What Are The Risks?

Tuesday, March 19, 2019

Sam Bocetta


Google Chrome has long been considered one of the most reliable, effective, functional and secure web browsers. So when the news of a “zero-day” recently arrived, users were naturally concerned.

The biggest threat of zero-day is not that it was drawn up by online users that like to gossip, but actually spread across the internet by Google’s own engineers.

It is rare that Google admits to such vulnerabilities, though it was satisfying to see them own up when they realized potential exposure.

What is Google Chrome zero-day and what does it mean to your own personal devices? What are the security threats? That’s what we’re going to discuss in this article:

Why is Google Chrome Zero-Day A Big Deal?

After engineers at Google urged users to patch earlier this month when a new vulnerability known as zero-day (CVE-2019-5786) was announced to the public it quickly became aware that Google was referring to a full exploitation that escapes the sandbox and leads to remote code execution.

In the IT world, being able to exploitate a sandbox entirely and lead to remote code execution is quite a feat, especially when dealing with one of the most powerful technological companies in the world.

In fact, it is so rare that the feat is rarely achieved only in settings like a Pwn2Own competition, and rarely in actual life.

Furthermore, according to the individual at Google who first discovered the attack, he believes that another zero-day threat exists in Microsoft Windows and at the time of this publication has not yet been patched.

The engineer basically suggested that he believed the two zero-day attacks could be linked which would produce even further complications.

How Can You Avoid Zero-Days?

The first step is to check what version of Google Chrome you are using for your web browser. If the version is below 72.0.3626.121, your computer is vulnerable to an attack. Yes, Google does feature an automatic update component, however, in order to successfully install the new patch - you must restart the browser.

The last part cannot get emphasized enough. Why? As studies have indicated a good portion of online users are known to keep their tabs opened for days or weeks without ever feeling the need to restart a browser. The problem is, the new patch cannot get incorporated into the security system until the user makes a full restart.

Even if you are worried about losing your tabs, you will not so long as A) you update Google Chrome to its latest version and B) relaunch the browser. Google saves your tabs that were already pulled up even after you close the browser, so they will come right back up.

How Is Google Chrome Zero-Day Impacted By The Third Party Software Injections Ban?

The timing of the zero-day attack has a certain sense of irony given that it comes at a recent point where Google started banning third-party software injections.

The news was not exactly welcomed by a number of Chrome users as approximately two-thirds of them say they use other applications on their devices that also interact with Chrome.  

In the past, software was required to inject code into Chrome in order to function properly. The injection led to an increase in crashes, which is why Google announced they would start blocking third-party software.

The noticeable difference is Microsoft-signed code, accessibility software, and IME software, which is still allowed by Google Chrome. If you remember from earlier in the article, the engineer that discovered zero-day also warned of potential exposure on Microsoft Windows too.

Should You Leave Chrome Altogether?

While the recent Google Chrome zero-day attack is noteworthy and disconcerting for millions of Chrome browsers, it is also not the end of the world. Google still has a really strong track record for having some of the most secure platforms on the web, especially for a company its size.

Google is constantly targeted by the major players (hackers, cybercriminals, etc) and consistently wards off serious threats. Yes, Chrome got exposed through the most recent vulnerabilities yet it was able to quickly diagnose the situation and send out a public announcement as soon as possible.

Though some claim that Firefox is still the better browser, and the most recent negative news from Google may cause more online users to convert from Chrome to Firefox, the browser is still heavily reliable.

How Can You Remain Safe With Chrome?

In addition to having a safe and secure browser you should also take the necessary steps to find a reliable host. Your host works hand in hand with your browser in order to deliver the most secure connections to the internet.

Many other like keeping their browsing habits and personal information private by utilizing a VPN app. However, make sure you are aware of the most recent VPN scams that make false promises about what security they provide and are not always encrypted.

Other simple steps to make sure your browser is safe and secure include:

  • Configure your browser’s security and privacy settings.

  • Sign up for alerts so you can quickly get notice on vulnerabilities like the recent Google Chrome zero-day.

  • Always exercise caution when installing new plugins.

  • Check to make sure you have an AV installed.

  • Install security plugins when available (so long as they are allowed by Google).

While Google has made it more difficult for third-party software injections to work successfully with Chrome, having as much compatibility between your antivirus software and the browser are as important as ever.

Final Thoughts

In the case with Google Chrome zero-day there is no workaround. However, if you know your device is not below version 72.0.3626.121, and have restarted the browser, you should be good to go.

The bug is now officially squashed and without a vulnerability to exploit, the exploit is no longer a threat. Patching is the best case scenario for handling the latest attack on Google Chrome. Just make sure it’s completely updated and restarted.

Possibly Related Articles:
Operating Systems Viruses & Malware
Chrome vulnerability CVE-2019-5786
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.