Why Google's 'zero-day' emergency update for Chrome matters

The company issued an emergency update to fix a vulnerability on its popular Chrome web browser

Google has issued an emergency update to fix a “zero-day” vulnerability on its popular Chrome web browser, the first such threat it has discovered this year.

The patch has been released for Chrome applications installed on computers running on Microsoft Windows, Apple's Macs and Linux, though details of any attacks have yet to be disclosed, Google said in a blog post on Saturday.

The vulnerability was discovered by a member of Google's Threat Analysis Group on April 11.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” California-based Google said.

“We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”

Why zero-day vulnerabilities are a big deal

A zero-day vulnerability is a software vulnerability in a system that has been discovered and disclosed, but has yet to receive a patch, or an update to fix it.

Because owners of systems affected by the vulnerability are unaware of the risk and no patch exists for zero-day vulnerabilities, attacks are most likely to succeed, according to cyber security company Kaspersky.

As a result, these vulnerabilities can lead to zero-day exploits, the methods hackers use to attack systems that have a previously unidentified vulnerability, and to zero-day attacks, in which a zero-day exploit is used to steal data or cause damage.

What is concerning is that it may take as long as several months to discover new vulnerabilities in systems, in most cases after an attack has already been carried out, and only then can developers work on a patch to fix them.

“And even once a zero-day patch is released, not all users are quick to implement it. In recent years, hackers have been faster at exploiting vulnerabilities soon after discovery,” Kaspersky said.

What are the implications?

Besides web browsers, zero-day vulnerabilities also put other computing systems at risk, including operating systems, applications, hardware, firmware, components used in open-source programs and even the Internet of Things.

All these systems are used by a variety of users, but most noteworthy is that hackers can exploit zero-day vulnerabilities to attack high-profile targets, including financial institutions, governments, critical infrastructure and others holding sensitive data that can be used for illicit financial gain, or simply to cause chaos by damaging systems.

Among the malware that can be released in a zero-day attack are spyware and ransomware.

Why is an attack on Chrome a big deal?

Google's Chrome remains the most-used web browser in the world on all platforms, which include desktops, tablets and mobile, cornering nearly 65 per cent of the global market, data from Statcounter shows.

This means that there are about 3.3 billion users of Chrome, a very significant number of potential targets for hackers.

Apple's Safari is a distant second with about 20 per cent, followed by Microsoft Edge (4.6 per cent), Mozilla Firefox (3 per cent) and Samsung Internet (2.6 per cent).

Most recent and notable zero-day vulnerabilities

Zero-day threats to Chrome are not new, and could be on track to occur less frequently this year. Google had to release patches for nine vulnerabilities in 2022, which was down from the 22 it discovered in 2021.

They are also not limited to web browsers. In 2020, Zoom users were put at risk by a vulnerability that let hackers remotely access a PC if it was running an older version of Windows. If the victim was an administrator, the machine was at risk of a complete takeover and file access.

Apple’s iOS for its iPhones is widely considered the most secure in smartphones, but it was still affected by zero-day vulnerabilities in 2020. The California-based company, which owns the Safari browser, quickly released patches to stop the threats.

Microsoft fell victim in 2019 when its OS was exploited by hackers through a “local privilege vulnerability”, targeting government institutions in Eastern Europe. In 2017, a similar attack hit its Word app, in which unsuspecting users opened a document with malware that gave hackers access to bank accounts. The tech company immediately released a patch in both cases.

Updated: April 17, 2023, 10:25 AM