New version of Chrome now available for download

Jan 17, 2020 10:56 GMT

Google has released a new security update for the Google Chrome browser that includes several important patches, among them a mitigation for the Windows 10 vulnerability patched by Microsoft this week and discovered by the NSA.

The update to version 79.0.3945.130 on Windows, Mac, and Linux includes a total of 11 security fixes, the first of which addresses a critical use-after-free vulnerability in the speech recognizer. This bug was reported by Antti Levomäki and Christian Jalio from Forcepoint in late October and is documented in CVE-2020-6378.

Three of the security bugs carry a “high” severity rating, including an extension message verification error reported by Sergei Glazunov of Google Project Zero on 2019-12-09.

One of the highlights, however, is the addition of protection to mitigate the Windows 10 vulnerability that was reported to Microsoft by the NSA.

A spoofing vulnerability in the Windows CryptoAPI can be used by attackers to run malicious code as a legitimate process, basically avoiding detection on an unpatched system.

“Important” security flaw

The flaw was given an “important” severity rating by Microsoft and was confirmed in all versions of Windows 10.

“An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider,” Microsoft said.

“The security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.”

The Google Chrome security update released today adds a mitigation that lets the browser perform further certificate checks when loading websites that could be used in exploits aimed at the NSA-discovered vulnerability.

Users are advised to update their Windows devices as soon as possible and to install security updates for third-party software, such as this one for Chrome, immediately after release.