Google Chrome – Gridinsoft Blog (https://gridinsoft.com/blogs)

Google Patches Chrome Zero-Day Under Active Attack — Update Now
https://gridinsoft.com/blogs/chrome-zero-day-angle-exploit-december-2025/
Thu, 11 Dec 2025 23:20:36 +0000

Google dropped an urgent Chrome update on Wednesday to fix a high-severity vulnerability that’s already being exploited in the wild. If you haven’t updated your browser yet, now would be an excellent time.

The flaw is tracked under Chromium issue ID 466192044—and that’s about all Google is sharing publicly. No CVE, no component name, no details on who’s targeted or by whom. Classic security playbook: give users time to patch before handing attackers a roadmap.

What We Know About the Vulnerability

While Google kept the details under wraps, a GitHub commit reveals that the issue lives in ANGLE (Almost Native Graphics Layer Engine), Google’s open-source layer that translates the OpenGL ES calls behind WebGL and GPU compositing into each platform’s native graphics API (Direct3D, Metal, Vulkan).

The commit message hints at a buffer overflow in ANGLE’s Metal backend, triggered by improper buffer sizing. Metal is Apple’s graphics API, so the affected code path is the one Chrome uses on macOS, although the fix ships for every platform. In practical terms, an out-of-bounds write in the GPU layer means memory corruption, browser crashes, or, worst case, arbitrary code execution. Because WebGL content from any web page reaches this code, it is the kind of bug that lets attackers do more than crash your browser tab.

This marks the eighth zero-day vulnerability in Chrome that’s been either actively exploited or publicly demonstrated since the start of 2025. The others include CVE-2025-2783, CVE-2025-4664, CVE-2025-5419, CVE-2025-6554, CVE-2025-6558, CVE-2025-10585, and CVE-2025-13223.

Additional Fixes in This Update

Google also addressed two other medium-severity bugs:

  • CVE-2025-14372 — Use-after-free vulnerability in Password Manager
  • CVE-2025-14373 — Inappropriate implementation in Toolbar

Use-after-free vulnerabilities are a favorite among attackers: the program keeps using a pointer to memory it has already released, and an attacker who manages to get their own data allocated into that freed slot controls what the program reads or writes next, potentially leading to code execution or data theft.

Google’s decision to withhold technical specifics isn’t unusual. When an exploit is already circulating in the wild, disclosing the exact mechanism would only help other attackers reverse-engineer the patch and develop their own attacks. It’s a calculated trade-off between transparency and protecting the billions of Chrome users worldwide.

That said, the lack of attribution means we don’t know if this is state-sponsored activity, a targeted campaign against specific organizations, or something broader. Given Chrome’s market dominance, even a narrow exploit can have significant reach.

How to Protect Yourself

Update Chrome immediately to version 143.0.7499.109/.110 for Windows and macOS, or 143.0.7499.109 for Linux. Here’s how:

  1. Open Chrome and click the three-dot menu (⋮) in the top right
  2. Go to Help → About Google Chrome
  3. Chrome will automatically check for updates and download the latest version
  4. Click Relaunch to complete the update

If you’re using other Chromium-based browsers like Microsoft Edge, Brave, Opera, or Vivaldi, keep an eye out for their respective patches: they all ship the same underlying Chromium code, ANGLE included, and each vendor releases its own build of the fix.
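Checking the version by hand on one machine is easy; across a fleet you want the comparison done right (numerically, not as a string) and you want to know that a host really carries the fixed build rather than a pending download. The script below is an added example, not code from the Gridinsoft post or from Google: the fixed version is the one quoted above, while the commands used to read the locally installed version are assumptions about where the browser lives on each platform.

```python
"""
Added example, not code from the Gridinsoft post or from Google: decide whether an
installed Chrome or Chromium build is at or past the fixed release, so a fleet check does
not mark a host safe just because an update was downloaded. The fixed version is the one
quoted in the post; the commands used to read the local version are assumptions.
"""
import re
import subprocess
import sys

FIXED_VERSION = "143.0.7499.109"   # lowest fixed build; Windows/macOS also ship .110
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """First MAJOR.MINOR.BUILD.PATCH in text as an int tuple, or None."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def is_patched(version_text, fixed=FIXED_VERSION):
    """True when the version found in version_text is >= fixed (tuple, not string, comparison)."""
    found = parse_version(version_text)
    if found is None:
        raise ValueError(f"no Chrome version in {version_text!r}")
    return found >= parse_version(fixed)


def installed_version_text():
    """Read the version of the locally installed browser; binary paths are assumptions."""
    commands = {
        "linux": [["google-chrome", "--version"], ["chromium", "--version"]],
        "darwin": [["/Applications/Google Chrome.app/Contents/MacOS/Google Chrome", "--version"]],
        "win32": [["powershell", "-NoProfile", "-Command",
                   r"(Get-Item 'C:\Program Files\Google\Chrome\Application\chrome.exe')"
                   ".VersionInfo.ProductVersion"]],
    }
    for cmd in commands.get(sys.platform, []):
        try:
            out = subprocess.run(cmd, capture_output=True, text=True, timeout=10).stdout
        except (OSError, subprocess.SubprocessError):
            continue
        if parse_version(out):
            return out
    return ""


if __name__ == "__main__":
    # Constructed fallback so the script still demonstrates the check where no browser is installed.
    text = installed_version_text() or "Google Chrome 143.0.7499.98 (constructed sample)"
    print(text.strip(), "->", "PATCHED" if is_patched(text) else "VULNERABLE")
```

One caveat the version string cannot tell you: it reflects the binary on disk. A Chrome that was updated but never relaunched still runs the old code, which is why step 4 above (Relaunch) matters; chrome://version shows the version actually running.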

The Bigger Picture

Browser security has become increasingly critical as we spend more time online and browsers handle everything from banking to healthcare to corporate applications. An exploited browser vulnerability, especially one in a graphics rendering engine, can be weaponized through malicious websites—no download required.

This is why patching matters. Unlike phishing attacks that rely on tricking users, zero-day exploits can compromise systems silently. You don’t need to click a suspicious link or download a sketchy file—just visiting a compromised webpage could be enough.

The fact that 2025 has already seen eight Chrome zero-days speaks to both the browser’s popularity (it’s an attractive target) and the intensity of modern threat research. Whether these exploits are discovered by researchers or threat actors first is often a race against time.

Update your browser. It takes 30 seconds and might save you a whole lot of trouble.

“Your Connection is Not Private” Error: When Your Browser Gets Trust Issues
https://gridinsoft.com/blogs/your-connection-is-not-private-error-fix/
Mon, 28 Apr 2025 12:04:52 +0000

We’ve all been there – you’re trying to check out a perfectly innocent website when suddenly Chrome throws a dramatic “Your connection is not private” warning at you. No need to panic. This isn’t your browser being overprotective – it’s actually trying to save you from potential trouble.

What’s Actually Happening Here?

Think of this error as your browser having a trust crisis. It’s essentially saying, “I can’t verify this website’s security credentials, so I’m not letting you in.” This happens when there’s a problem with the site’s TLS certificate (still widely called an SSL certificate), the credential behind that little padlock icon that tells you a connection is secure.

Chrome browser showing Your Connection is Not Private error screen with red warning icon
That moment when Chrome decides to be the overprotective parent

The most common causes include expired security certificates, misconfigured website settings, or your computer’s clock being way off (yes, really). Sometimes it’s a sign of something more sinister like a man-in-the-middle attack, where someone’s trying to intercept your data. But most often? It’s just a technical hiccup.

Quick Fixes for “Your Connection is Not Private” Error

Despite looking like a major crisis, this error is usually fixable with some simple steps. Let’s start with the easy ones before you throw your device out the window.

1. The “Did You Try Turning It Off and On Again?” Approach

Check for typos in the URL – sometimes “amazom.com” isn’t the retail giant you were hoping for. Try refreshing the page with F5 or the refresh button. Sometimes the internet just has a momentary brain freeze.

2. Fix Time Travel Issues (System Date/Time)

Your computer’s date and time matter more than you’d think. If your device thinks it’s still 2019 or living in the future, SSL certificates will look either expired or not yet valid. SSL certificates are time-sensitive creatures.

For Windows: Right-click on the clock → Adjust date/time → Enable “Set time automatically” and hit “Sync now.” Your PC might just be living in the wrong timezone or decade.

Windows 10 date and time settings screen showing Set time automatically option enabled

For Mac: System Settings → General → Date & Time → Check “Set time and date automatically.” Your Mac will sync with time servers and rejoin the present.

macOS System Settings showing Date & Time preferences with automatic time setting option enabled

3. Go Incognito (Not Just for Shopping Gifts)

Sometimes an extension, not the site, is causing the problem. Incognito mode runs with extensions disabled by default and without your saved cookies, so it gives you a clean slate: if the page loads fine there, one of your extensions is the culprit. It’s like putting your browser in witness protection – no history, no cookies, no problems.

4. Clean Out the Digital Junk Drawer (Clear Browser Cache)

Browsers collect cache and cookies like your grandma collects ceramic figurines – and sometimes they need to be cleared out. This digital decluttering often resolves connection issues and gives your browser a fresh start.

Chrome Cache Clearing

In Chrome: Menu (three dots) → Settings → Privacy and security → Clear browsing data. Select “Cookies” and “Cached images and files” and hit that Clear button like you mean it.

Google Chrome clear browsing data dialog showing options to delete cookies and cached files

Firefox Cache Clearing

In Firefox: Menu → Settings → Privacy & Security → Clear History. Delete those cookies and cached web content to give Firefox a clean slate.

Mozilla Firefox clear history dialog with options for cookies and cached content selected

Edge Cache Clearing

In Edge: Menu → Settings → Privacy, search, and services → Choose what to clear. Select your digital debris and click “Clear now” to sweep it all away.

Microsoft Edge settings page showing privacy options and clear browsing data controls

5. Check for Rogue Extensions

Browser extensions can be like well-intentioned but clumsy friends – sometimes they break things while trying to help. Check for outdated or suspicious extensions that might be interfering with your secure connections.

6. Try the WWW Magic Trick

Sometimes a certificate covers only one of a site’s two names: it lists “www.example.com” among its Subject Alternative Names but not the bare “example.com” (or the other way round), and the browser reports a name mismatch (NET::ERR_CERT_COMMON_NAME_INVALID). Adding or removing “www.” at the beginning of the URL might just solve your problem. It’s the digital equivalent of “have you tried jiggling the handle?”

7. Update All the Things (Browser & OS)

Outdated browsers are like expired milk – they both lead to unpleasant experiences. Check if your browser needs updating by going to Settings → About. If you see an update button, click it and let the magic happen.

Google Chrome About page showing browser is up to date with green checkmark
This is what browser happiness looks like

Don’t forget your operating system too. On Windows, go to Start → Settings → Windows Update → Check for updates. On Mac, visit System Settings → General → Software Update to get the latest fixes.

macOS Software Update screen showing system is checking for updates

Specific Error Solutions by Device Type

Mobile Devices: When Your Phone Gets Trust Issues

This error isn’t just a desktop problem – mobile devices get it too. For Android users, the fixes are similar: check your date/time, clear Chrome data, and update your browser. The error often pops up more on public WiFi networks that use captive portals or require logins.

For iPhone users, go to Settings → General → Date & Time and make sure “Set Automatically” is enabled. Then try clearing Safari’s browsing data through Settings → Safari → Clear History and Website Data.

WiFi Issues: Public Networks and Connection Problems

Public WiFi is notorious for triggering these errors. Many public networks use “captive portals” that hijack your connections until you log in: a plain HTTP page is simply redirected to the login form, but an HTTPS request gets answered with the portal’s own certificate, which doesn’t match the site you asked for, so the browser rightly refuses. Try visiting a plain HTTP site first to trigger the login page, then return to your HTTPS site.

On home networks, try resetting your router if you’re seeing this error on multiple devices. A simple power cycle (unplug, wait 30 seconds, plug back in) can sometimes clear up strange connection issues.

Security Software Conflicts

When Your Security Software Gets Overprotective

Sometimes your antivirus or VPN is the problem. Security software that offers “HTTPS scanning” or a “web shield” works by installing its own root certificate and re-signing every site’s certificate so it can inspect the traffic. When the browser doesn’t trust that root (Firefox keeps its own certificate store, and an update or reinstall can break the trust), every HTTPS site suddenly looks like an impostor. It’s like your bodyguard tackling the mailman because they didn’t recognize the uniform.

Try temporarily disabling your VPN, or turning off the HTTPS scanning or web shield feature in your antivirus. These features mean well, but sometimes they break secure connections instead of protecting them.

The “Attackers Might Be Trying to Steal Your Information” Warning

The line “Attackers might be trying to steal your information” sounds terrifying, but Chrome prints it on every certificate interstitial, whatever the cause. The useful part is the error code beneath it: NET::ERR_CERT_DATE_INVALID points at an expired certificate or a wrong clock, NET::ERR_CERT_COMMON_NAME_INVALID at a name mismatch (the www problem above, or a captive portal), and NET::ERR_CERT_AUTHORITY_INVALID at a certificate signed by someone your browser doesn’t trust. On public WiFi that last one is fairly common and isn’t always cause for panic.

However, if you see NET::ERR_CERT_AUTHORITY_INVALID at home, on your regular network, on sites that worked yesterday, it’s worth checking for malware. Certain types of malicious software install their own root certificate and hijack your connections, which is exactly what triggers this warning.
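The fixes above (the system clock in fix 2, the www/apex name in fix 6, the captive-portal and HTTPS-scanning cases, and the Chrome error codes) all come down to three checks the browser runs on the certificate it is handed. The script below reproduces them and names the likely cause; it is an added example, not code from the original post. The certificate dicts are constructed samples in the shape Python’s ssl.getpeercert() returns, and the trusted-issuer set and interception keywords are illustrative assumptions, not a real root store.

```python
"""
Added example, not code from the Gridinsoft post: reproduce the checks behind a
"Your connection is not private" page and name the likely cause. Certificate dicts
are constructed samples in the shape ssl.SSLSocket.getpeercert() returns; the
trusted-issuer set and the interception keywords are illustrative assumptions.
"""
import ssl

TRUSTED_ISSUER_ORGS = {"Let's Encrypt", "DigiCert Inc", "Google Trust Services LLC"}   # assumption
INTERCEPTOR_HINTS = ("web shield", "https scanning", "proxy", "fiddler", "mitmproxy")  # assumption


def san_dns_names(cert):
    """DNS names from the subjectAltName extension, lower-cased."""
    return [value.lower() for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(hostname, cert):
    """Exact SAN match, or a wildcard that covers exactly one left-most label (never the apex)."""
    host = hostname.lower()
    for name in san_dns_names(cert):
        if name.startswith("*."):
            if "." in host and host.split(".", 1)[1] == name[2:]:
                return True
        elif name == host:
            return True
    return False


def issuer_org(cert):
    """organizationName of the issuer, as getpeercert() nests it: ((('key', 'value'),), ...)."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def diagnose(hostname, cert, now):
    """Return (chrome_error_code, hint). `now` is epoch seconds so runs are reproducible."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        return ("NET::ERR_CERT_DATE_INVALID", "not yet valid: the local clock is probably behind")
    if now > not_after:
        return ("NET::ERR_CERT_DATE_INVALID", "expired: the site must renew, or the local clock runs ahead")
    if not hostname_matches(hostname, cert):
        return ("NET::ERR_CERT_COMMON_NAME_INVALID",
                f"name mismatch: certificate covers {san_dns_names(cert)}, not {hostname} "
                "(www vs apex, or a captive portal answering in place of the site)")
    org = issuer_org(cert)
    if org in TRUSTED_ISSUER_ORGS:
        return ("OK", "")
    if any(hint in org.lower() for hint in INTERCEPTOR_HINTS):
        return ("NET::ERR_CERT_AUTHORITY_INVALID",
                f"intercepted locally: '{org}' re-signed the connection (AV HTTPS scanning or a proxy)")
    return ("NET::ERR_CERT_AUTHORITY_INVALID",
            f"issuer '{org}' is not trusted: possible man-in-the-middle or a malware-installed root")


def make_cert(dns_names, org, not_before, not_after):
    """Build a constructed getpeercert()-shaped dict for the samples below."""
    return {
        "subject": ((("commonName", dns_names[0]),),),
        "issuer": ((("countryName", "US"),), (("organizationName", org),)),
        "subjectAltName": tuple(("DNS", n) for n in dns_names),
        "notBefore": not_before,
        "notAfter": not_after,
    }


# Constructed "today" and sample certificates (none of these are real certificates).
NOW = ssl.cert_time_to_seconds("Apr 28 12:00:00 2025 GMT")
CLOCK_BEHIND = ssl.cert_time_to_seconds("Jan 01 00:00:00 2024 GMT")
GOOD = make_cert(["www.example.com", "example.com"], "Let's Encrypt",
                 "Mar 10 00:00:00 2025 GMT", "Jun 08 23:59:59 2025 GMT")
WWW_ONLY = make_cert(["www.example.com"], "Let's Encrypt",
                     "Mar 10 00:00:00 2025 GMT", "Jun 08 23:59:59 2025 GMT")
EXPIRED = make_cert(["www.example.com"], "Let's Encrypt",
                    "Dec 10 00:00:00 2024 GMT", "Mar 10 23:59:59 2025 GMT")
PORTAL = make_cert(["login.freewifi.example"], "FreeWiFi Captive Portal",
                   "Jan 01 00:00:00 2025 GMT", "Jan 01 00:00:00 2026 GMT")
AV_SCAN = make_cert(["www.example.com"], "ExampleAV Web Shield Root",
                    "Mar 10 00:00:00 2025 GMT", "Jun 08 23:59:59 2025 GMT")

if __name__ == "__main__":
    for label, host, cert, now in [("ok", "www.example.com", GOOD, NOW),
                                   ("apex on www-only cert", "example.com", WWW_ONLY, NOW),
                                   ("clock behind", "www.example.com", GOOD, CLOCK_BEHIND),
                                   ("expired", "www.example.com", EXPIRED, NOW),
                                   ("captive portal", "www.example.com", PORTAL, NOW),
                                   ("AV scanning", "www.example.com", AV_SCAN, NOW)]:
        print(f"{label:24} {diagnose(host, cert, now)}")
```

To run it against a real site you need the certificate as a dict, which getpeercert() only returns after a successful handshake; for a failing one, copy the Subject Alternative Name, validity dates and issuer from Chrome’s certificate viewer (click “Not secure” in the address bar) or from `openssl s_client -connect host:443 -servername host` and fill in make_cert() with them.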

Malware Check: When Private Connection Errors Persist

If none of the fixes work, malware might be tampering with your secure connections. Some sneaky programs install their own root certificate and route your traffic through a local proxy to spy on it. Your browser, being the good guard dog it is, barks loudly when the certificate it is handed wasn’t issued by anyone it trusts.

How to Scan for Certificate-Hijacking Malware

Running a thorough malware scan is your best bet here. GridinSoft Anti-Malware can detect and remove threats that might be causing these certificate errors. It not only cleans up existing threats but also provides ongoing protection against future certificate hijacking attempts.

Step-by-Step Guide to Removing SSL-Hijacking Malware

Follow these steps to scan your system and remove any malware that might be causing your connection issues:

Step 1: Download and Install GridinSoft Anti-Malware

Start by downloading an anti-malware solution like GridinSoft Anti-Malware. Our tool is specifically designed to detect and remove various types of malware, including those that interfere with your secure connections.

Step 2: Run a Full System Scan

After installation, launch the program and select “Full Scan” to thoroughly check your entire system. This comprehensive scan will examine all files, including those that might be hidden or disguised as legitimate system files.

GridinSoft Anti-Malware Scanning
GridinSoft Anti-Malware is able to deal with a wide variety of hidden malware

The scan may take some time depending on your system size and speed, but it’s important to let it complete without interruption. A thorough scan is crucial for finding deeply embedded threats that might be causing your SSL certificate issues.

Step 3: Review and Remove Detected Threats

Once the scan completes, you’ll see a list of any detected threats. Pay special attention to items categorized as “PUP” (Potentially Unwanted Program), “Trojan,” or “Spyware” as these are common culprits for certificate hijacking.

Click the “Clean Now” button to remove all detected threats. In some cases, you might need to restart your computer to complete the removal process.

Step 4: Verify Your Connection

After removing the malware, restart your browser and try accessing the website again. If the certificate issues were caused by malware, you should now be able to connect without seeing the “Your connection is not private” error.

For ongoing protection against similar threats, consider enabling GridinSoft’s real-time protection features. This will help prevent future infections that might compromise your secure connections.

The Bottom Line

“Your connection is not private” errors are like car alarms – annoying but usually trying to protect you. In most cases, a simple browser refresh, cache clearing, or date adjustment will solve the problem. If those don’t work, consider the possibility of network issues or malware.

Remember that this error is actually your browser trying to keep you safe, even if its methods are sometimes dramatic. It’s better to have an overly cautious browser than one that lets you wander into dangerous territory without warning.

And if all else fails? Maybe it’s the universe telling you that you’ve spent enough time online today. Go outside, touch some grass, and try again later. The internet will still be there when you get back.

Fake Google Chrome Downloading Sites Distribute ValleyRAT
https://gridinsoft.com/blogs/fake-google-chrome-sites-valleyrat/
Sat, 08 Feb 2025 10:47:15 +0000

Cybercriminals have set up fake websites mimicking Google Chrome’s official download page to distribute the ValleyRAT malware. The campaign is attributed to the Silver Fox threat actor, which has historically targeted Chinese-speaking regions, including Hong Kong, Taiwan, and Mainland China.

Fake Google Chrome Sites Distribute ValleyRAT Malware via DLL Hijacking

Researchers at Morphisec Threat Labs discovered a malicious campaign targeting Chinese-speaking audiences. Victims searching for Google Chrome are redirected to a fake website, which offers a ZIP file containing a malicious executable (“Setup.exe”).

Fake Chrome download page ValleyRAT
Fake Chrome download page that spreads ValleyRAT

Experts say that the attackers have intensified their focus on high-value corporate positions, particularly in finance, accounting, and sales: a shift toward individuals with access to sensitive data and critical business systems.

Once executed, the installer checks for administrative privileges and downloads additional payloads. These include a legitimate Douyin/TikTok executable (“Douyin.exe”), which is used for DLL sideloading. A DLL file (“Tier0.dll”) is responsible for launching ValleyRAT, while another DLL file (“Sscronet.dll”) is designed to terminate specific processes on an exclusion list.

DLL hijacking executes malicious code through legitimate executables. When an application loads a library by name, Windows searches the application’s own directory before the system directories, so a malicious DLL dropped next to a signed program is picked up in place of the real one. The attackers take advantage of signed programs that are susceptible to this search-order hijacking, including popular applications like WPS Office and Tencent software, as well as game binaries from Steam titles such as Left 4 Dead 2 and Killing Floor 2.

ValleyRAT Details

The current ValleyRAT sample is written in C++ and was compiled on a Chinese-language system. It operates as a remote access trojan with several malicious functions, including keystroke logging that records user input and stores it in a hidden file (“sys.key”). The malware captures screen activity using Windows API functions like EnumDisplayMonitors.

To maintain persistence, it creates a hidden executable (“GFIRestart64.exe”) and adds registry entries. Additionally, it employs anti-VM detection by scanning for specific processes and system attributes to avoid analysis. The malware establishes a connection with a C2 server to receive commands, execute arbitrary binaries, and exfiltrate data.

ValleyRAT is designed to monitor and control infected systems, enabling attackers to deploy additional malicious plugins for further damage. It can install additional malware, take screenshots, log keystrokes, download or steal files, and execute commands remotely. This allows cybercriminals to spy on victims, steal sensitive data, or use compromised machines for further attacks.

New Attack Vectors

A notable change in Silver Fox’s tactics is the use of new phishing websites, such as anizom[.]com and karlost[.]club, to distribute the malware. The latter impersonates a Chinese telecom provider to increase legitimacy.

Fake website screenshot
Fake website of the legitimate Chinese SMS provider (source: Morphisec)

In previous campaigns, Silver Fox relied on malicious scripts (.bat and .ps1) to deploy RATs like GhostRAT and Purple Fox. The current attack demonstrates a shift towards more deceptive techniques, using fake software installers combined with DLL hijacking.

ValleyRAT injects malicious code into the legitimate Windows process “svchost.exe” to avoid detection, a common tactic among commodity malware. The malware stores its core components in encrypted form within files like mpclient.dat.

Additionally, it evades security mechanisms by hooking critical Windows security functions such as AmsiScanString, AmsiScanBuffer, and EtwEventWrite. Patching those functions inside its own process blinds AMSI-based script scanning and ETW-based telemetry for that process, making detection significantly more difficult. Given its focus on high-value corporate targets, businesses should adopt strict software download policies and monitor for unusual DLL loading behavior, such as a signed executable loading an unsigned library from a user-writable directory, to mitigate such threats.

How to Protect Against Malware?

The most effective protection against trojans comes down to two things: vigilance while browsing and reliable anti-malware software. For the first, it is essential to avoid suspicious sites, pirated content (programs, games, media) and the ads that surround them.

As for the second, anti-malware software is the second line of defense if the first one fails for some reason. I recommend considering GridinSoft Anti-Malware. It is capable of providing worthy protection from this threat and neutralizing it before it is downloaded and deployed.

uBlock Origin Plugin May Be Disabled, Google Warns
https://gridinsoft.com/blogs/ublock-origin-disabled/
Mon, 14 Oct 2024 15:29:59 +0000

uBlock Origin, one of the most popular ad blocking extensions for Google Chrome, has fallen out of favor with Google. The tech giant has placed a notification on the plugin’s listing in the Chrome Web Store, saying it does not follow best practices for extensions. Although the company has not shared any reasoning yet, quite a few people online suggest that the reason is Google’s ongoing battle against ad blockers.

uBlock Origin Gets Removed from Chrome Web Store

On October 13, 2024, the listing of the uBlock Origin extension in the Chrome Web Store got an additional line on top, saying that it will soon lose support “because it doesn’t follow best practices for Chrome extensions”. Translated from the bureaucratic language, Google may soon remove the plugin from the store, for reasons the company has yet to disclose. The link in the notice leads to a boilerplate page about removing extensions that do not follow best practices on privacy and security. Attentive users had also noticed this exact notification in the browser’s Extensions tab almost two months earlier, back in August 2024.

uBlock Origin Chrome Web Store
The current view on uBlock Origin’s listing page on Chrome Web Store

uBlock Origin is among the most popular ad blocking plugins, with a user base of over 39 million. It has proven itself effective on the majority of websites, including YouTube. The latter has become a tough nut for some of the ad blockers after the recent changes to the site, and became one of the reasons why the plugin had experienced a massive influx of users.

And this capability, along with its overall high efficiency, has probably become the reason Google decided to kick it out of the Web Store. At least, that is what users suspect. The theory looks especially plausible given the company’s activities aimed at combating ad blocking on its platforms. This touches all browser extensions dedicated to making ads disappear, not only uBlock Origin.

Google War Against Ad Blockers Is Unrolling

The whole situation is likely part of a covert campaign that Google is waging against ad blocking plugins. Sure, the restrictions on browser extensions, specifically on which page content they can inspect and how they can act on it, have significant reasoning behind them. Phishing browser plugins, still a rather widespread kind of in-browser malware, use the broad permissions available under Manifest V2 to collect user input from different elements on a website. The same element scanning and interaction, though with a different outcome, is used by ad blockers.

And that is where the main problem stems from. As Manifest V3 is rolled out, Google will start removing or otherwise disrupting the functionality of quite a few anti-advertising browser extensions: V3 drops the blocking webRequest API, which let an extension inspect and cancel every network request, in favour of declarativeNetRequest, a capped list of rules the browser applies itself, and the blocking API is exactly what full-strength uBlock Origin is built on. Once again, this perfectly aligns with the company’s recent strategy of making ads impossible to remove, particularly on one of its main advertising platforms, YouTube. It started detecting active ad blocker plugins and displaying a message saying that only a few more videos will be available to watch ad-free.

YouTube no adblockers

The main relief here is that not all browsers are forced to comply with this new set of rules. Nonetheless, Google holds the dominant share of the browser market, so breaking the key mechanism that lets ad blockers work can and will affect the majority of Internet users. And that is what shakes the community so much.

In my personal opinion, online advertising is not a bad thing in its essence. Brands need to show themselves, and Google (along with other ad providers) let them do so. But the way these promotions are stuffed into the content does not boost the user experience. Even more so, considering massive amounts of ads from untrustworthy sites, and even outright scams appearing in Google Ads, disabling ad blockers will create a clear threat to user safety.

Can I Use uBlock Origin in the Future?

Sure enough, you can, for now. If you already have it installed, it keeps working until Chrome itself stops loading Manifest V2 extensions, although it will no longer receive updates through the store once it is delisted. Should you lose the plugin in any way (say, by resetting the browser or accidentally deleting it), it will be gone for good as far as the store is concerned. Some may suggest sideloading an installer (a .crx file) from a third party, but that is a risky idea at its very core, with huge room for impersonation and malware distribution.

There are alternatives though, that will keep functioning even after and even if uBlock gets deleted. uBlock Origin Lite, an extension from the same developer, is designed to comply with Manifest v3, and is still capable of stopping the ad storm. Still, its efficiency is significantly lower, with the main impact of changes being noticeable on how fast the plugin removes advertisements from pages. Also, there’s no guarantee that it will work fine with the main concern of quite a few people, YouTube.

A much less complicated way of solving the issue is switching to a different web browser, one that does not take Manifest V3 into account. Firefox is the obvious choice: it is not based on Chromium at all, so it has no ties to Google’s extension platform. Brave is a different case: it is built on Chromium, but ships its own built-in blocker (Brave Shields) that does not depend on the extension API. The majority of browser extensions are available for these browsers too, with similarly convenient ways to install them.

“Managed by Your Organization” – How to Remove From Chrome?
https://gridinsoft.com/blogs/managed-by-your-organization-remove/
Tue, 13 Aug 2024 14:12:33 +0000

“Managed by your organization” is a line that appears when the web browser is attacked by browser hijackers. This malware abuses a legitimate Chrome policy to make itself impossible to delete. And it turns out to be pretty effective – without a special approach, all browser plugins remain untouchable after this line appears. In this post, I will show you how to remove the “Managed by your organization” thing with a simple instruction.

Managed by your organization – what is the problem?

Managed by your organization is the line the web browser displays when a remote management policy is enabled in its configuration. By design, the feature protects browsers running on corporate workstations or industrial IoT devices from unintended changes. But, like quite a lot of restrictive techniques, it is a double-edged sword.

As it prevents users from making changes to browser settings, this configuration is a frequent target of abuse by browser hijackers such as the PrimeLookup extension. Such malware redirects users’ searches to a different search engine, collecting user information and potentially exposing them to phishing sites.

Managed by your organization pick

Once installed, browser hijackers go through either Group Policies or registry keys that belong to the browser. By setting a selection of values responsible for enabling remote management to true, they block the user’s ability to change any settings of the browser and delete/change browser extensions. This becomes especially critical when the hijacker sits inside of a malicious browser extension.

Remove Managed by your organization Guide

You may encounter several ways to solve the problem: editing the registry, disabling Group Policies through the GP Editor, and so on. But as actual removal attempts show, the best result comes from applying all the steps together. Still, some steps may not be viable for certain users, so I picked only those that will work most of the time.

Group Policies Removal

First step in dealing with Managed by your organization is to remove the policy files the malware drops to enable this state. This method does not require the Group Policy Editor, which is unavailable in Home editions of Windows. All you have to do is find and delete the folders listed below; their deletion requires administrator privileges. One caveat before you do: on a domain-joined or company-managed PC these folders hold legitimate policy, and deleting them will break things. In that case the notice is not a hijack, and your IT department is the right address.

%SystemRoot%\System32\GroupPolicy
%SystemRoot%\System32\GroupPolicyUsers
%ProgramFiles(x86)%\Google\Policies
%ProgramFiles%\Google\Policies

Removing Registry Keys

Next step is going through the registry keys that may contain malicious configurations. Press the Win+R combination, type “regedit” in the Run dialog and press Enter. This will get you to the Registry Editor; there, find and delete the keys you see below.

Run Regedit

HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome
HKEY_LOCAL_MACHINE\Software\Policies\Google\Update
HKEY_LOCAL_MACHINE\Software\Policies\Chromium
HKEY_LOCAL_MACHINE\Software\Google\Chrome
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Google\Enrollment
HKEY_CURRENT_USER\Software\Policies\Google\Chrome
HKEY_CURRENT_USER\Software\Policies\Chromium
HKEY_CURRENT_USER\Software\Google\Chrome
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D} (the CloudManagementEnrollmentToken value)

Not every key will be present; it depends on the installed software, the browser configuration and the particular malware that made the changes. Delete whichever of them you find. Note that HKEY_LOCAL_MACHINE\Software\Google\Chrome and HKEY_CURRENT_USER\Software\Google\Chrome also hold ordinary Chrome state, so export a key (File → Export) before deleting it if you want a way back.

Once done, reboot the computer to apply the changes. You should then be able to edit any Chrome setting and remove any extension that was previously locked; chrome://policy should show no policies you did not set yourself.
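The same procedure as a script, added here as an example rather than taken from the original guide. Run from an elevated PowerShell prompt, it audits the folders and registry keys listed above, prints whatever it finds so you can compare against chrome://policy, and deletes only when you pass -Remove. The policy names it highlights (ExtensionInstallForcelist, DefaultSearchProvider*, HomepageLocation, RestoreOnStartup*, ExtensionInstallBlocklist) are my own shortlist of the Chrome policies that produce the behaviour described above, not something the guide enumerates.

```powershell
# Added example, not part of the original guide. Run from an elevated PowerShell
# prompt. Dry run by default: nothing is deleted unless -Remove is given.
param([switch]$Remove)

$RegistryKeys = @(
    'HKLM:\Software\Policies\Google\Chrome',
    'HKLM:\Software\Policies\Google\Update',
    'HKLM:\Software\Policies\Chromium',
    'HKLM:\Software\Google\Chrome',
    'HKLM:\Software\WOW6432Node\Google\Enrollment',
    'HKCU:\Software\Policies\Google\Chrome',
    'HKCU:\Software\Policies\Chromium',
    'HKCU:\Software\Google\Chrome'
)
$TokenKey   = 'HKLM:\Software\WOW6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}'
$TokenValue = 'CloudManagementEnrollmentToken'
$PolicyDirs = @(
    "$env:SystemRoot\System32\GroupPolicy",
    "$env:SystemRoot\System32\GroupPolicyUsers",
    "${env:ProgramFiles(x86)}\Google\Policies",
    "$env:ProgramFiles\Google\Policies"
)
# My shortlist (assumption) of policies hijackers use to lock search, homepage
# and extensions; matched against key and value names to highlight them.
$Suspicious = 'ExtensionInstallForcelist|DefaultSearchProvider|HomepageLocation|RestoreOnStartup|ExtensionInstallBlocklist'

function Show-RegistryKey {
    param([string]$Path)
    # Walk the key and its subkeys (e.g. ...\Chrome\ExtensionInstallForcelist\1)
    # and print every value, marking the ones that match the shortlist with "!!".
    $keys = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $mark = if ("$($key.Name)\$name" -match $Suspicious) { '!!' } else { '  ' }
            Write-Host ("{0} {1}\{2} = {3}" -f $mark, $key.Name, $name, ($key.GetValue($name) -join ', '))
        }
    }
}

foreach ($path in $RegistryKeys) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    Write-Host "== $path"
    Show-RegistryKey -Path $path
    Remove-Item -LiteralPath $path -Recurse -Force -WhatIf:(-not $Remove)
}

if (Test-Path -LiteralPath $TokenKey) {
    $token = (Get-ItemProperty -LiteralPath $TokenKey).$TokenValue
    if ($null -ne $token) {
        Write-Host "== enrollment token present under $TokenKey"
        Remove-ItemProperty -LiteralPath $TokenKey -Name $TokenValue -WhatIf:(-not $Remove)
    }
}

foreach ($dir in $PolicyDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Write-Host "== local policy folder present: $dir"
    Remove-Item -LiteralPath $dir -Recurse -Force -WhatIf:(-not $Remove)
}

if ($Remove) {
    # Re-read the (now empty) local policy so Chrome stops seeing the old values.
    gpupdate /force | Out-Null
    Write-Host 'Done. Restart Chrome (or reboot) and re-check chrome://policy.'
} else {
    Write-Host 'Dry run only. Re-run with -Remove to delete the entries shown above.'
}
```

Run it once without -Remove, read the lines marked "!!" against chrome://policy, and only then run it again with -Remove. Because Remove-Item and Remove-ItemProperty honour -WhatIf, the dry run prints exactly what the second run would delete.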

How To Make Google Chrome Faster 2024
https://gridinsoft.com/blogs/tips-make-chrome-faster/
Mon, 13 May 2024 14:16:07 +0000

The post How To Make Google Chrome Faster 2024 appeared first on Gridinsoft Blog.
Have you ever noticed Google Chrome running much slower than usual, with your productivity markedly lower than it used to be? For example, after a Windows update Chrome may start loading the processor or consuming more RAM, which noticeably degrades the performance of the whole PC. If you are looking for a way to get the previous responsiveness back and reduce the load on your hardware, this article describes several tips that will help you speed up the browser.

How to Increase Google Chrome Performance

Today Google Chrome is the most popular browser thanks to its speed, friendly interface and ease of use. But after a while in service it can take several seconds to launch, and web surfing turns into waiting for pages to load. There are many reasons for this (cache, history, cookies, problem extensions) that cause bugs and slow Chrome down considerably. The following actions will help optimize the browser and speed up its launch on Windows 10.

Update Chrome Browser

Your browser must be on the latest version to keep performance (and security) optimal. Usually Google Chrome updates itself automatically, but sometimes, for instance on a slow or metered connection, this does not happen. Type chrome://help (it opens chrome://settings/help) in the address bar to confirm you have the latest version. If an update is available, follow the instructions and relaunch the browser, since a downloaded update only takes effect after a restart.

Check Your Extensions

Next, check the installed extensions and remove the unwanted ones. An extension you installed long ago and no longer use still consumes system resources and slows the browser down. Go to chrome://extensions and disable or uninstall unused extensions by pressing Remove. If an extension was installed without your knowledge, use the Report abuse link in its removal dialog, and treat that as a sign to check the rest of the system as well.

Chrome Extensions
The Extensions Settings section of Chrome.

Enable Prediction Service to Load Pages

Be sure to enable the network-action prediction feature called preloading (prefetch); it lets the browser open websites faster. In current versions of Chrome the toggle lives under chrome://settings/performance (older versions kept it under chrome://settings/cookies); find "Preload pages for faster browsing and searching" and enable it.

Google Chrome has several prediction services that improve browsing, from preloading pages you are likely to open to offering an alternative when a site is unavailable. Preloading fetches pages before you click them, using the sites' cookies (if you allow cookies) so the page renders as it would on a normal visit. With the extended preloading option, Chrome preloads more pages, some of them through Google's servers, which hides your IP address from those sites but means Google sees the URLs. The trade-off to keep in mind is that the browser issues requests to sites you never actually open, so on a shared or monitored network you may prefer to leave the feature off.

Prefetch button in Advanced Options
Toggle “Preload pages for faster browsing and searching” in Chrome Advanced Settings to manage the prefetch feature.

Try the Experimental Function of Closing Tabs

This simple feature speeds up closing tabs: Chrome runs a tab's unload handlers independently of the graphical user interface, so the tab disappears immediately instead of waiting for its scripts to finish. To activate it, go to chrome://flags, search for "Fast tab/window close" and select Enabled in the drop-down menu. Note that this flag has been removed from recent Chrome releases; if the search finds nothing, skip this step.

Use an experimental feature to change Chrome's tile size

Chrome paints pages in rectangular tiles. Making the tiles larger means fewer of them have to be rasterized as you scroll, at the cost of more memory per tile; this can reduce stuttering and make scrolling smoother, which is what older guides mean by "giving Chrome more RAM".

To do this, in the same menu (chrome://flags) type "Default tile" into the search box and set the two parameters (width and height) to a larger value such as 512 instead of Default. As with the previous flag, these settings have been removed from recent versions of Chrome; if they are not listed, your version manages tile size automatically.

Change custom theme to Default

If you have customized the browser with a theme, I recommend returning to the standard one. Themes also consume RAM, so if speed matters more to you than looks, do not use custom themes. To set the default theme, open chrome://settings/appearance and click Reset to default next to the theme entry.

Clear out cache data

Accumulated cache also eats free space on the hard drive. Regular cleaning not only frees space but also speeds up Google Chrome.

Navigate to chrome://settings/clearBrowserData and perform the cleanup. I recommend ticking only the "Cached images and files" box. If you tick every box, the browser is cleared completely, including cookies, and you will have to sign in to every site again.

Reset Browser Settings to the Default

If you have done all of the above and the browser still works slowly, you can reset it completely. This removes all user settings and fixes problems caused by extensions or other changes; bookmarks, history and saved passwords are kept, but extensions are disabled and temporary site data is cleared.

Type chrome://settings/reset into the address bar, select "Restore settings to their original defaults" and click Reset settings.

I hope the above methods have been useful to you, they are also suitable for Windows 10/11 users.

New Google Chrome 0-day Vulnerability Exploited, Update Now
https://gridinsoft.com/blogs/new-google-chrome-0-day-vulnerability/
Tue, 16 Jan 2024 20:34:57 +0000

The post New Google Chrome 0-day Vulnerability Exploited, Update Now appeared first on Gridinsoft Blog.
In its latest release notes, Google reports a new 0-day vulnerability that is already being exploited in the wild. The update fixes the issue, but the very fact of in-the-wild exploitation means it should be installed as soon as possible. It appears to be the first exploited Chrome 0-day of 2024.

New Chrome 0-day Vulnerability Fixed

On January 16, Google released a Chrome update that fixes three vulnerabilities. One of them, CVE-2024-0519, was reported anonymously, and the company acknowledges that an exploit for it exists in the wild.

0-day vulnerability exploited
An excerpt from Google’s patch note for the latest Chrome update

The core of the vulnerability is an out-of-bounds memory access in V8, Chrome's JavaScript engine; the issue is classified under CWE-119. V8's optimized code accesses object fields and array elements by offset, and when a bounds check is missing or wrong, a script can reference a location outside the object it is supposed to touch. For an attacker this means reading and writing memory beyond the intended bounds, which translates into data leaks and, with enough work, arbitrary code execution in the renderer process (which is sandboxed, so a full compromise normally needs a second bug to escape it). That is also why simply visiting a crafted web page is enough: no download or click is needed.

Besides the most serious issue, two other high-severity V8 bugs were fixed in the same update: an out-of-bounds write (CVE-2024-0517) and a type confusion (CVE-2024-0518). The latter can lead to effects similar to CVE-2024-0519, so it should be treated with the same seriousness. The good news is that there is no known real-world exploitation of these two.

Google Releases Fix to the Newest 0-day Exploit

The severity of the issue calls for an urgent response, and Google never hesitates to patch such bugs. However, the rollout is staged, so the patch may not reach all users simultaneously. The OS-specific versions that contain the fix are:

OS       Version with fix
Windows  120.0.6099.224 / 120.0.6099.225
macOS    120.0.6099.234
Linux    120.0.6099.224

To check whether you have an updated version of the browser or to check for updates, go to Settings → About Chrome. This will open the menu which checks the update availability each time you open it.

Chrome updated

Being the most popular web browser is not only about privileges, as you can see. Such a humongous user base means increased (if not maximal) attention from adversaries, who treat such vulnerabilities as nothing short of a gift. For ordinary users the best countermeasure is to keep an eye on updates, specifically on what issues they fix, and to relaunch the browser as soon as one is waiting.

OAuth2 Session Hijack Vulnerability: Details Uncovered
https://gridinsoft.com/blogs/oauth2-vulnerability-details/
Tue, 09 Jan 2024 08:52:09 +0000

The post OAuth2 Session Hijack Vulnerability: Details Uncovered appeared first on Gridinsoft Blog.
A sophisticated exploit targeting Google's OAuth2 authentication system was first described by a threat actor known as Prisma. It leverages undocumented functionality of Google's MultiLogin endpoint, enabling attackers to generate and maintain persistent Google cookies even after the victim resets their password.

OAuth2 Vulnerability Allows for Persistent Session Hijacking

The attackers found a way to use specific components of the Chrome browser to hijack sessions without the risk of being cut off by a password change. They target the token_service table in Chrome's Web Data SQLite database to exfiltrate tokens and account IDs. The table holds, among other things, the GAIA ID and the encrypted_token column. The attackers then decrypt these tokens with the key stored in Chrome's Local State file inside the User Data directory.

This is the same scheme Chrome uses to protect stored passwords, which shows the attackers understood Chrome's data management well. The exploit relies on navigating Chrome's data structures for user authentication and token management; in other words, it needs exactly the local access an ordinary infostealer already has.

MultiLogin Endpoint Is The Culprit

The MultiLogin endpoint is a crucial element of Google's OAuth2 system. It synchronizes Google accounts across services, keeping the browser's account state aligned with Google's authentication cookies. Attackers found a way to abuse this: by submitting vectors of account IDs and auth-login tokens to the endpoint, they can mint fresh cookies and maintain unauthorized access to Google services.

Although this is the endpoint's regular operation, attackers use it maliciously. Its obscurity makes it an ideal target: it is not widely documented or known, and its role in managing simultaneous sessions and profile switches makes it a potent tool once an attacker understands how to drive it.

The Discovery and Spread of the OAuth2 Exploit

Back in October 2023, a malware developer described a vulnerability in OAuth2 and an exploit for it on their Telegram channel. The exploit's unique property is that it generates persistent Google cookies by manipulating tokens, ensuring continuous access to Google services and bypassing standard protections even after the user's password is reset. Obviously, its potential did not go unnoticed.

TA's Telegram post screenshot.
A threat actor announced a 0-day exploit on the Telegram channel.

Lumma infostealer was the first to integrate this exploit in November 2023, employing advanced blackboxing techniques to protect the methodology. This incorporation marked the beginning of a trend, as the exploit quickly caught the attention of various malware groups. Following Lumma, malware entities like Rhadamanthys, Stealc, Meduza, Risepro, and WhiteSnake implemented the exploit. Each group brought nuances to the exploit’s application, indicating its versatility among cybercriminals​​.

Hidden Tactics

The attackers also manipulate the token:GAIA ID pair, which is essential to Google's authentication flow, to regenerate Google service cookies and keep unauthorized access to user accounts. Lumma, a key player in exploiting this vulnerability, encrypts the critical token:GAIA ID pair with proprietary private keys. This "blackboxing" not only obscures the core mechanics of the exploit but also makes it hard for other malicious actors to replicate the method.

Since the communication between the attackers' C2 and the MultiLogin endpoint is encrypted, network security systems have a hard time spotting the exploit: traffic to a legitimate Google endpoint looks like ordinary data exchange.

Interim Measures for Protection

While Google works on the issue, there are immediate steps you can take to protect your account. First, sign out of all your browser profiles; this invalidates the current session tokens. After signing out, change your password and sign in again, which generates new session tokens. This matters because your tokens and GAIA ID may already have been stolen, and only regenerating them renders the old ones useless. You can also review the sessions on devices you do not recognize and sign them out from the Your devices page in your Google Account security settings.

Google Fixes Critical Vulnerability in Chrome, Exploited in the Wild
https://gridinsoft.com/blogs/google-chrome-critical-vulnerability-fix/
Tue, 12 Sep 2023 20:52:45 +0000

The post Google Fixes Critical Vulnerability in Chrome, Exploited in the Wild appeared first on Gridinsoft Blog.
Google has released an urgent security update for its Chrome browser. The patch fixes CVE-2023-4863, a heap buffer overflow that is easy to exploit; Google states that the vulnerability has already been used in the wild. The flaw affects browser builds for all supported OSes: Mac, Linux and Windows.

Google Chrome Vulnerability Exploited in the Wild

The heap buffer overflow behind CVE-2023-4863 is in the way Chrome decodes WebP images, specifically in the libwebp library that Chrome (and many other applications) use for the format. No file association or download is needed: a crafted WebP embedded in any web page or ad is decoded as soon as the page renders. The potential audience is therefore huge. Chrome keeps its dominant share of the browser market, and WebP is steadily replacing the "classic" image formats.

Statcounter browser share
Google Chrome holds a market share of over 63%, as of August 2023

The flaw became known on September 6, 2023, when Apple SEAR and the Citizen Lab at the University of Toronto reported it to Google. The company has so far withheld more extensive information on the case. All that is known is that the buffer overflow during WebP decoding can allow arbitrary code execution; alternatively the browser may simply crash, which is to be expected with buffer overflow bugs. The MITRE CVE entry lists the vulnerability but gives no details beyond the basics already mentioned.

How Critical Is CVE-2023-4863?

Arbitrary/remote code execution bugs routinely receive the highest severity ratings. Combined with easy in-the-wild use and a huge pool of targets, the threat becomes truly massive. Millions of people use Chrome daily, and encountering WebP images is just as common. By serving a specifically crafted image, attackers can try to do whatever they want to millions of users.

Protect Yourself Against Chrome Exploits

Despite Google being slow to publish how the exploit works, they are fast with updates. Versions 116.0.5845.187/.188 for Windows (Stable/Extended) and 116.0.5845.187 for Mac contain the fix. Updating is plain and simple: open Settings and go to About Chrome. That page checks for a newer version and installs it if one is available; relaunch the browser afterwards, because the running instance keeps the old code until you do.
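The "check About Chrome" step from this post and from the CVE-2024-0519 post above, as a script for checking more than one machine. This is an added example, not something from either post: it reads the build number of the chrome.exe on disk and, as a cross-check, the version Chrome recorded when it last started, then compares the installed build with the fixed builds the two posts name. A result of True only means the build is at or past the fix for that CVE, not that the browser is current; a Chrome window that has been open since before the update is still running the old code until it is relaunched, which is what the NeedsRelaunch column flags.

```powershell
# Added example, not from the original posts. Windows, PowerShell 5.1 or later.

# Minimum fixed Windows builds as given in the two posts (stable channel).
$FixedBuilds = @{
    'CVE-2023-4863' = [version]'116.0.5845.187'   # WebP heap buffer overflow
    'CVE-2024-0519' = [version]'120.0.6099.224'   # V8 out-of-bounds access
}

function Get-ChromeVersion {
    # The build number is embedded in chrome.exe's version resource.
    $candidates = @(
        "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
        "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe",
        "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe"   # per-user install
    )
    foreach ($exe in $candidates) {
        if (Test-Path -LiteralPath $exe) {
            return [version](Get-Item -LiteralPath $exe).VersionInfo.FileVersion
        }
    }
    return $null
}

function Get-ChromeLastRunVersion {
    # Chrome records the version it last started under HKCU\...\BLBeacon.
    # If this lags the file on disk, an update is waiting for a relaunch.
    $beacon = 'HKCU:\Software\Google\Chrome\BLBeacon'
    if (Test-Path -LiteralPath $beacon) {
        $v = (Get-ItemProperty -LiteralPath $beacon).version
        if ($v) { return [version]$v }
    }
    return $null
}

function Test-ChromePatched {
    param([Parameter(Mandatory)][version]$Installed,
          [Parameter(Mandatory)][version]$Fixed)
    # [version] compares all four fields (major.minor.build.patch) numerically,
    # so 116.0.5845.188 correctly counts as newer than 116.0.5845.187.
    return $Installed -ge $Fixed
}

function Get-ChromePatchStatus {
    param([version]$Installed = (Get-ChromeVersion),
          [version]$LastRun   = (Get-ChromeLastRunVersion))
    foreach ($cve in ($FixedBuilds.Keys | Sort-Object)) {
        [pscustomobject]@{
            CVE           = $cve
            FixedBuild    = $FixedBuilds[$cve]
            OnDisk        = $Installed
            LastRun       = $LastRun
            Patched       = if ($Installed) { Test-ChromePatched -Installed $Installed -Fixed $FixedBuilds[$cve] } else { $null }
            NeedsRelaunch = [bool]($Installed -and $LastRun -and $LastRun -lt $Installed)
        }
    }
}

Get-ChromePatchStatus | Format-Table -AutoSize
```

Add a row to $FixedBuilds for each new release note you care about; the comparison logic does not change. An empty OnDisk column means Chrome is installed somewhere other than the three standard locations, not that it is missing.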

But what can you do against exploits that have not yet been discovered or patched? Zero-trust is the only policy that gives reliable protection against such exploits: its name is self-explanatory, and solutions built on it treat every program as potentially dangerous. However, such solutions are mostly oriented towards corporate clients, and for an individual the drawbacks of a paranoid security policy usually outweigh its occasional benefits. Individual users should look at other options, starting with keeping Chrome's automatic updates enabled and relaunching the browser whenever the update indicator appears.

Your own awareness gives you a great advantage. The vast majority of phishing attacks rest on a single assumption: that the victim will be too ignorant and careless to notice the fraud. And what can be more pleasant than crushing the fraudsters' hopes? This requires knowing what to look for, but these tips will serve you well even beyond scam avoidance.

Predasus Malware Attacks Latin America Through Browser Plugins
https://gridinsoft.com/blogs/predasus-malware-latin-america-browser-plugins/
Tue, 01 Aug 2023 10:24:53 +0000

The post Predasus Malware Attacks Latin America Through Browser Plugins appeared first on Gridinsoft Blog.
Latin America has been hit by cyberattacks that use malicious Google Chrome extensions. The attackers targeted financial institutions, booking sites and instant messaging. The malware used in these attacks was dubbed Predasus.

Predasus Malware Targets Chromium-based Browsers in Latin America

Threat analysts have discovered new malware called Predasus. Attackers use it to inject malicious code into web pages through a Chrome extension and apply the method to a range of sites, including the web version of WhatsApp. Because the injected code runs inside the victim's own, legitimately authenticated browser session, the targeted sites are reached through normal channels and Predasus can harvest whatever the user sees or types: login details, financial data and personal information.

Predasus attack steps image
Predasus attack steps. Source: IBM Security Intelligence

Predasus Infection Chain

Malicious browser extensions can get onto a device in various ways: through browser or operating system vulnerabilities, or through social engineering that tricks the user into installing them. The scenario here is classic. The user opens an email attachment (a PDF, Word or Excel file) that carries the malware, which silently infects the computer once opened. The malware then connects to its first command and control (C&C) server and downloads several files into a folder named "extension_chrome" under %APPDATA%. It terminates every Google Chrome process and replaces legitimate Chrome .LNK shortcuts in several locations with malicious ones, so that the browser comes up with the extension loaded. The extension requests the following permissions:

  • "tabs": lets the extension see and manipulate the browser's tabs (URLs, titles) and run scripts in them.
  • "background": lets the extension keep running after the last Chrome window is closed.
  • "storage": lets the extension persist and retrieve data through the extension storage API.
  • "alarms": lets the extension schedule code to run at specific times or intervals.
  • "cookies": lets the extension read and modify cookies for every site its host permissions cover.
  • "idle": lets the extension detect when the user's system is idle (not being actively used).
  • "webRequest": lets the extension observe network requests made by the browser.
  • "webRequestBlocking": lets the extension block or modify those requests before they are sent.
  • "system.display": lets the extension query and adjust display settings on the user's system.
  • "http://*/*": grants access to every HTTP website.
  • "https://*/*": grants access to every HTTPS website.
  • "browsingData": lets the extension clear the user's browsing data (history, cache) for specific sites or entirely.

Several of these permissions are dangerous on their own because they let an extension read or modify sensitive user data. Together with the two wildcard host patterns they amount to full control over every site the victim visits: reading session cookies, rewriting page content and intercepting requests in transit.
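A way to turn that permission list into a check, added here as an example rather than taken from the IBM write-up. Get-ExtensionRisk scores an extension's manifest.json against the permissions above, treats wildcard host patterns as the multiplier they are, and flags manifests that do not carry the Chrome Web Store update_url (sideloaded or policy-installed extensions lack it). Get-ChromeShortcutArguments follows up on the .LNK replacement the post mentions by listing Chrome shortcuts that carry unexpected arguments. The sample manifest at the bottom is constructed to match the list above, the risk notes are mine, and the profile path in Get-InstalledExtensionRisk is the default location, not something the post states.

```powershell
# Added example, not from the original post. Windows PowerShell 5.1 or later.

# The Predasus permission set from the post, with my own note on what each
# one lets a malicious extension do.
$RiskyPermissions = @{
    'tabs'               = 'see every tab (URL, title) and run scripts in it'
    'cookies'            = 'read and rewrite cookies on reachable hosts (session theft)'
    'webRequest'         = 'observe every request the browser sends'
    'webRequestBlocking' = 'block or rewrite those requests (Manifest V2 only)'
    'browsingData'       = 'wipe history and cache to cover its tracks'
    'storage'            = 'persist stolen data in extension storage'
    'alarms'             = 'wake up on a schedule to beacon or re-inject'
    'idle'               = 'act only while the user is away'
    'system.display'     = 'read display geometry (environment fingerprinting)'
    'background'         = 'keep running after the last Chrome window closes'
}
# Web Store extensions carry this update_url; sideloaded ones usually do not.
$WebStoreUpdateUrl = 'https://clients2.google.com/service/update2/crx'

function Get-ExtensionRisk {
    # $Manifest is the object ConvertFrom-Json returns for a manifest.json.
    param([Parameter(Mandatory)] $Manifest)
    $findings = [System.Collections.Generic.List[string]]::new()

    # Manifest V2 mixes host patterns into "permissions"; V3 keeps them in
    # "host_permissions". Collect both so the check works for either.
    $perms = @(@($Manifest.permissions; $Manifest.optional_permissions) | Where-Object { $_ })
    $hosts = @(@($Manifest.host_permissions; $perms) |
               Where-Object { $_ -eq '<all_urls>' -or $_ -match '://' } |
               Select-Object -Unique)

    foreach ($p in $perms) {
        if ($RiskyPermissions.ContainsKey($p)) {
            $findings.Add("permission '$p': " + $RiskyPermissions[$p])
        }
    }
    # Wildcard hosts turn the API permissions above into "every site".
    foreach ($h in $hosts) {
        if ($h -match '^(<all_urls>|\*://\*/\*|https?://\*/\*)$') {
            $findings.Add("host pattern '$h': access to every site")
        }
    }
    if (($perms -contains 'cookies') -and $hosts.Count -gt 0) {
        $findings.Add('cookies + host access: can copy session cookies for those sites')
    }
    if ($Manifest.update_url -ne $WebStoreUpdateUrl) {
        $findings.Add('no Chrome Web Store update_url: sideloaded or policy-installed')
    }

    [pscustomobject]@{
        Name      = $Manifest.name
        Version   = $Manifest.version
        RiskCount = $findings.Count
        Findings  = $findings.ToArray()
    }
}

function Get-InstalledExtensionRisk {
    # Runs the same check over every manifest in a Chrome profile (assumed default path).
    param([string]$ExtensionsDir = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions")
    Get-ChildItem -LiteralPath $ExtensionsDir -Recurse -Filter manifest.json -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ExtensionRisk -Manifest (Get-Content -LiteralPath $_.FullName -Raw | ConvertFrom-Json) } |
        Sort-Object RiskCount -Descending
}

function Get-ChromeShortcutArguments {
    # A genuine Chrome shortcut carries no arguments beyond an optional
    # --profile-directory switch, so anything else deserves a look.
    $shell = New-Object -ComObject WScript.Shell
    $dirs  = @('Desktop', 'CommonDesktopDirectory', 'StartMenu', 'CommonStartMenu' |
               ForEach-Object { [Environment]::GetFolderPath($_) }) +
             "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
    Get-ChildItem -Path $dirs -Recurse -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        if ($lnk.TargetPath -like '*chrome.exe' -and $lnk.Arguments -notmatch '^(--profile-directory=("[^"]*"|\S*))?$') {
            [pscustomobject]@{ Shortcut = $_.FullName; Arguments = $lnk.Arguments }
        }
    }
}

# Constructed sample manifest modelled on the permission list in the post;
# not a real Predasus artifact.
$sampleManifest = @'
{
  "manifest_version": 2,
  "name": "Sample Extension",
  "version": "1.0",
  "background": { "scripts": ["bg.js"], "persistent": true },
  "permissions": [
    "tabs", "background", "storage", "alarms", "cookies", "idle",
    "webRequest", "webRequestBlocking", "system.display",
    "http://*/*", "https://*/*", "browsingData"
  ]
}
'@

Get-ExtensionRisk -Manifest ($sampleManifest | ConvertFrom-Json) | Format-List
```

The sample scores every permission in the list plus both wildcard hosts, the cookie/host combination and the missing update_url. On a real machine run Get-InstalledExtensionRisk and Get-ChromeShortcutArguments together: a high-scoring extension that is not in chrome://extensions as a Web Store item, paired with a shortcut that loads something extra, is the pattern described above.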

What data is at risk?

According to IBM Security, Predasus has been observed in many malicious activities, including modifying browser behaviour and stealing sensitive data such as login credentials, financial information and personal data. The campaign also targets WhatsApp Web; since WhatsApp is widely used in countries such as Brazil, Mexico and India, the attackers can collect plenty of potentially valuable information. Using a phishing payment site, the scammers steal payment details from the victim under the guise of paying for a subscription. The phishing site also asks for the confirmation code the victim received by text message, which is how the fraudsters get into the victim's bank account. Ultimately the stolen data is sold on the dark web.

Safety Tips

To avoid unpleasant consequences, practise cyber hygiene and watch what you install. Hackers are always looking for new ways to spread malware, and your attentiveness can repel most of their attempts.

  • Be careful with emails you receive. This advice repeats again and again, as hackers keep using spoofed emails to spread malware. Strange topic, unknown sender, typos – all such things should raise suspicion.
  • Only download extensions you’re sure about. Even using Chrome Web Store as a source does not mean you’re safe. Hackers have their ways to upload malicious plugins even to this marketplace – leave alone third-party sources.
  • Use two-factor authentication and regularly update your browser and extensions to stay safe.
  • Use effective anti-malware software. When it comes to protecting from malware attacks from different vectors, it is quite easy to whiff at some point. To avoid problems, a backup protection option is essential. GridinSoft Anti-Malware can offer you great protection, both reactive and proactive.

The increase in harmful Chrome extensions is concerning and emphasizes the importance of being cautious while browsing the web. There are concerns that this malware campaign may spread to North America and Europe.

Chrome Extension ViperSoftX Steals Passwords and Cryptocurrency
https://gridinsoft.com/blogs/chrome-extension-venomsoftx/
Thu, 24 Nov 2022 18:14:40 +0000

The post Chrome Extension ViperSoftX Steals Passwords and Cryptocurrency appeared first on Gridinsoft Blog.
A Windows malware designed to steal cryptocurrency and clipboard contents installs a malicious VenomSoftX Chrome extension on users’ machines. The extension works like a RAT (Remote Access Trojan), stealing victims’ data and cryptocurrencies.

We have previously written about a malicious Ledger Live extension for Chrome that steals Ledger wallet data, and about 295 Chrome extensions that injected ads into search results.

ViperSoftX has been known to security experts since 2020; Cerberus and Fortinet, for example, have written about it. Now Avast experts have studied the malware in detail and report that it has changed noticeably since then.

The company's report says that since the beginning of 2022 Avast has detected and blocked 93,000 ViperSoftX attack attempts against its customers, mainly users in the United States, Italy, Brazil and India. The main distribution channel is torrents of game cracks and activators for various software.

After examining the wallet addresses that are hard-coded in the ViperSoftX and VenomSoftX samples, the experts found that as of November 8, 2022, the attackers “earned” about $130,000. Moreover, the stolen cryptocurrency was obtained solely by redirecting cryptocurrency transactions on hacked devices, that is, this amount does not include profit from other activities of hackers.

Chrome extension VenomSoftX

The new variants of ViperSoftX do not differ much from those studied earlier, that is, they can steal data from cryptocurrency wallets, execute arbitrary commands, download payloads from the control server, and so on. The main difference between the new versions of ViperSoftX is the installation of an additional malicious VenomSoftX extension in the victim’s browsers (Chrome, Brave, Edge, Opera).

To hide from the victim, the extension masquerades as Google Sheets 2.1, allegedly made by Google, or as an "Update Manager".


Although VenomSoftX largely duplicates the functionality of ViperSoftX (both malware target the cryptocurrency assets of victims), the extension itself carries out the theft differently, which increases the chances of attackers to succeed.

"VenomSoftX basically steals crypto by intercepting API requests for several very popular crypto exchanges that victims visit or have an account on," the experts explain.

In particular, VenomSoftX targets Blockchain.com, Binance, Coinbase, Gate.io and KuCoin. The extension also monitors the user's clipboard and replaces any cryptocurrency wallet address that lands there with the attackers' address (as Carabank Group did, for example).


In addition, the extension can change the HTML code on sites to detect the address of the user’s cryptocurrency wallet, while manipulating elements in the background and redirecting payments to attackers.

To determine the victim’s assets, the VenomSoftX extension intercepts all API requests to the aforementioned cryptocurrency services, and then sets the maximum available transaction amount, stealing all available funds.

Moreover, in the case of Blockchain.info, the extension will try to steal the password entered on the site.

"The module focuses on www.blockchain.com and tries to intercept https://blockchain.info/wallet. It also changes the getter of the password input field in order to steal the entered passwords. After sending the request to the API endpoint, the wallet address is extracted from the request, associated with the password, and sent to the faucet as base64-encoded JSON via MQTT," explains Avast.

The researchers note that the fake Google Sheets is easy to spot: the real Google Sheets is installed in Chrome as an app (listed at chrome://apps/), not as an extension, which is simple to check on that page and at chrome://extensions. If the extension is present, remove it immediately, clear the browser data and change the passwords you entered while it was installed, since it also hooked the password field on Blockchain.com. It is also worth checking the wallets you transacted from for outgoing transfers you did not intend, because the clipboard swap replaces the destination address silently.

“This Site Can’t Provide a Secure Connection”: How to Fix https://gridinsoft.com/blogs/this-site-cant-provide-a-secure-connection-fix-guide/ https://gridinsoft.com/blogs/this-site-cant-provide-a-secure-connection-fix-guide/#respond Wed, 16 Nov 2022 16:19:39 +0000 https://gridinsoft.com/blogs/?p=11442 Every active Internet user has encountered error messages at least once, especially security-related ones. For example, the “This site can’t provide a secure connection” notification can be alarming. However, more often than not, this problem is related to a problem with your web browser and is relatively easy to fix. In this article, we’ll look […]

Every active Internet user has encountered error messages at least once, especially security-related ones. The “This site can’t provide a secure connection” notification, for example, can be alarming. However, more often than not, this problem is caused by your web browser and is relatively easy to fix. In this article, we’ll look at the root causes of this error message and tell you how to troubleshoot it.

What the error “This Site Can’t Provide a Secure Connection” means

First, let’s find out what a “secure connection” is. It is a connection to a website that uses the secure Hypertext Transfer Protocol (HTTPS) rather than plain HTTP. Browsers usually mark secure websites with a lock icon at the beginning of the address bar, confirming that the connection is secure. A secure connection means that all data packets your device exchanges with the server are encrypted, so third parties cannot see their contents. HTTPS offers significant security advantages over HTTP but imposes strict requirements on the server. One of these is a valid SSL certificate. Thus, the “This site can’t provide a secure connection” error tells us there is a problem with the SSL certificate: the site claims to support HTTPS but either provides no certificate or provides an invalid one. If the browser can’t verify the certificate, it won’t load the site and displays this error message instead.

Padlock icon in the address bar: if you see this lock, it means the website is safe.

Causes of the “This Site Can’t Provide a Secure Connection” error

If you see a site security warning, it does not necessarily mean the site is unsafe. A genuinely dangerous site is possible, but more often than not the cause is harmless. The causes can be divided into problems with the web browser or system configuration and problems with the site itself. You can tell them apart by opening the problem page in several browsers. If the error appears in one browser but the page loads fine in another, the problem is probably in that browser (usually its cache). If the error appears in all browsers, the problem is either with your computer or with the site itself. Listed below are the most common causes of this error message:

  • Incorrect time and date settings on your device. If your laptop has the wrong date and time, this can cause problems with SSL certificate validation: your PC may think the certificate has already expired or, more amusingly, has not been issued yet.
  • Outdated SSL caches in your browser. This is one of the most common causes. Web browsers store SSL certificates in a cache so they don’t need to re-check the certificate every time you visit a site, which speeds up browsing. However, if the site’s SSL certificate changes but the browser still loads the older version from its cache, this error can appear.
  • Invalid or expired SSL certificate. Certificates must be renewed periodically. You will see this error if the website’s SSL certificate has expired.
  • Fraudulent browser extensions. An incorrectly working browser extension can also cause problems with certificate validation. Often it is a simple bug caused by poor design, though sometimes the extension is malicious.
  • Overzealous antivirus. Incorrectly configured antivirus software can sometimes produce this message in error, typically because of a mistake in how it handles the encrypted connection.
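
The two clock-related causes above, an expired certificate and a client whose date is wrong, can be told apart without a browser. The following is an added example, not code from the Gridinsoft article, written against the Python standard library: it classifies a certificate’s validity window at a given client time, compares that verdict with a trusted reference time to decide whether the fix belongs on the client or on the server, and includes a live check that reports the same verification failure Chrome would see. The certificate dict, hostnames and dates in it are constructed for the example; the `ssl.cert_time_to_seconds` and `SSLCertVerificationError` calls are real stdlib APIs.

```python
"""Classify a TLS certificate's validity window against the client clock.

Added example (not from the Gridinsoft article). Only the Python standard
library is used. SAMPLE_CERT below is constructed to mimic the dict shape
returned by ssl.SSLSocket.getpeercert(); its names and dates are made up.
"""
import datetime as dt
import socket
import ssl

# Constructed sample in the same shape as getpeercert() output
# (only the fields this example reads; real dicts carry more).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("commonName", "Example Test CA"),),),
    "notBefore": "Nov 16 00:00:00 2022 GMT",
    "notAfter": "Feb 14 23:59:59 2023 GMT",
}


def utc(year, month, day, hour=0, minute=0, second=0):
    """Build a timezone-aware UTC datetime (keeps the rest of the code short)."""
    return dt.datetime(year, month, day, hour, minute, second,
                       tzinfo=dt.timezone.utc)


def validity_window(cert):
    """Return (not_before, not_after) as aware UTC datetimes.

    ssl.cert_time_to_seconds parses the 'Mon DD HH:MM:SS YYYY GMT' strings
    used by getpeercert() and returns seconds since the epoch (UTC).
    """
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return (dt.datetime.fromtimestamp(start, dt.timezone.utc),
            dt.datetime.fromtimestamp(end, dt.timezone.utc))


def diagnose(cert, client_now):
    """Say how a browser judges the certificate when its clock reads client_now.

    Returns 'valid', 'expired' (notAfter has passed: a server-side problem) or
    'not_yet_valid' (notBefore lies in the future: almost always the client's
    clock is behind, the "not issued yet" case from the article).
    """
    not_before, not_after = validity_window(cert)
    if client_now < not_before:
        return "not_yet_valid"
    if client_now > not_after:
        return "expired"
    return "valid"


def clock_skew_hint(cert, client_now, reference_now):
    """Separate 'my clock is wrong' from 'the site's certificate is bad'.

    reference_now is a time you trust (for example from an NTP query). If the
    certificate is valid at the reference time but not at the client's time,
    the fix is the client clock, exactly as the article recommends.
    """
    at_client = diagnose(cert, client_now)
    at_reference = diagnose(cert, reference_now)
    if at_client == "valid":
        return "certificate accepted; look at cache, extensions or antivirus"
    if at_reference == "valid":
        return f"fix the client clock (off by {client_now - reference_now})"
    return f"certificate is {at_reference.replace('_', ' ')} on the server side"


def live_check(host, port=443, timeout=5.0):
    """Needs network: connect with full verification and report the outcome.

    Returns ('valid', cert_dict) or ('rejected', reason). The reason string
    comes from the library's own verification error (e.g. 'certificate has
    expired'), which is the same class of failure the browser reports.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "valid", tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return "rejected", exc.verify_message


if __name__ == "__main__":
    # Offline demo on the constructed certificate at three client clocks.
    for when in (utc(2022, 12, 1), utc(2023, 3, 1), utc(2021, 1, 1)):
        print(when.date(), diagnose(SAMPLE_CERT, when),
              "|", clock_skew_hint(SAMPLE_CERT, when, utc(2022, 12, 1)))
```

Run the file as-is for the offline demonstration; call `live_check("example.com")` from an interactive session to see the verdict for a real host. When the rejection reason names an expiry or a “not yet valid” certificate while `clock_skew_hint` says the certificate is fine at a trusted time, correcting the system clock is the whole fix.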

Fix the “This Site Can’t Provide a Secure Connection” error

Fortunately, fixing the problem does not require any serious effort. In some cases, however, you will keep seeing the error until the site owner replaces an outdated certificate. Below we look at how to eliminate the secure connection error.

Set the correct date and time

A certificate’s validity period matters: the browser checks both its issue date and its expiration date. An incorrect date or time zone on your PC can therefore cause the secure connection error in Chrome. Make sure the time on your system is synchronized and matches your current time zone. In most cases, this simple fix is all that is needed.

Clear Chrome’s browsing data

If the problem persists after setting the date and time, try clearing Chrome’s cache and cookies. To do this, press Ctrl + Shift + Delete, select the time range “All time”, and click “Clear data”.


Check recently installed extensions

Recently installed extensions and ad blockers can interfere with how Chrome loads sites. First, try removing these extensions and then reload the web page. To remove extensions from Chrome, follow these steps:

First, open the Chrome browser and type chrome://extensions in the address bar.


This will take you to the extensions page, where you can click on the “Remove” button next to your recently installed extensions.


You can disable ad blockers the same way.

Check your antivirus and firewall settings

Sometimes the connection error in Chrome is caused by overly aggressive or incorrect settings in the antivirus or firewall installed on your PC. Most modern antivirus programs scan websites for malicious elements and other security threats. They also check the SSL/TLS version the website uses, and if the website uses an outdated version, the antivirus blocks it. In this case, you can confirm the cause by temporarily disabling the antivirus. However, leaving it disabled is not a safe solution.

Clear SSL state

If the above methods don’t help, try clearing the SSL state. To do this, perform the following steps:

  • Open the Start menu.
  • Search for and open Internet Properties.
  • Select the Content tab.
  • Click Clear SSL State.


Disable the QUIC protocol

QUIC (Quick UDP Internet Connections) provides a connection to Google’s servers that is equivalent to TLS/SSL. QUIC is enabled by default in Chrome. To disable it, copy chrome://flags/#enable-quic, paste it into the address bar, and press Enter. At the top of the page, the “Experimental QUIC protocol” option is set to Default; change it to Disabled and restart Chrome.


Enable TLS and SSL support

Older SSL and TLS versions are disabled in most browsers and operating systems. Since most websites use much more secure and faster protocols, Chrome refuses to open a site that only offers an old version and warns you that it is not secure. However, you can enable support for these TLS/SSL versions:

  • Open the Control Panel and find Internet Options.
  • Click the Advanced tab.
  • Scroll down, select TLS 1.0, TLS 1.1, TLS 1.2, SSL 3.0, and SSL 2.0, and click “OK”.


Restart your computer and try to visit the web page.
