Update Chrome to fix three security flaws
The information below was sent via email to U-M IT staff groups on February 25, 2020. It is intended for U-M IT staff who are responsible for university devices running the Google Chrome web browser. It will also be of interest to individuals who have Chrome installed on their own devices.
Summary
A Chrome update (Chrome 80.0.3987.122) released on Monday, February 24, patches three high-severity vulnerabilities, including one that Google says is being exploited in the wild. Update Chrome as soon as possible. Be aware that by default, automatic updates to Chrome happen in the background when you close and reopen Chrome. If you seldom close and reopen Chrome, check for pending updates to Chrome and update if necessary.
Problem
Google has announced vulnerabilities in the Chrome web browser. One of these, CVE-2020-6418, is being actively exploited in the wild. Details about the attacks have not been made public. Google has released an update to Chrome to fix the vulnerabilities.
Threats
CVE-2020-6418 is being actively exploited in the wild.
Affected Versions
All versions of Google Chrome prior to 80.0.3987.122.
Action Items
- Update Chrome to version 80.0.3987.122 as soon as possible. The update is available for Windows, Mac, and Linux users. Be aware that automatic updates to Chrome normally happen in the background when you close and reopen Chrome. If you seldom close and reopen Chrome, check for pending updates to Chrome and update if necessary.
- Updates for Chrome on Chrome OS, iOS, and Android will be made available in the coming weeks. Apply the Chrome update for your device as soon as it is available.
MiWorkspace computers are being updated for you as soon as possible. Chrome is set to auto-update on MiWorkspace computers. In addition, MiWorkspace will release the newest version of Chrome for Mac and Windows later this week during normal maintenance windows (Thursday night for Mac and Friday morning for Windows).
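For IT staff who need to confirm that managed devices actually picked up the fix rather than relying on the background auto-updater, the following added example (not part of the original advisory or of any U-M tooling) compares reported Chrome versions against the fixed version named above, 80.0.3987.122, and lists the hosts that still need the update. The inventory hostnames and versions are constructed for the example; the local-binary lookup assumes common Linux/macOS executable names.

```python
"""Flag Chrome installs older than the build that fixes CVE-2020-6418.

Added example: compares dotted Chrome version strings numerically against
the fixed version from the advisory and reports hosts that still need it.
"""
import os
import re
import shutil
import subprocess
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = "80.0.3987.122"  # fixed version named in the advisory


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Pull a dotted version out of text such as 'Google Chrome 80.0.3987.122'
    and return it as a tuple of ints, padded to four components, so that
    comparisons are numeric (80.0.3987.99 < 80.0.3987.122) rather than
    lexical (where '99' would sort after '122')."""
    m = re.search(r"(\d+(?:\.\d+){1,3})", text)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (4 - len(parts))


def is_patched(version_text: str) -> bool:
    """True if the version is 80.0.3987.122 or later.
    An unparseable version is treated as unpatched so it gets looked at."""
    v = parse_version(version_text)
    if v is None:
        return False
    return v >= parse_version(FIXED_VERSION)


def local_chrome_version() -> Optional[str]:
    """Best-effort check of the Chrome installed on this machine.
    Binary names/paths are assumptions for Linux and macOS; returns None
    if no Chrome binary is found or it cannot be run."""
    candidates = [
        "google-chrome",
        "google-chrome-stable",
        "chromium",
        "chromium-browser",
        "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
    ]
    for c in candidates:
        path = c if os.path.isfile(c) else shutil.which(c)
        if not path:
            continue
        try:
            out = subprocess.run([path, "--version"], capture_output=True,
                                 text=True, timeout=10)
        except (OSError, subprocess.SubprocessError):
            continue
        if out.stdout.strip():
            return out.stdout.strip()
    return None


def devices_needing_update(inventory: Dict[str, str]) -> List[str]:
    """Given {hostname: reported version string}, return the sorted list of
    hosts whose Chrome is older than the fixed version (or unknown)."""
    return sorted(host for host, ver in inventory.items() if not is_patched(ver))


# Constructed sample inventory (hostnames and versions invented for this example)
SAMPLE_INVENTORY = {
    "lab-pc-01": "Google Chrome 80.0.3987.122",  # exactly the fixed build
    "lab-pc-02": "Google Chrome 80.0.3987.116",  # one patch level behind
    "lab-pc-03": "Google Chrome 79.0.3945.130",  # previous major release
    "lab-pc-04": "Google Chrome 80.0.3987.132",  # newer than the fix
    "lab-pc-05": "unknown",                      # agent could not read version
}

if __name__ == "__main__":
    for host in devices_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: needs Chrome {FIXED_VERSION} or later "
              f"(reported: {SAMPLE_INVENTORY[host]})")
    local = local_chrome_version()
    if local is not None:
        state = "patched" if is_patched(local) else "NEEDS UPDATE"
        print(f"this machine: {local} -> {state}")
```

The numeric comparison is the point of the example: a plain string comparison of version numbers would wrongly rank 80.0.3987.99 above 80.0.3987.122, and an inventory check built on it would report vulnerable hosts as patched. Treating an unreadable version as unpatched keeps such hosts in the remediation list until someone confirms them.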
Technical Details
CVE-2020-6418 is a type confusion vulnerability in V8, Google Chrome’s open-source JavaScript and WebAssembly engine. The other two flaws have been described as an integer overflow in ICU and an out-of-bounds memory access issue in the streams component (CVE-2020-6407).
How We Protect U-M
- ITS Information Assurance (IA) monitors a number of sources for information about new vulnerabilities and threats and provides up-to-date information to the university community.
- IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.
- IA provides vulnerability management guidance to the university.
Information for Users
MiWorkspace machines will be updated as soon as possible. It is best to set Chrome on your own devices (those not managed by the university) to update automatically. Be aware that automatic updates to Chrome normally happen in the background when you close and reopen Chrome. If you seldom close and reopen Chrome, check for pending updates to Chrome and update if necessary.
In general, the best protection for your devices is this: keep your software and apps up to date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.
References
- Google Patches Chrome Vulnerability Exploited in the Wild (Security Week, 2/25/20)
- Google patches Chrome zero-day under active attacks (ZDNet, 2/25/20)
- Install Latest Chrome Update to Patch 0-Day Bug Under Active Attacks (The Hacker News, 2/25/20)
- Confusion Vulnerability Exploited in the Wild (Tenable, 2/24/20)
- Chrome Release Update: Stable Channel Update for Desktop (Google, 2/24/20)