In seeming anticipation of Cyber Awareness Month in October, Google began a series of “Whack-a-Mole” updates to address a spate of Chrome security flaws. Each time they knocked a batch down, more popped up. In the first week of October, Google announced they had found the 12th and 13th zero day exploits of 2021, affecting Linux, macOS, and Windows users – just days after number 11 was made public. More disclosures of high ranking exploits have since followed at what seems to be an accelerating pace.
“Zero day” exploits are particularly dangerous because hackers are aware of – and can exploit – them before security patches are available to fix them. With 2.65 billion Chrome users worldwide and a 65% market share, these newest Chrome zero days left an awful lot of users exposed to danger until Google released fixes. And since many organizations take some time to roll out new versions of their browsers, many users will be exposed to these vulnerabilities for quite a while.
Browsers are designed to execute all web code only within the browser, and nowhere else on the device. Browser security vulnerabilities are dangerous in that they allow code to “jump” from the browser to the device and execute there.
A number of the latest zero day exploits and high-rated threats were Use-After-Free (UAF) vulnerabilities, which are some of the most dangerous software vulnerabilities around.
Normally, when an application finishes using memory, that memory is returned to the free memory list. In a UAF, the application keeps referencing that memory after it has been freed, and the attacker has gained access to the memory address. This allows them to insert malicious code into memory that has been freed and may since have been reused for something else, code which can cause all kinds of harm.
Additionally, since the memory isn’t wiped clean after a UAF has been exploited, the attacker can continue to read contents of memory of the device, including sensitive customer or organization data.
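The reuse described above, as an added example that is not part of the original article: a toy slot pool in C (the pool, the handles and the sample strings are constructed for illustration, not browser code) in which a stale reference reads a newer object's data once the slot is reused, and a generation check rejects that stale reference.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration: a toy pool with constructed sample data. */
#define SLOTS 4
typedef struct { uint32_t gen; int live; char data[32]; } Slot;
typedef struct { uint32_t index; uint32_t gen; } Handle;
static Slot pool[SLOTS];

/* Allocate the first free slot; freed slots are reused, as on a real heap. */
static Handle pool_alloc(const char *value) {
    for (uint32_t i = 0; i < SLOTS; i++) {
        if (!pool[i].live) {
            pool[i].live = 1;
            snprintf(pool[i].data, sizeof pool[i].data, "%s", value);
            return (Handle){ i, pool[i].gen };
        }
    }
    return (Handle){ SLOTS, 0 };  /* pool exhausted */
}

/* Free the slot (contents are not wiped) and bump its generation. */
static void pool_free(Handle h) {
    if (h.index < SLOTS && pool[h.index].live && pool[h.index].gen == h.gen) {
        pool[h.index].live = 0;
        pool[h.index].gen++;
    }
}

/* Unchecked access: behaves like a raw dangling pointer. */
static const char *get_unchecked(Handle h) {
    return h.index < SLOTS ? pool[h.index].data : NULL;
}

/* Checked access: refuses handles whose slot was freed or reused. */
static const char *get_checked(Handle h) {
    if (h.index >= SLOTS) return NULL;
    Slot *s = &pool[h.index];
    return (s->live && s->gen == h.gen) ? s->data : NULL;
}

/* Returns 1 if the stale handle aliased the new object and the check caught it. */
static int demo(void) {
    memset(pool, 0, sizeof pool);
    Handle old = pool_alloc("tab-1 state");
    pool_free(old);                                  /* 'old' is now dangling */
    Handle fresh = pool_alloc("other user's data");  /* reuses slot 0 */
    int aliased = strcmp(get_unchecked(old), "other user's data") == 0;
    int caught = get_checked(old) == NULL && get_checked(fresh) != NULL;
    return aliased && caught;
}
int main(void) { printf("aliased and caught: %d\n", demo()); return 0; }
```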
More Than Chrome Can Be at Risk
The most recent zero day was in the core code known as Chromium. Chromium is an open-source browser that is maintained primarily by Google. Google adds features to Chromium for its Chrome browser, and other browsers such as Microsoft Edge and Opera also run on Chromium.
That means an exploit that’s in the Chromium section of the code is also likely to affect other browsers that run on Chromium, including Edge, the third most-used browser.
Obviously, Google isn’t the only company that has zero day issues. Google’s Threat Analysis Group said that 33 zero days had been detected in the wild in the first half of 2021 alone, including in Microsoft Edge and Apple’s Safari browsers. This is a significant increase from the previous year.
Users Often Remain Exposed When They Needn’t Be
The fixes for zero day exploits often are not rolled out all at once – some users may be offered the patch before others. But even once a fix has been issued, it provides no protection until a user installs it. Unfortunately, all too many users neglect instructions to update their software as soon as they can. Cybercriminals know this, and seize the opportunity to continue exploiting vulnerabilities, even after fixes have been released.
Finally, some users are not aware that even if they install the update, it does not take effect until the browser is restarted. This could leave some users believing that vulnerabilities in their browsers have been fixed when in fact, they are still at risk.
Fight Zero Days with Zero Trust
As the steady cadence of announcements on zero days makes clear, even if your organization is careful to install software updates the minute they’re available and insists that users update their personal devices, your organization will still be exposed to zero day exploits.
There is only one sure way to protect against zero day attacks on vulnerable browsers, without entirely disallowing internet use. And that is by implementing a Zero Trust security approach to web browsing. Zero Trust doesn’t rely on security patches or allow lists: It operates on the assumption that all browsing, of any website, using any browser could be dangerous, and therefore leverages Remote Browser Isolation (RBI) to keep all active web content off endpoints – while still enabling users to use the sites that they need.
Sound impossible? Here’s how Ericom RBI works. When a user types a URL in their device browser or clicks a link, a virtual browser is opened in a cloud-based container. All website code remains isolated in the container. Only safe rendering data is sent to the user device, to their usual browser, where users interact as they would with the actual web content. Even if a zero day exploit is present and a user clicks to activate the code, it can’t infect their computer or the organization network to which it’s connected, since no code runs on the endpoint.
Today’s browsers are sophisticated marvels that streamline activities in a way that was unimaginable just a few short decades ago, yet expose organizations to serious risk. Zero Trust browsing with RBI enables your organization to benefit from the upsides of internet use, while staying protected from the very serious risks. This most recent spate of Zero Day threats should have you convinced to learn more about Ericom RBI today.