“Zero-Day Exploit”: what exactly was Google Chrome’s recent Halloween Spook?

On Halloween, Google issued an urgent update to Chrome users regarding a “zero-day exploit.” With a 65.8% browser market share in September 2019, per TechRadar, Google Chrome (and a whole bunch of its unsuspecting users) represents a massive target for hackers. What might this security alert mean for the average user?
Note: if you are reading this on Google Chrome, and you have not already updated your browser, please pause and immediately follow these directions.
Zero-Day Vulnerability vs Zero-Day Exploit
Norton AntiVirus by Symantec, an anti-malware and anti-virus software vendor, gives the following definition for a zero-day vulnerability (emphasis is mine):
“…a software security flaw that is known to the software vendor but doesn’t have a patch in place to fix the flaw. It has the potential to be exploited by cybercriminals.”
“Zero-day” may also be used to refer to an attack that has already occurred, though this is more commonly known as “zero-day exploit” or “zero-day attack.”
What users should note is that “zero-day” begins when the software vendor discovers the flaw. Afterward, flaws are known as “N-day vulnerabilities” to signal the passage of time, usually in days, before a corresponding software patch or workaround is released.
Alerting the public to a Zero-Day Vulnerability
At this point, you may wonder why a company or software vendor would publicly acknowledge the vulnerability. Couldn’t hackers who read about zero-day vulnerabilities simply look for technical documentation about the vulnerability and quickly build a hack?
Enterprise IT data publisher TechTarget pointed out the following reason for releasing zero-day notices:
“Even if potential attackers hear about the vulnerability, it may take them some time to exploit it; meanwhile, the fix will hopefully become available first.”
In the case of Google Chrome, it turns out the recent security flaw was already being “exploited in the wild,” meaning a documented exploit was discovered before a patch was released. Thus, the news release was meant to spur users into installing the software updates.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” stated the Google Chrome developer blog.
Assessing the severity of a Zero-Day Vulnerability
Information disclosure about vulnerabilities depends on other factors, such as the amount of time passed since zero-day, number of clients impacted, level of data accessed, etc. Considering that zero-day vulnerabilities and exploits are unpatched flaws, they can be difficult to detect and prevent.
In July 2014, Google announced the formation of Project Zero, a research group whose mission is to “make zero-day hard.” Part of their aim is to uncover and alert software vendors to zero-day bugs. However, the group is criticized for generally providing companies with only 90 days to address security issues before releasing bug information publicly, with exceptions granted for severity.
Project Zero defended its actions by asserting the following:
“The answer [to why we release bug information] is counterintuitive at first: disclosing a small number of unfixed vulnerabilities doesn’t meaningfully increase or decrease attacker capability. Our ‘deadline-based’ disclosures have a neutral short-term effect on attacker capability.”
Basically, if the security flaw were easy to replicate, hackers may have already exploited it. And if the flaw were complex and resource-intensive in nature, hackers may not invest the estimated average of three weeks’ time to reproduce it. Plus, Project Zero only posts what they describe as “one part of the exploit chain.”
It may be difficult to argue with their track record of effectiveness. When companies are made aware of zero-day vulnerabilities, they are more inclined to be publicly accountable and to create a fix. As of July 30, 2019, “Project Zero has published the bug reports of 1,585 fixed vulnerabilities and 66 unfixed ones,” reported TechSpot.
Regardless, critics of Project Zero argue that patches for specific security issues (1) may not address similar vulnerabilities in other parts of the impacted system, (2) may be imperfect fixes that require significantly more time to smooth out, or (3) worse yet, may not be installed by a user in a timely manner, leaving the user vulnerable.
User protection: auto-update or not?
The Google Chrome team itself alluded to the concern of ensuring the bug fixes are delivered before disclosing further information: “We will also retain restrictions [on releasing information] if the bug exists in a third party library that other projects similarly depend on but haven’t yet fixed.”
In this case, the Google Chrome team decided to push a fix to users. All that was required for the user to receive the refreshed Chrome code was to restart the browser, according to Wired.
Simple, right? Just hit install on the update! (That is, if you pay attention to your update alerts.) For the rest of us, Wired echoes the recommendation by Jérôme Segura, head of threat intelligence at security firm Malwarebytes:
“As a security practitioner, I am a strong advocate for auto-updates, especially when it comes to consumers.”
Wired also quotes Josiah Dykstra, technical director at the National Security Agency: “If people see the value in auto-updates, they generally tend to see the value in product stability for features more than security. The security benefit is a very hard thing for consumers to see.”
Fortunately for all average users out there, ethical hacker John Opdenakker says, “This most severe [Chrome] vulnerability can only be exploited via specially crafted websites,” which means, “the average user shouldn’t lose any sleep.”
Final Thoughts
In light of zero-day vulnerabilities, Techopedia provides a few suggestions on how users might proactively protect themselves:
- Different access controls and restrictions, including virtual LANs and firewalls, can provide protection against zero-day attacks.
- Single packet authorization can help provide effective protection against zero-day attacks in a network with fewer users.
- Restrict privileges for user accounts. This could mitigate the impact of any possible attacks.
Lastly, Norton AntiVirus compels us to be good digital stewards of our data:
“OK, cyber security is mostly about you, but you’ve got other people to think about, too. If your device gets a virus, you could pass it on to your friends, family, and business associates. That’s why you want to keep your software and systems updated.”
Hopefully, with this in mind, the passing of this Halloween will bring no long-term digital scares to any of us.
Future topic: Internet of Things (IoT) security flaws
Sources:
[1] Release Updates from the Chrome Team: https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html
[2] TechRadar: https://www.techradar.com/uk/news/microsoft-edge-user-numbers-plummet-while-chrome-reaches-new-heights
[4] Norton AntiVirus, by Symantec: https://us.norton.com/internetsecurity-emerging-threats-how-do-zero-day-vulnerabilities-work-30sectech.html
[5] Norton AntiVirus, by Symantec: https://us.norton.com/internetsecurity-how-to-the-importance-of-general-software-updates-and-patches.html
[6] TechTarget: https://searchsecurity.techtarget.com/definition/zero-day-vulnerability
[7] Google Project Zero team member blog: https://googleprojectzero.blogspot.com/
[8] Google Project Zero team member Github: https://github.com/googleprojectzero
[9] Wired: https://www.wired.com/story/turn-on-auto-updates-everywhere/#
[10] TechSpot: https://www.techspot.com/news/81281-over-95-1600-vulnerabilities-discovered-google-project-zero.html
