Chrome 76 Release Includes Vulnerabilities

This week, Google has released version 76 of Chrome and although there aren’t any major features, there are still some changes and vulnerabilities to highlight.

First, Adobe Flash is no longer enabled by default. Google, as well as other software manufacturers, have been dying to end support for the vulnerability-ridden plugin for years. In July 2017, Adobe said it would kill Flash by 2020 and with a market share of 56.8% across all platforms, Chrome’s recent block on the plugin is finally bringing that to fruition. It is worth mentioning that Flash is not entirely removed from the browser. If end-users would still like to leverage Flash while browsing, the option can still be enabled in settings; however, be exceptionally careful as the plugin has always been known to be a favorite target for exploit kits, zero-day attacks, and phishing schemes.

Another change with Chrome 76 is how Incognito Mode functions. Recently, Google became aware of websites exploiting the private mode by detecting whether or not it’s utilized. This has been previously achieved via the Google FileSystem API implementation, but with the version 76 release, it’s been remediated.

Lastly, a number of vulnerabilities have been addressed, including CVE-2019-5850, CVE-2019-5853, and CVE-2019-5860. Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. Additionally, depending on the privileges associated with the application, an attacker could install programs, change data, or create new accounts with full user rights.

Syxsense supports Google Chrome updates by default. There’s no need to even scan the environment for out-of-date versions. A Patch Deployment Task can detect, determine if the update is necessary, and remediate without the need to interrupt end-users or wait around for a policy-based solution to someday address the update.