Chrome gets patched again—but 83% of users aren’t running the latest version

Isolation provides malware-free browsing regardless of patch status

Imagine your life today without being able to freely browse the web. Browsers have put the entire world on our devices and in the palm of our hand—easily searchable in a powerful and seamless experience. This is where work happens, in browsers, email and shared files. Securing this this essential (yet vulnerable) entry point, ensures malicious actors wouldn’t be able to launch, much less carry out, an attack. Simply put, Chrome is critical to getting business done, as it is used by nearly two-thirds of devices worldwide.

Browsers are still vulnerable no matter how they have changed

Since the first browser debuted in the 1990s, they have been a tempting target for malicious actors. As browsers have evolved, so too have the ways hackers use to exploit their vulnerabilities. In the past, attackers could exploit a vulnerability in a minor feature and spread laterally throughout the software stack. Now, once hackers get in, they have to find ways to move—either by trying to access the core operating system (OS) of the device or by hijacking the browser process. This requires finding and taking advantage of bugs at different levels of the OS, the browser, and the browser functionality.

This expanding threat surface requires users to continually patch their browsers to prevent these vulnerabilities from being exploited. Given the fact that browsers are heavily targeted and include a lot of features, there are many patches that are regularly issued—in some cases creating patching fatigue. Over the past five weeks, Google has issued patches that CISA says are actively being exploited by zero-day attacks. Yet most organizations and users have not patched their browsers. More on this below.

How would the CVEs impact me?

The first three CVEs (in numbers 1 and 2 below) are targeted at impacting the rendering process of the browser and have been classified as zero days:

• CVE-2020-16009 and CVE-2020-16013 give attackers access into the browser. Specifically, the vulnerability allows malicious JavaScript (JS) to break out of the sandbox created by the runtime, enabling the attacker to execute native code within the Chrome rendering process.
• CVE-2020-15999 involves the use of fonts on a website that the user visits. The component that parses the downloaded fonts gives the hacker access to the browser.
• CVE-2020-16017 allows an attacker to take control of the browser process and then gain access to the files located on the device.

Check out what US-CERT has to say about these CVEs:

• Google Releases Security Updates for Chrome, CVE-2020-16009
• Google Releases Security Updates for Chrome | CISA

OK, I Will Update My Browsers…

Menlo Labs discovered that there are 49 different versions of Chrome being used by our customers as of November 17. Nearly two-thirds (61 percent) are running the latest build (.86) while just over a quarter (28 percent) are running one version prior (.85). Out of the customers running .86, a staggering 83 percent are running versions of Chrome that are vulnerable (<Chrome/86.0.4240.198). If these customers were using legacy-based detection approaches, these active zero days would have been a risk for them.

The chart below shows the top five versions of Chrome 86 seen on the Menlo platform as of November 17. The data shows that even though a patched version of the browser may be available for more than six days, customers are still not running these versions.

Unfortunately, this is a continuous trend we have seen from the industry. We can scream “Patch regularly!” until we’re blue in the face, but in reality, people have other priorities and resources to consider (especially with the backdrop of COVID-19).

The Chrome team has made it easier for companies to eventually move to the latest and greatest build, but, as our Menlo Labs data shows, customers have various business reasons for not updating their browser instantly. I know from experience. I’ve been on many Zoom calls where someone has shared their screen, and you can see the “restart to update” orange/red icon. In fact, let’s just do a quick sanity check. Do you even remember the last time you shut down your browser and cleared cookies on all your devices?

Now scale that across all your devices, and it’s easy to see how difficult it can be for organizations to come up with ways to ensure that their users’ browsers are updated and patched to enterprise standards.

So Is There an Alternate Approach?

Yes, one of Menlo’s biggest values to our customers is to protect them from browser-based zero days. We do this simply, without trying to detect the website impact, looking at indicators of compromise (IOC), or adding more ML-based engines – approaches that legacy detect and response web gateways take. The Menlo Isolation-powered Cloud Security Platform moves the rendering process away from the endpoint, cutting off any access before the attacker even attempts to exploit the vulnerability.

Protecting against the locked room:

• (CVE-2020-16009 and CVE-2020-16013): Triggering the vulnerability requires executing JS. Menlo customers are fully protected because no active content is ever executed on the endpoint. We don’t selectively choose what or who to isolate—we simply isolate all traffic.
• CVE-2020-15999: An attacker cannot execute active content on the endpoint, making it extremely hard to defeat additional OS protection mechanisms (Data Execution Prevention [DEP] and Address Space Layout Randomization [ASLR]). As a result, users are protected. Although an attacker may be able to cause a client browser to crash, successful exploitation is virtually impossible.

Stopping the attacker:

• CVE-2020-16017 & CVE-2020-16010: Isolation prevents the attacker from even getting a foothold in the browser, preventing them from getting to the point where they can attempt to take advantage of this vulnerability.

Isolation Solves the Patching Problem.

I know it’s hard to believe, but Menlo’s browser isolation approach automatically protects the enterprise against these attacks—even when a browser is not updated or patched. And, because it is a cloud-delivered security service, Menlo protects all devices—including mobile—regardless of the underlying hardware, OS, browser, or network connection. Our customers may be running unpatched or outdated versions of Chrome, but they are protected, nevertheless, thanks to Internet isolation.

Reach out to us to learn more about the CVEs and how Menlo’s Isolation-powered Cloud Security Platform could be an approach that helps with your patching nightmare.

Special call-out to my Menlo colleagues Vinay (insightful Director of Security Research) and Lionel (Chief Security Architect) for their insight and data.