Op-Ed: Google Chrome browser hacks confirmed, but don’t panic – Yet.

There’s nothing like the biggest possible target for hackers, and Google Chrome is definitely just that. The bottom line is that there are significant issues, quite real possible threats, and you do need to do whatever’s required to manage these things.

The ever-helpful noisy headlines vary in usefulness, far too much:

…Exactly what every Chrome user needs to see, obviously. The story is that Zero Day attacks have now been happening regularly, 11 this year to date, and Google is much less than thrilled.

Not too impressed with the Headless Chicken Little approach to internet security, I found some info direct from Google dated October 7. The Google information is much less hysterical and includes some useful links. The headline, interestingly enough, is Stable Channel Update for Desktop. The word “delete” doesn’t exist on this page.

So what’s so important?

The Zero Day attacks might compromise SSL (Secure Sockets Layer) security, the kind you use for banking. This is a huge issue, however predictable. SSL is typically very secure, so even the suggestion of any risk at all is highly undesirable.

That’s some sort of excuse for the panic. It’s no excuse at all for any unsupported statements sprinkled throughout the coverage. Google, apparently not inclined to destroy its top global browser, has simply said patches are coming onstream. Several have obviously already been applied.

What can you do? Pretty easy.  

The easy way is to simply click on the top right, click help, and check for the current update. The relevant update in the Google info is 94.0.4606.81 for Windows and Mac. This update addresses four specific vulnerabilities. Google makes the necessary point that access to details and links regarding other issues is restricted. You don’t tell the bad guys what you’ve already fixed until it’s obvious.

Some perspective

Browser hacks are nothing new. Browsers are complex. They require monitoring. All browsers, notably and notoriously Internet Explorer, have had major vulnerabilities.

The culture is a major driver of this freeloading situation, often sponsored by organized crime, that invaluable asset to the world. State actors are also pretty common participants in internet sabotage. Nice to know somebody is determined to start World War 3, isn’t it?

Caveat – This is an opinion, not a proven fact: What is generally known about cyberattacks and what is actually happening cannot be the same thing. It’s probably a lot worse, and has always been worse, than public disclosures.

The follow-through logic here is that an attack on anything as big as Chrome isn’t even in the interests of clunky old mainstream hackers. A hyper-secure, possibly reactive browser would be the death of them and their business. So something much bigger is likely to be in play to even think about this sort of attack.

More to the same point – Google Chrome is actually a pretty hard target for hackers. It’d take a lot of effort to find these vulnerabilities and use them. This is major league stuff, pretty much if not entirely out of reach of some guy with a phone and time on his hands.

Meanwhile back at the cluster factory on Main Street Online

It’s still way too easy to do damage on any level of the net, let alone at the browser level. Most writers about anything to do with the internet, including me, have made that point about internet security in countless ways, for decades.

Maybe this is the mindless old middle-class “If there were no problems I wouldn’t have a job” thing. Fixes seem to be pretty slow in terms of Main Street hacks, for example. I’ve been seeing quite a few real phishing antiques, pretty much dinosaurs, still rattling around. So what’s been fixed? Not much, I’d say.

We seem to be talking to a vacuum. A surprisingly smug vacuum. Online security is worse than ever, decades later. Nowhere but online could conscientiously never doing your job at all be so acceptable. You claim to be geniuses; now prove it.

Kill the culture, and you kill the problem. Don’t kill it, and the risks escalate. Add unacceptable levels of risk to the hacks and cyberattacks, and the risks reduce. Sky blue, grass green. Clear enough?
