Date:01/03/19
A zero-day vulnerability in Google Chrome allows hackers to harvest personal data using nothing else than malicious PDF documents loaded in the browser.
Discovered by EdgeSpot, the security flaw is already being exploited in the wild and an official fix would only be released by Google in late April.
The PDF documents do not appear to leak any personal information when opened in dedicated PDF readers like Adobe Reader. However, it seems the malicious code specifically targets a vulnerability in Google Chrome, as opening them in the browser triggers outbound traffic to one of two different domains called burpcollaborator.net and readnotify.com.
The exposed data includes the IP address of the device, the operating system and Google Chrome versions, as well as the path of the PDF file on the local drives.
Interestingly, the malicious PDF documents aren’t detected as potentially dangerous by security products, and only some antivirus solutions trigger a warning when scanning them.
The vulnerability was reported to Google on December 26, and on February 14, the company confirmed that the late-April browser update would include a fix.
“We decided to release our finding prior to the patch because we think it's better to give the affected users a chance to be informed/alerted of the potential risk, since the active exploits/samples are in the wild while the patch is not near away,” the researchers at EdgeSpot explain.
In the meantime, the easiest way to remain protected is to avoid opening any PDF documents in Google Chrome, but if you must do this, you should just stay away from files coming from sources that you do not trust. Also, you can just temporarily disconnect the computer from the Internet when opening PDF documents in Google Chrome.
The next Google Chrome release that will correct the vulnerability is Chrome 74 due on April 23.
Google Chrome Zero-Day Lets Hackers Harvest User Data
A zero-day vulnerability in Google Chrome allows hackers to harvest personal data using nothing else than malicious PDF documents loaded in the browser.Discovered by EdgeSpot, the security flaw is already being exploited in the wild and an official fix would only be released by Google in late April.
The PDF documents do not appear to leak any personal information when opened in dedicated PDF readers like Adobe Reader. However, it seems the malicious code specifically targets a vulnerability in Google Chrome, as opening them in the browser triggers outbound traffic to one of two different domains called burpcollaborator.net and readnotify.com.
The exposed data includes the IP address of the device, the operating system and Google Chrome versions, as well as the path of the PDF file on the local drives.
Interestingly, the malicious PDF documents aren’t detected as potentially dangerous by security products, and only some antivirus solutions trigger a warning when scanning them.
The vulnerability was reported to Google on December 26, and on February 14, the company confirmed that the late-April browser update would include a fix.
“We decided to release our finding prior to the patch because we think it's better to give the affected users a chance to be informed/alerted of the potential risk, since the active exploits/samples are in the wild while the patch is not near away,” the researchers at EdgeSpot explain.
In the meantime, the easiest way to remain protected is to avoid opening any PDF documents in Google Chrome, but if you must do this, you should just stay away from files coming from sources that you do not trust. Also, you can just temporarily disconnect the computer from the Internet when opening PDF documents in Google Chrome.
The next Google Chrome release that will correct the vulnerability is Chrome 74 due on April 23.
Views: 452
©ictnews.az. All rights reserved.
Similar news
- Azerbaijani project to monitor disease via mobile phones
- Innovative educational system to be improved under presidential decree
- NTRC prolongs license of two TV and radio organizations for 6 years
- Azerbaijan establishes e-registry for medicines
- Azerbaijani museum introduces e-guide
- Nar Mobile opens “Nar Dunyasi” sales and service center in Siyazan city
- International conference on custom electronic services held in Baku
- OIC secretary general to attend COMSTECH meeting in Baku
- Azerbaijan develops earthquake warning system
- New law to regulate transition to digital broadcasting in Azerbaijan
- Azerbaijani State Social Protection Fund introduces electronic digital signature
- Intellectual traffic management system in Baku to be commissioned in December
- Tax Ministry of Azerbaijan started receiving video-addresses
- World Bank recommends Azerbaijan to speed up e-service introduction in real estate
- Azerbaijan to shift to electronic registration of real estate
