Chrome patched this bug, but CISA says it's still actively exploited
Date:
Fri, 16 May 2025 16:00:00 +0000
Description:
CISA added a new Chrome bug to its catalog of exploited flaws.
FULL STORY ======================================================================
- Google patched a new Chrome bug recently
- Now, CISA added that vulnerability to KEV, signaling abuse in the wild
- Federal agencies have three weeks to update Chrome
The US Cybersecurity and Infrastructure Security Agency (CISA) added a new Chrome bug to its Known Exploited Vulnerabilities (KEV) catalog, signalling abuse in the wild, and giving Federal Civilian Executive Branch (FCEB) agencies a deadline to patch things up.
The flaw is tracked as CVE-2025-4664. It was recently discovered by security researchers Solidlab, and is described as an insufficient policy enforcement in Loader in Google Chrome. On NVD, it was explained that the bug allowed remote threat actors to leak cross-origin data via a crafted HTML page.
"Query parameters can contain sensitive data - for example, in OAuth flows, this might lead to an Account Takeover. Developers rarely consider the possibility of stealing query parameters via an image from a 3rd-party resource," researcher Vsevolod Kokorin, who was credited with discovering the bug, explained.
Time to patch
The flaw was first uncovered on May 5, with Google coming back with a patch on May 14. The browser giant did not discuss whether the flaw was being exploited in real-life attacks, but it did state that a public exploit existed (which basically means the same thing).
Now, with CISA adding the bug to KEV, FCEB agencies have until June 5 to patch their Chrome instances or stop using the browser altogether. The first clean versions are 136.0.7103.113 for Windows/Linux and 136.0.7103.114 for macOS. In many cases, Chrome will deploy the update automatically, so just double-check which version you're running.
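One way to turn the version numbers above into a repeatable check across a fleet, as an added example that is not part of the original story: the fixed builds per platform are taken from the article; the way Chrome is queried (`google-chrome --version` printing "Google Chrome <version>") and the helper names are assumptions.

```python
"""Check whether an installed Chrome build is at or above the first
version named in the story as fixing CVE-2025-4664."""
import re
import subprocess
import sys
from typing import Optional, Tuple

# First clean versions quoted in the article, keyed by platform.
FIXED_VERSIONS = {
    "windows": "136.0.7103.113",
    "linux": "136.0.7103.113",
    "macos": "136.0.7103.114",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Pull a four-part Chrome version out of text such as
    'Google Chrome 136.0.7103.113' and return it as a tuple of ints,
    so that comparison is numeric rather than lexical."""
    m = re.search(r"(\d+(?:\.\d+){3})", text)
    if not m:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_patched(installed: str, platform: str) -> bool:
    """True if `installed` is at or above the first fixed build for `platform`."""
    key = platform.lower()
    if key not in FIXED_VERSIONS:
        raise ValueError(f"unknown platform {platform!r}")
    return parse_version(installed) >= parse_version(FIXED_VERSIONS[key])


def installed_chrome_version(binary: str = "google-chrome") -> Optional[str]:
    """Ask the local Chrome binary for its version string; None if unavailable.
    Assumption: the binary prints 'Google Chrome <version>' on stdout."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    plat = {"win32": "windows", "darwin": "macos"}.get(sys.platform, "linux")
    ver = installed_chrome_version()
    if ver is None:
        print("Chrome not found on PATH; check the version from chrome://version")
    else:
        state = "patched" if is_patched(ver, plat) else "NOT patched - update before the KEV deadline"
        print(f"{ver} on {plat}: {state}")
```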
"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA warned.
Indeed, the web browser is one of the most frequently targeted programs, since it handles untrusted data from countless sources around the web. Cybercriminals are always looking for vulnerabilities in browser code, plugins, or poorly secured websites, in an attempt to grab login credentials or to find other ways to compromise the wider network.
Via BleepingComputer
======================================================================
Link to news story:
https://www.techradar.com/pro/security/chrome-patched-this-bug-but-cisa-says-its-still-actively-exploited
--- Mystic BBS v1.12 A47 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)