Google fails to patch Chrome browser bug -- Microsoft Windows users at risk of scams
Many people use Google Chrome, and rightfully so. The cross-platform web browser works brilliantly and is super-fast. Plus, the search giant's browser is very secure too, right? Not so fast...
Today, Sophos drops a bombshell by revealing that scammers are actively targeting Chrome users by leveraging a bug. These bad guys pose as Microsoft tech support and display an in-browser message that says the user's computer is infected with "Virus Trojan.worm! 055BCCAC9FEC". To make matters worse, Google has apparently known about the exploit for more than two years and simply failed to patch it.
"Tech support scammers have started exploiting a two-year-old bug in Google Chrome to trick victims into believing their PC is infected with malware. The bug was discovered in Chrome 35 in July 2014 in the history.pushState() HTML5 function, a way of adding web pages into the session history without actually loading the page in question. The developer who reported the issue published code showing how to add so many items into Chrome’s history list that the browser would effectively freeze", says Sophos.
The company further says, "beating the attack isn't hard. Users can either close Chrome using the Task Manager or, in cases where the browser is using up so much processor power that Task Manager doesn’t appear, by rebooting the computer. The chances of encountering this particular scam are small -- it's only been spotted on a single website -- but its existence underlines how small bugs that don’t seem terribly important may nevertheless be abused by cybercriminals down the line".
Sophos shares the full fake message below. Remember, the computer is not really infected; the scammers are trying to trick the user.
Microsoft Identification-Malware infected website visited. Malicious data transferred to system from unauthorized access. System Registry files may be changed and can be used for unethical activities.
System has been infected by Virus Trojan.worm! 055BCCAC9FEC -- Personal information (Bank Details, Credit Cards and Account Password) may be stolen.
While all Chrome users are at risk, the scammers are currently pretending to be Microsoft tech support, so Windows users are the ones really at risk. In other words, this scam would not likely be effective on users of macOS or Linux-based operating systems. Still, scammers could alter the scheme to target other operating systems too.
Even though the risk is rather low, Google still owes it to all its Chrome users to have a safe and secure browser with a focus on security. Ignoring a bug for two years is simply unacceptable. Hopefully the company patches the 2014 bug soon.
Does this lower your confidence in the overall safety of Google Chrome? Tell me in the comments.
Photo credit: Kakigori Studio / Shutterstock