On May 23rd, a security researcher reported a vulnerability in the Chrome Desktop Browser (Pre-Version 67.0.3396.79) that allows for the mishandling of the Content Security Policy (CSP) header. The CSP header allows website developers to implement a 2nd layer of security on their websites to prevent possible malicious activity. The vulnerability bypasses the SECURITY_CHECK in Chrome, allowing possible cross-site scripting, clickjacking, and varying types of code injection attacks against vulnerable users browsing affected websites.
Chrome released a patch on June 05 fixing the vulnerability and raising the version to 67.0.3396.79. Chrome has reserved CVE-2018-6148 for the vulnerability but is restricting details surrounding the bug until the majority of Chrome users have been updated to prevent threat actors from exploiting the vulnerability.
The Proficio Threat Intelligence Recommendations:
- Update Chrome to the latest version
- Always make sure to stay up to date on application updates and security patches