What is the Issue?
Chrome’s security team described the issue as the web browser’s incorrect handling of CSP headers (CVE-2018-6148).
They noted on their blog – “Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on but haven’t yet fixed.”
Why is this noteworthy?
The Content Security Policy (CSP) header allows website administrators to add an extra layer of security on a given web page by allowing them to control the resources that the browser is allowed to load.
If the browser mishandles CSP headers, the protection they provide is lost, and attackers could once again perform cross-site scripting, clickjacking and other types of code injection attacks against targeted web pages.
What is the exposure or risk?
Content Security Policy (CSP) is a computer security standard introduced to prevent code injection attacks that result from malicious content being executed in the context of a trusted web page. A website can declare multiple CSP headers, and the browser processes each one separately. Mishandling of these CSP headers can lead to code injection attacks such as cross-site scripting and SQL injection.
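As an added example (not code from the original advisory and not Chromium's implementation), the following JavaScript models how a browser must apply several CSP headers on one response: each header value is parsed into its own policy, and a load is permitted only if every policy permits it. The source-expression matching is an assumed, deliberately simplified subset of the CSP grammar ('none', 'self', scheme sources, wildcard hosts, bare hosts and full origins).

```javascript
// Added example: a minimal model of how a browser must enforce several
// Content-Security-Policy headers on one response. Each header value is a
// separate policy; a load is allowed only if EVERY policy allows it.
// Illustrative code only, not Chromium's implementation.

// Parse one header value, e.g. "default-src 'self'; img-src https:",
// into a Map of directive name -> array of source expressions.
function parsePolicy(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (!name) continue;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources); // first one wins
  }
  return directives;
}

// Simplified source-expression matcher (assumed subset of the CSP grammar):
// 'none', 'self', '*', scheme sources ("https:"), wildcard hosts
// ("*.example.com"), bare hosts and full origins ("https://cdn.example.com").
function sourceMatches(src, target, pageOrigin) {
  if (src === "'none'") return false;
  if (src === "'self'") return target.origin === pageOrigin;
  if (src === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return target.protocol === src.toLowerCase();
  if (src.startsWith('*.')) return target.hostname.endsWith(src.slice(1));
  if (src.includes('://')) return target.origin === new URL(src).origin;
  return target.hostname === src.toLowerCase();
}

// Does ONE policy allow loading `url` under `directive` (e.g. "script-src")?
// Falls back to default-src when the specific directive is absent; a policy
// that is silent on both imposes no restriction.
function policyAllows(policy, directive, url, pageOrigin) {
  const sources = policy.get(directive) || policy.get('default-src');
  if (sources === undefined) return true;
  const target = new URL(url);
  return sources.some(src => sourceMatches(src, target, pageOrigin));
}

// Several headers: every policy must allow the load (logical AND). Merging
// them into one source list (a union) would wrongly let the most permissive
// header override the strictest one.
function allowedByAll(headerValues, directive, url, pageOrigin) {
  return headerValues
    .map(parsePolicy)
    .every(policy => policyAllows(policy, directive, url, pageOrigin));
}

// Constructed sample: a strict first header and a laxer second one.
console.log(allowedByAll(["default-src 'self'", "script-src https://cdn.example.com"],
  'script-src', 'https://cdn.example.com/lib.js', 'https://app.example.com')); // false
```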
The result of a successful code injection attack can be disastrous, for example: propagation of computer worms, data loss or corruption, loss of accountability, denial of access, complete host takeover, and/or privilege escalation to root permissions by exploiting shell injection vulnerabilities.
What are the recommendations?
Update the Chrome browser on your systems to the latest version ASAP.
For Windows, Mac, and Linux, the stable channel has been updated to 67.0.3396.79, which will roll out over the coming days/weeks.
For most Chrome OS devices, the stable channel has been updated to 67.0.3396.78 (Platform version: 10575.54.0). This build contains a number of bug fixes and security updates. Systems will receive updates over the next several days.
If you have any questions, please contact our Security Operations Center.