
These new flaws underscore why browser engines remain among the most attractive targets for attackers, noted Jack Bicer, director of vulnerability research at Action1. “With active exploitation already confirmed, organizations that delay updates risk exposing users to drive-by attacks delivered through compromised or malicious websites.”
Chromium and all Chromium-based browsers, including Chrome, Edge, and others, must be updated to the latest security versions as soon as possible, he said. Admins should also ensure that automatic updates are enabled across enterprise endpoints, monitor for outdated browser versions, and consider browser isolation technologies to reduce exposure to web-based attacks.
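One way to act on the advice above (check installed versions of Chromium-based browsers against a minimum and confirm auto-updates have not been disabled by policy), as an added PowerShell example that is not part of the article or any vendor's tooling; the minimum version values are placeholders, since the article names no fixed versions, and the install paths assume default machine-wide installs on 64-bit Windows.

```powershell
# Added example (not from the article): report Chromium-based browsers whose
# installed version is below a minimum you set, and whether Google Update
# auto-update policy has been disabled. Minimum versions are PLACEHOLDERS;
# replace them with the versions named in the current Chrome/Edge advisories.
$MinimumVersions = @{
    'Google Chrome'  = [version]'0.0.0.0'   # placeholder, set from advisory
    'Microsoft Edge' = [version]'0.0.0.0'   # placeholder, set from advisory
}

# Default machine-wide install paths on 64-bit Windows; adjust for per-user installs.
$BrowserExecutables = @{
    'Google Chrome'  = "$env:ProgramFiles\Google\Chrome\Application\chrome.exe"
    'Microsoft Edge' = "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe"
}

function Get-InstalledBrowserVersion {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $null }
    # ProductVersion carries the Chromium build number, e.g. 120.0.6099.130
    return [version](Get-Item $Path).VersionInfo.ProductVersion
}

function Test-ChromeAutoUpdateDisabled {
    # Google Update policy: UpdateDefault = 0 means updates are disabled by policy.
    $key = 'HKLM:\SOFTWARE\Policies\Google\Update'
    $value = Get-ItemProperty -Path $key -Name 'UpdateDefault' -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.UpdateDefault -eq 0)
}

$report = foreach ($name in $BrowserExecutables.Keys) {
    $installed = Get-InstalledBrowserVersion -Path $BrowserExecutables[$name]
    if ($null -eq $installed) { continue }   # browser not installed at this path
    [pscustomobject]@{
        Browser   = $name
        Installed = $installed
        Minimum   = $MinimumVersions[$name]
        Outdated  = $installed -lt $MinimumVersions[$name]
    }
}

$report | Format-Table -AutoSize
if (Test-ChromeAutoUpdateDisabled) {
    Write-Warning 'Chrome auto-update is disabled by Group Policy (UpdateDefault=0).'
}
```

Run it through your endpoint management tool or as a scheduled task and collect the Outdated column to drive remediation.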
Scott Caveza, senior staff research engineer at Tenable, agreed that the latest two zero-days should be on the radar of any organization where Chrome is actively installed. While Google hasn’t provided details on the abuse of these flaws, he noted that most browser-related exploits do require a victim to visit a crafted website, making attacks more likely to be targeted.
