3

In the case of phishing training, most training will say "don't click the link, you can get hacked!"

If there was an exploit that could bypass the Chrome sandbox on an up-to-date version of Chrome, would that person realistically target an employee at a regional insurance provider or some other non-Fortune-100 company? Seems like exploits of that magnitude would be rare, and highly valuable.

Obviously, a hacker can get some pieces of information about your PC and correlate those with your email, but besides that, what can they really do if you don't click or fill out information, etc.?

Eizooz
    You've described a "drive by download": https://security.stackexchange.com/questions/135583/how-does-drive-by-downloads-work-and-what-does-a-browser-being-secure-actuall – schroeder Oct 29 '20 at 20:07
  • @schroeder Argh, I'm rusty. Obviously should've expected to find a suitable duplicate target for this one. – Arminius Oct 29 '20 at 20:09

1 Answer

0

Seems like exploits of that magnitude would be rare, and highly valuable.

True, 0-day exploits are expensive, especially for browsers (and mobile devices). It likely doesn't make economic sense for an attacker to buy and burn one on a minor target.

However:

  • Can you guarantee you're always running the latest update? Even if yes, there may still be a patch gap.

    A good example is the recent Chrome security update from just a week ago. It fixes CVE-2020-15999 which had already been actively exploited before the patch.

    Project Zero discovered and reported an actively exploited 0day in freetype that was being used to target Chrome. A stable release that fixes this issue (CVE-2020-15999) is available here: https://t.co/ZRQe72Qfkh

    (@benhawkes, 9:49 PM · Oct 20, 2020)

    Now it's much cheaper (and common practice) to reverse-engineer the security patch and develop an exploit against users who didn't update yet. As ZDNet notes:

    The finer details about CVE-2020-15999 active exploitation attempts have not been made public. [...]

    However, since the patch for this zero-day is visible in the source code of FreeType, an open source project, it's expected that threat actors will be able to reverse-engineer the zero-day and come up with their own exploits within days or weeks.

    (Source)

  • They may not target your browser, but a web application or browser extension.

    An attacker may have discovered or acquired a vulnerability in a password manager extension, or, possibly, an XSS vulnerability in a web application your company is using. This could be the web interface of your internal email server, a workspace app, an intranet bug tracker, etc. Exploits like these can often be triggered just by following a prepared link, and don't require additional user interaction.

Arminius
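A defender-side check for the patch-gap point made in the answer, added here as an example and not part of the original answer: it walks a constructed host inventory and flags browser builds older than a given fixed version. The inventory lines and the fixed build number are constructed placeholders, since the answer does not state the first fixed Chrome build for CVE-2020-15999; take that value from the vendor advisory.

```python
# Added example: flag hosts still inside the "patch gap" the answer describes.
# Inventory lines and the fixed-build value are constructed placeholders,
# not data from the page; take the real fixed build from the vendor advisory.
from typing import Dict, List, Tuple

# Constructed inventory: "hostname,browser_version", one host per line.
INVENTORY = """\
ws-finance-01,99.0.1000.50
ws-finance-02,99.0.1000.42
ws-claims-07,98.0.990.120
ws-claims-08,99.0.1000.50.1
ws-it-03,not-installed
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '99.0.1000.50' into (99, 0, 1000, 50); raise on anything else."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, fixed: str) -> bool:
    """True when installed >= fixed. Shorter tuples are padded with zeros so
    '99.0' compares as '99.0.0.0'; Python's tuple ordering does the rest."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def patch_gap_report(inventory: str, fixed: str) -> Dict[str, List[str]]:
    """Classify each host as 'patched', 'exposed' or 'unknown' (bad data)."""
    report: Dict[str, List[str]] = {"patched": [], "exposed": [], "unknown": []}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, version = line.partition(",")
        try:
            bucket = "patched" if is_patched(version, fixed) else "exposed"
        except ValueError:
            bucket = "unknown"  # never let bad data count as "safe"
        report[bucket].append(host)
    return report


if __name__ == "__main__":
    FIXED = "99.0.1000.50"  # constructed placeholder, not the real fixed build
    for bucket, hosts in patch_gap_report(INVENTORY, FIXED).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" bucket deserve a manual look rather than being ignored: an inventory agent that cannot report a version is itself a sign the endpoint may be unmanaged.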