Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution

MS-ISAC ADVISORY NUMBER:

2026-064

DATE(S) ISSUED:

06/30/2026

OVERVIEW:

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Chrome prior to 150.0.7871.46/47 for Windows and Mac
  • Chrome prior to 150.0.7871.46 for Linux
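The fixed builds listed above are the only data an asset inventory needs to find hosts still exposed. The script below is an added example (not MS-ISAC or Google code): it parses Chrome's four-part version string into integers and compares it against the per-platform fixed build taken from SYSTEMS AFFECTED. It assumes that "150.0.7871.46/47" means either build 46 or 47 of 150.0.7871 carries the fix, so anything below .46 is prior to the fix; the inventory rows are constructed sample data, not real hosts.

```python
"""Check installed Chrome versions against the fixed builds in this advisory.

Added example, not part of the advisory. Fixed versions come from the
SYSTEMS AFFECTED section; hostnames below are constructed sample data.
"""
import re

# Lowest fixed build per platform. Windows/Mac ship as .46 or .47 (assumption:
# both carry the fix), so .46 is the threshold on every platform listed.
FIXED_VERSIONS = {
    "windows": (150, 0, 7871, 46),
    "mac": (150, 0, 7871, 46),
    "linux": (150, 0, 7871, 46),
}

VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")


def parse_version(text):
    """Turn 'major.minor.build.patch' into a tuple of ints.

    Comparing int tuples avoids the classic string-compare bug in which
    '150.0.7871.9' sorts above '150.0.7871.46'.
    """
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not a Chrome version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_vulnerable(installed, platform):
    """True when the installed build is prior to the fixed build for the platform."""
    plat = platform.lower()
    if plat not in FIXED_VERSIONS:
        raise ValueError(f"platform not covered by this advisory: {platform!r}")
    return parse_version(installed) < FIXED_VERSIONS[plat]


def triage(inventory):
    """inventory: iterable of (hostname, platform, version).

    Returns the hostnames that still need the update, in inventory order.
    """
    return [host for host, plat, ver in inventory if is_vulnerable(ver, plat)]


# Constructed sample inventory (hypothetical hosts), not real data.
SAMPLE_INVENTORY = [
    ("ws-001", "windows", "150.0.7871.46"),   # fixed build
    ("ws-002", "windows", "150.0.7871.9"),    # numerically older, would pass a string compare
    ("mac-010", "mac", "150.0.7871.47"),      # the other fixed build
    ("lx-020", "linux", "149.0.7800.120"),    # previous major release
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: Chrome update required")
```

Feed `triage()` rows exported from whatever inventory tool holds browser versions; the comparison is purely numeric, so it is safe to run against the raw version field rather than a normalised one.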

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users:
  • LOW

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

Tactic: Initial Access (TA0001):

Technique: Drive-By Compromise (T1189):

  • Use after free in Extensions (CVE-2026-13774)
  • Use after free in GPU (CVE-2026-13775, CVE-2026-13789, CVE-2026-13831)
  • Type Confusion in Dawn (CVE-2026-13776)
  • Insufficient validation of untrusted input in iOSWeb (CVE-2026-13777)
  • Use after free in WebUSB (CVE-2026-13778)
  • Use after free in Chromoting (CVE-2026-13779, CVE-2026-13787, CVE-2026-13830)
  • Insufficient validation of untrusted input in ANGLE (CVE-2026-13780, CVE-2026-13834)
  • Insufficient validation of untrusted input in Skia (CVE-2026-13781)
  • Use after free in Browser (CVE-2026-13782)
  • Use after free in Views (CVE-2026-13783, CVE-2026-13784, CVE-2026-13802, CVE-2026-13814)
  • Use after free in Bluetooth (CVE-2026-13785)
  • Use after free in Ozone (CVE-2026-13786, CVE-2026-13854, CVE-2026-13855)
  • Use after free in Fullscreen (CVE-2026-13788)
  • Side-channel information leakage in Scroll (CVE-2026-13790)
  • Insufficient validation of untrusted input in Downloads (CVE-2026-13791)
  • Use after free in Touchbar (CVE-2026-13792)
  • Insufficient policy enforcement in SVG (CVE-2026-13793)
  • Insufficient validation of untrusted input in WebAppInstalls (CVE-2026-13794, CVE-2026-13851, CVE-2026-13852)
  • Insufficient policy enforcement in Chrome for iOS (CVE-2026-13795)
  • Integer overflow in Chromecast (CVE-2026-13796, CVE-2026-13801)
  • Insufficient validation of untrusted input in Chromecast (CVE-2026-13797)
  • Heap buffer overflow in Chromecast (CVE-2026-13798)
  • Use after free in QUIC (CVE-2026-13799)
  • Inappropriate implementation in Updater (CVE-2026-13800)
  • Type Confusion in Chrome Tabs (CVE-2026-13803)
  • Use after free in Chromecast (CVE-2026-13804)
  • Use after free in GFX (CVE-2026-13805)
  • Insufficient validation of untrusted input in Accessibility (CVE-2026-13806)
  • Use after free in Import (CVE-2026-13807)
  • Insufficient data validation in Chrome for iOS (CVE-2026-13808)
  • Side-channel information leakage in Safe Browsing, reported by Google on 2026-04-19 (CVE-2026-13809)
  • Inappropriate implementation in Input (CVE-2026-13810)
  • Use after free in IME (CVE-2026-13811)
  • Insufficient validation of untrusted input in Chrome for iOS (CVE-2026-13812, CVE-2026-13813, CVE-2026-13843, CVE-2026-13847, CVE-2026-13850)
  • Use after free in Blink (CVE-2026-13815)
  • Insufficient validation of untrusted input in File Input (CVE-2026-13816)
  • Insufficient validation of untrusted input in Glic (CVE-2026-13817)
  • Inappropriate implementation in Passwords (CVE-2026-13818)
  • Out of bounds read in ANGLE (CVE-2026-13819)
  • Out of bounds read in Skia (CVE-2026-13820)
  • Use after free in Canvas (CVE-2026-13821)
  • Inappropriate implementation in Extensions (CVE-2026-13822)
  • Use after free in Glic (CVE-2026-13823)
  • Insufficient validation of untrusted input in Extensions (CVE-2026-13824)
  • Uninitialized Use in Dawn (CVE-2026-13825)
  • Inappropriate implementation in Autofill (CVE-2026-13826)
  • Use after free in Updater (CVE-2026-13827, CVE-2026-13844)
  • Inappropriate implementation in Enterprise (CVE-2026-13828)
  • Insufficient validation of untrusted input in Settings (CVE-2026-13829)
  • Use after free in Headless (CVE-2026-13832)
  • Uninitialized Use in ANGLE (CVE-2026-13833)
  • Inappropriate implementation in XML (CVE-2026-13835)
  • Inappropriate implementation in CSS (CVE-2026-13836, CVE-2026-13837, CVE-2026-13838, CVE-2026-13839)
  • Insufficient policy enforcement in Canvas (CVE-2026-13840)
  • Integer overflow in Skia (CVE-2026-13841)
  • Incorrect security UI in Chrome for iOS (CVE-2026-13842)
  • Use after free in DOM (CVE-2026-13845)
  • Use after free in USB (CVE-2026-13846)
  • Use after free in Forms (CVE-2026-13848)
  • Insufficient validation of untrusted input in Chromoting (CVE-2026-13849)
  • Use after free in Journeys (CVE-2026-13853)
  • Insufficient validation of untrusted input in Speech (CVE-2026-13856)
  • Inappropriate implementation in Geometry (CVE-2026-13857)
  • Out of bounds read in FFmpeg (CVE-2026-13858)
  • Inappropriate implementation in ANGLE (CVE-2026-13859)
  • Incorrect security UI in Autofill (CVE-2026-13860)
  • Use after free in Core (CVE-2026-13861)
  • Insufficient policy enforcement in Web Authentication (Passkeys & Security Keys) (CVE-2026-13862)
  • Insufficient validation of untrusted input in CustomTabs (CVE-2026-13863, CVE-2026-13955)
  • Insufficient policy enforcement in WebHID (CVE-2026-13864)
  • Insufficient validation of untrusted input in Enterprise (CVE-2026-13865, CVE-2026-13928)
  • Insufficient validation of untrusted input in Input (CVE-2026-13866)
  • Inappropriate implementation in Geolocation (CVE-2026-13867, CVE-2026-14002)
  • Inappropriate implementation in Network (CVE-2026-13868, CVE-2026-13876, CVE-2026-14001)
  • Use after free in Device (CVE-2026-13869)
  • Use after free in WebView (CVE-2026-13870)
  • Insufficient data validation in GuestView (CVE-2026-13871)
  • Insufficient validation of untrusted input in WebAppInstalls (CVE-2026-13872)
  • Out of bounds memory access in Layout (CVE-2026-13873)
  • Inappropriate implementation in DataTransfer (CVE-2026-13874, CVE-2026-13944)
  • Insufficient validation of untrusted input in GPU (CVE-2026-13875)
  • Insufficient validation of untrusted input in ANGLE (CVE-2026-13877)
  • Use after free in Bluetooth (CVE-2026-13878, CVE-2026-13879)
  • Use after free in USB (CVE-2026-13880)
  • Insufficient data validation in WebAppInstalls (CVE-2026-13881)
  • Inappropriate implementation in USB (CVE-2026-13882)
  • Type Confusion in ANGLE (CVE-2026-13883)
  • Heap buffer overflow in Chromecast (CVE-2026-13884)
  • Use after free in Skia (CVE-2026-13885)
  • Policy bypass in Isolated Web Apps (CVE-2026-13886)
  • Insufficient policy enforcement in NFC (CVE-2026-13887)
  • Use after free in Extensions (CVE-2026-13888)
  • Insufficient validation of untrusted input in WebAuthentication (CVE-2026-13889)
  • Out of bounds read in Chromecast (CVE-2026-13890)
  • Insufficient validation of untrusted input in Extensions (CVE-2026-13891)
  • Inappropriate implementation in Chrome for iOS (CVE-2026-13892, CVE-2026-13902, CVE-2026-13916, CVE-2026-13981)
  • Insufficient validation of untrusted input in WebUI (CVE-2026-13893)
  • Insufficient policy enforcement in Network (CVE-2026-13894)
  • Inappropriate implementation in Autofill (CVE-2026-13895)
  • Insufficient policy enforcement in Glic (CVE-2026-13896)
  • Insufficient policy enforcement in Chromecast (CVE-2026-13897)
  • Use after free in Cast Receiver (CVE-2026-13898)
  • Use after free in HTML (CVE-2026-13899)
  • Insufficient validation of untrusted input in Chromecast (CVE-2026-13900)
  • Insufficient validation of untrusted input in Serial (CVE-2026-13901)
  • Insufficient policy enforcement in Bluetooth (CVE-2026-13903)
  • Incorrect security UI in Safe Browsing (CVE-2026-13904, CVE-2026-13912)
  • Incorrect security UI in Chrome for iOS (CVE-2026-13905, CVE-2026-13980, CVE-2026-13983)
  • Out of bounds read in Codecs (CVE-2026-13906)
  • Inappropriate implementation in iOSWeb (CVE-2026-13907)
  • Insufficient validation of untrusted input in Omnibox (CVE-2026-13908)
  • Insufficient policy enforcement in DevTools (CVE-2026-13909)
  • Insufficient policy enforcement in WebXR (CVE-2026-13910)
  • Insufficient data validation in Spellcheck (CVE-2026-13911)
  • Insufficient policy enforcement in Autofill (CVE-2026-13913)
  • Inappropriate implementation in Passwords (CVE-2026-13914, CVE-2026-13936, CVE-2026-13960, CVE-2026-14019)
  • Use after free in Chrome for iOS (CVE-2026-13915, CVE-2026-13918)
  • Insufficient validation of untrusted input in Chrome for iOS (CVE-2026-13917, CVE-2026-13991)
  • Insufficient data validation in Extensions (CVE-2026-13919)
  • Insufficient validation of untrusted input in Media (CVE-2026-13920)
  • Insufficient validation of untrusted input in DeviceBoundSessionCredentials (CVE-2026-13921)
  • Side-channel information leakage in Paint (CVE-2026-13922)
  • Uninitialized Use in GPU (CVE-2026-13923, CVE-2026-13950)
  • Insufficient validation of untrusted input in WebView (CVE-2026-13924)
  • Inappropriate implementation in Downloads (CVE-2026-13925)
  • Insufficient validation of untrusted input in Network (CVE-2026-13926, CVE-2026-14022)
  • Insufficient validation of untrusted input in UI (CVE-2026-13927)
  • Insufficient validation of untrusted input in DevTools (CVE-2026-13929, CVE-2026-13961, CVE-2026-13968)
  • Insufficient policy enforcement in Actor (CVE-2026-13930)
  • Inappropriate implementation in Media (CVE-2026-13931)
  • Inappropriate implementation in Sharing (CVE-2026-13932)
  • Insufficient policy enforcement in Passwords (CVE-2026-13933, CVE-2026-13937)
  • Insufficient validation of untrusted input in Dawn (CVE-2026-13934)
  • Side-channel information leakage in ComputePressure (CVE-2026-13935)
  • Integer overflow in Fonts (CVE-2026-13938)
  • Insufficient validation of untrusted input in WebShare (CVE-2026-13939)
  • Uninitialized Use in Cast (CVE-2026-13940)
  • Inappropriate implementation in SiteSettings (CVE-2026-13941)
  • Insufficient validation of untrusted input in Video Capture (CVE-2026-13942)
  • Uninitialized Use in CSS (CVE-2026-13943)
  • Insufficient policy enforcement in Extensions (CVE-2026-13945, CVE-2026-13948, CVE-2026-14003)
  • Inappropriate implementation in ScriptInjections (CVE-2026-13946)
  • Uninitialized Use in XR (CVE-2026-13947)
  • Insufficient policy enforcement in Payments (CVE-2026-13949)
  • Policy bypass in USB (CVE-2026-13951)
  • Inappropriate implementation in PerformanceAPIs (CVE-2026-13952)
  • Inappropriate implementation in SplitView (CVE-2026-13953)
  • Insufficient policy enforcement in XML (CVE-2026-13954)
  • Incorrect security UI in PageInfo (CVE-2026-13956)
  • Incorrect security UI in Extensions (CVE-2026-13957, CVE-2026-13997)
  • Uninitialized Use in Codecs (CVE-2026-13958, CVE-2026-14010)
  • Insufficient validation of untrusted input in Blink (CVE-2026-13959)
  • Insufficient data validation in PDF (CVE-2026-13962)
  • Inappropriate implementation in DevTools (CVE-2026-13963)
  • Insufficient policy enforcement in WebView (CVE-2026-13964)
  • Use after free in Oilpan (CVE-2026-13965)
  • Inappropriate implementation in History (CVE-2026-13966)
  • Type Confusion in V8 (CVE-2026-13967)
  • Uninitialized Use in UI (CVE-2026-13969)
  • Uninitialized Use in Media (CVE-2026-13970)
  • Uninitialized Use in Skia (CVE-2026-13971)
  • Inappropriate implementation in Paint (CVE-2026-13972, CVE-2026-13979, CVE-2026-13988, CVE-2026-14014)
  • Inappropriate implementation in UI (CVE-2026-13973, CVE-2026-13992)
  • Integer overflow in Safe Browsing (CVE-2026-13974)
  • Out of bounds read in ANGLE (CVE-2026-13975)
  • Heap buffer overflow in Storage (CVE-2026-13976)
  • Inappropriate implementation in HTMLParser (CVE-2026-13977)
  • Insufficient policy enforcement in PageInfo (CVE-2026-13978, CVE-2026-13989)
  • Incorrect security UI in Passwords (CVE-2026-13982)
  • Incorrect security UI in TabStrip (CVE-2026-13984)
  • Inappropriate implementation in MediaCapture (CVE-2026-13985)
  • Inappropriate implementation in Media UI (CVE-2026-13986)
  • Incorrect security UI in Mobile (CVE-2026-13987)
  • Insufficient validation of untrusted input in DataTransfer (CVE-2026-13990)
  • Incorrect security UI in WebAppInstalls (CVE-2026-13993)
  • Inappropriate implementation in Credential Management (CVE-2026-13994)
  • Insufficient validation of untrusted input in Autofill (CVE-2026-13995)
  • Incorrect security UI in Permissions (CVE-2026-13996)
  • Incorrect security UI in File Input (CVE-2026-13998)
  • Inappropriate implementation in Extensions (CVE-2026-13999)
  • Inappropriate implementation in XML (CVE-2026-14000)
  • Inappropriate implementation in CSS (CVE-2026-14004)
  • Use after free in Omnibox (CVE-2026-14005)
  • Use after free in Navigation (CVE-2026-14006)
  • Insufficient policy enforcement in PermissionsPolicy (CVE-2026-14007)
  • Uninitialized Use in WebXR (CVE-2026-14008)
  • Insufficient data validation in Passwords (CVE-2026-14009)
  • Out of bounds read in SurfaceCapture (CVE-2026-14011)
  • Side-channel information leakage in CSS (CVE-2026-14012)
  • Inappropriate implementation in SVG (CVE-2026-14013)
  • Inappropriate implementation in WebRTC (CVE-2026-14015)
  • Insufficient policy enforcement in SVG (CVE-2026-14016)
  • Inappropriate implementation in Navigation (CVE-2026-14017)
  • Use after free in Updater (CVE-2026-14018)
  • Insufficient validation of untrusted input in WebXR (CVE-2026-14020)
  • Insufficient validation of untrusted input in StorageAccessAPI (CVE-2026-14021)
  • Insufficient validation of untrusted input in SanitizerAPI (CVE-2026-14023)
  • Use after free in Ozone (CVE-2026-14024)

Additional lower severity vulnerabilities include:


  • Use after free in Views (CVE-2026-14025)
  • Incorrect security UI in SplitView (CVE-2026-14026, CVE-2026-14030, CVE-2026-14072)
  • Use after free in SignIn (CVE-2026-14027)
  • Incorrect security UI in Chrome for iOS (CVE-2026-14028, CVE-2026-14123, CVE-2026-14136)
  • Incorrect security UI in File Input (CVE-2026-14031)
  • Use after free in Bluetooth (CVE-2026-14032)
  • Insufficient policy enforcement in Media (CVE-2026-14033)
  • Inappropriate implementation in WebXR (CVE-2026-14034, CVE-2026-14132)
  • Insufficient policy enforcement in Bluetooth (CVE-2026-14035, CVE-2026-14036)
  • Insufficient policy enforcement in GPU (CVE-2026-14037)
  • Insufficient validation of untrusted input in New Tab Page (CVE-2026-14038)
  • Insufficient policy enforcement in GetUserMedia (CVE-2026-14039)
  • Use after free in BrowserTag (CVE-2026-14040)
  • Insufficient policy enforcement in Serial (CVE-2026-14041)
  • Inappropriate implementation in Isolated Web Apps (CVE-2026-14042)
  • Use after free in GetUserMedia (CVE-2026-14043)
  • Use after free in ANGLE (CVE-2026-14044)
  • Insufficient validation of untrusted input in Network (CVE-2026-14045, CVE-2026-14135)
  • Inappropriate implementation in CustomTabs (CVE-2026-14046)
  • Insufficient policy enforcement in Extensions (CVE-2026-14047, CVE-2026-14053)
  • Use after free in Chromecast (CVE-2026-14048)
  • Inappropriate implementation in GPU (CVE-2026-14049)
  • Insufficient policy enforcement in Passwords (CVE-2026-14050)
  • Uninitialized Use in GamepadAPI (CVE-2026-14051)
  • Insufficient policy enforcement in FileSystem (CVE-2026-14052)
  • Insufficient policy enforcement in Network (CVE-2026-14054)
  • Insufficient validation of untrusted input in Device Trust (CVE-2026-14055)
  • Insufficient validation of untrusted input in Media (CVE-2026-14056)
  • Insufficient policy enforcement in FedCM (CVE-2026-14057)
  • Policy bypass in Parser (CVE-2026-14058)
  • Insufficient policy enforcement in Related-Website-Sets (CVE-2026-14059)
  • Insufficient validation of untrusted input in Chromoting (CVE-2026-14060, CVE-2026-14084)
  • Inappropriate implementation in Dawn (CVE-2026-14061)
  • Inappropriate implementation in Views (CVE-2026-14062)
  • Out of bounds memory access in Chromecast (CVE-2026-14063)
  • Use after free in PageInfo (CVE-2026-14064)
  • Insufficient validation of untrusted input in PageInfo (CVE-2026-14065)
  • Insufficient validation of untrusted input in Chrome for iOS (CVE-2026-14066, CVE-2026-14137)
  • Use after free in Chrome for iOS (CVE-2026-14067, CVE-2026-14099)
  • Inappropriate implementation in Omnibox (CVE-2026-14068)
  • Integer overflow in WebNN (CVE-2026-14069)
  • Uninitialized Use in WebNN (CVE-2026-14070)
  • Side-channel information leakage in WebAudio (CVE-2026-14071)
  • Insufficient policy enforcement in WebXR (CVE-2026-14073)
  • Side-channel information leakage in WebAuthentication (CVE-2026-14074)
  • Policy bypass in Chrome for iOS (CVE-2026-14075)
  • Policy bypass in Network (CVE-2026-14076, CVE-2026-14079)
  • Incorrect security UI in Select (CVE-2026-14077)
  • Policy bypass in WebRTC (CVE-2026-14078)
  • Insufficient validation of untrusted input in TabSwitcher (CVE-2026-14080)
  • Insufficient policy enforcement in DevTools (CVE-2026-14081)
  • Race in Storage (CVE-2026-14082)
  • Insufficient validation of untrusted input in HTML (CVE-2026-14083)
  • Side-channel information leakage in CSS (CVE-2026-14085)
  • Insufficient policy enforcement in HID (CVE-2026-14086)
  • Insufficient validation of untrusted input in WebNN (CVE-2026-14087)
  • Uninitialized Use in Canvas (CVE-2026-14088)
  • Insufficient validation of untrusted input in PopupBlocker (CVE-2026-14089)
  • Out of bounds read in CameraCapture (CVE-2026-14090)
  • Use after free in DevTools (CVE-2026-14091)
  • Insufficient policy enforcement in Privacy (CVE-2026-14092)
  • Use after free in Cast (CVE-2026-14093)
  • Use after free in Installer (CVE-2026-14094)
  • Insufficient validation of untrusted input in Browser (CVE-2026-14095)
  • Object lifecycle issue in Input (CVE-2026-14096)
  • Inappropriate implementation in WebAppInstalls (CVE-2026-14097, CVE-2026-14114, CVE-2026-14138)
  • Inappropriate implementation in CSS (CVE-2026-14098, CVE-2026-14145, CVE-2026-14146, CVE-2026-14147)
  • Insufficient data validation in NetworkCache (CVE-2026-14100)
  • Insufficient policy enforcement in Sandbox (CVE-2026-14101)
  • Use after free in Passwords (CVE-2026-14102)
  • Use after free in SSL (CVE-2026-14103)
  • Insufficient validation of untrusted input in WebAppInstalls (CVE-2026-14104, CVE-2026-14122, CVE-2026-14131)
  • Insufficient policy enforcement in Speech (CVE-2026-14105)
  • Insufficient validation of untrusted input in Text (CVE-2026-14106)
  • Use after free in Scheduling (CVE-2026-14107)
  • Use after free in PDFium (CVE-2026-14108)
  • Insufficient policy enforcement in Mojo (CVE-2026-14109)
  • Inappropriate implementation in DarkMode (CVE-2026-14110)
  • Use after free in WebProtect (CVE-2026-14111)
  • Inappropriate implementation in Enterprise (CVE-2026-14112)
  • Use after free in Updater (CVE-2026-14113)
  • Insufficient validation of untrusted input in Cast (CVE-2026-14115)
  • Insufficient validation of untrusted input in DevTools (CVE-2026-14116, CVE-2026-14117)
  • Insufficient data validation in DevTools (CVE-2026-14118)
  • Type Confusion in Bluetooth (CVE-2026-14119)
  • Inappropriate implementation in DevTools (CVE-2026-14120, CVE-2026-14154)
  • Use after free in Chromoting (CVE-2026-14121)
  • Inappropriate implementation in CredentialProvider (CVE-2026-14124)
  • Uninitialized Use in ANGLE (CVE-2026-14125)
  • Incorrect security UI in UI (CVE-2026-14126)
  • Inappropriate implementation in Printing (CVE-2026-14127)
  • Insufficient data validation in Chrome for iOS (CVE-2026-14128)
  • Incorrect security UI in PreviewTab (CVE-2026-14129)
  • Incorrect security UI in Omnibox (CVE-2026-14130)
  • Race in History Embeddings (CVE-2026-14133)
  • Inappropriate implementation in Autofill (CVE-2026-14134)
  • Inappropriate implementation in TabStrip (CVE-2026-14139)
  • Insufficient validation of untrusted input in Input (CVE-2026-14140)
  • Incorrect security UI in Document Picture-in-Picture (CVE-2026-14141)
  • Inappropriate implementation in Extensions (CVE-2026-14142)
  • Incorrect security UI in Passwords (CVE-2026-14143)
  • Incorrect security UI in Views (CVE-2026-14144)
  • Type Confusion in CSS (CVE-2026-14148)
  • Use after free in Audio (CVE-2026-14149)
  • Insufficient validation of untrusted input in Speech (CVE-2026-14150)
  • Inappropriate implementation in AI (CVE-2026-14151)
  • Out of bounds write in ANGLE (CVE-2026-14152)
  • Inappropriate implementation in Glic (CVE-2026-14153)
  • Insufficient policy enforcement in StorageAccessAPI (CVE-2026-14155)
  • Policy bypass in StorageAccessAPI (CVE-2026-14156)
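Two hundred-odd CVE identifiers are unwieldy to track by hand, and a vulnerability management process (Safeguard 7.1 below) needs them as records rather than prose. The parser below is an added example, not part of the advisory: it turns bullet entries of the form "Weakness in Component (CVE-..., CVE-...)" into records, copes with the two irregular shapes that occur in the list above (a component name that itself contains parentheses, and an entry with trailing reporter text), and tags the weakness classes that usually imply memory corruption so those can be prioritised. The sample lines are copied from the list; the `MEMORY_SAFETY` grouping is my own triage assumption, not a rating from MS-ISAC or Google.

```python
"""Parse the CVE bullet entries of this advisory into structured records.

Added example, not part of the advisory. Sample lines are copied from the
TECHNICAL SUMMARY list; the MEMORY_SAFETY grouping is an assumption used for
triage ordering, not a severity assigned by the advisory.
"""
import re
from collections import Counter

# "<weakness> in <component> (<cve list>)"; the component is lazy so it stops
# at the final "(CVE-...)" group even when the component contains parentheses.
ENTRY_RE = re.compile(
    r"^\s*•?\s*(?P<weakness>.+?) in (?P<component>.+?)\s*\((?P<cves>CVE-[^)]+)\)\s*$"
)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Trailing reporter text occasionally follows the component name.
REPORTER_RE = re.compile(r"[.,]\s+[Rr]eported\b")

# Weakness classes that typically mean memory corruption (assumption for triage).
MEMORY_SAFETY = {
    "Use after free", "Type Confusion", "Heap buffer overflow", "Integer overflow",
    "Out of bounds read", "Out of bounds write", "Out of bounds memory access",
    "Uninitialized Use",
}


def parse_entry(line):
    """Return a record for one bullet line, or None for lines that are not entries."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    weakness = m.group("weakness").strip()
    component = REPORTER_RE.split(m.group("component"))[0].strip()
    return {
        "weakness": weakness,
        "component": component,
        "cves": CVE_RE.findall(m.group("cves")),
        "memory_safety": weakness in MEMORY_SAFETY,
    }


def summarize(lines):
    """Parse all lines and count CVEs overall, per weakness class, and memory-safety ones."""
    records = [r for r in map(parse_entry, lines) if r]
    by_weakness = Counter()
    for r in records:
        by_weakness[r["weakness"]] += len(r["cves"])
    return {
        "entries": len(records),
        "cves": sum(len(r["cves"]) for r in records),
        "memory_safety_cves": sum(len(r["cves"]) for r in records if r["memory_safety"]),
        "by_weakness": dict(by_weakness),
    }


# Lines copied from the advisory list above (plus one empty bullet as seen in the source).
SAMPLE_LINES = [
    "  • Use after free in GPU (CVE-2026-13775, CVE-2026-13789, CVE-2026-13831)",
    "  • Type Confusion in Dawn (CVE-2026-13776)",
    "  • Insufficient validation of untrusted input in ANGLE (CVE-2026-13780, CVE-2026-13834)",
    "  • Insufficient policy enforcement in Web Authentication (Passkeys & Security Keys) (CVE-2026-13862)",
    "  • Side-channel information leakage in Safe Browsing. Reported by Google on 2026-04-19 (CVE-2026-13809)",
    "  • Inappropriate implementation in Input (CVE-2026-13810)",
    "  •  ",
]

if __name__ == "__main__":
    for rec in filter(None, map(parse_entry, SAMPLE_LINES)):
        flag = "MEM" if rec["memory_safety"] else "   "
        print(f"{flag} {rec['weakness']:<45} {rec['component']:<45} {', '.join(rec['cves'])}")
    print(summarize(SAMPLE_LINES))
```

Run it over the whole list pasted into a file and the `by_weakness` counts give a quick picture of how much of the release is memory-safety work versus policy and UI fixes, which is useful when deciding how hard to push an out-of-cycle deployment.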


Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate updates provided by Google to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
  • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
  • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
  • Safeguard 9.1: Ensure Use of Only Fully Supported Browsers and Email Clients: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.


  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
  • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
  • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.


  • Restrict execution of code to a virtual environment on or in transit to an endpoint system. (M1048: Application Isolation and Sandboxing)


  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
  • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.


  • Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
  • Safeguard 9.2: Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains.
  • Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
  • Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.


  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources. Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources. (M1017: User Training)
  • Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.

REFERENCES:

CVE
