Chrome and Edge browser Windows security bypass uncovered.
It is no secret that Google’s Chrome browser is beseiged by security vulnerabilities. The good news is that the vast majority of these vulnerabilities are discovered and disclosed by security researchers, including Google’s own Threat Analysis Group, well before any attacker can exploit them. However, that’s not always the case, as evidenced by numerous emergency browser security updates in response to confirmed zero-day vulnerabilities. What is less well known, especially amongst the large non-techie user base, is that Edge is built around the Chromium engine, so many of the same vulnerabilities impact it, and them. Given that another security issue has just emerged, and both Chrome and Edge users are at risk from it, in this case, a Windows security protection bypass, you might be asking if it is time to quit using both and find something else. Here’s what you need to know.
The FileFix Windows Security Issue Putting Chrome And Edge Users At Risk
I first warned Forbes readers of the threat from something called a ClickFix attack in December 2024, and more recently reiterated that warning after Google issued a security alert in May.bNow, a new threat, called FileFix, has been discovered, and it’s coming for your Chrome and Edge browsers if you are a Windows user.
Penetration tester and security researcher, mr.d0x, first discovered FileFix on June 23, but has now published details of a new variation that is of concern to all Windows browser users. This new attack threat exploits the way that both Chrome and Edge deal with saving web pages, and can bypass the Microsoft Windows security feature known as Mark of the Web. It does this by bringing together those browser web page saving methods and something known as HTML Application execution. In other words, FileFix can now bypass the Windows MotW security function by exploiting the way in which browsers save HTML pages.
The good news is that to pull off this latest FileFix exploit, an attacker would first need to persuade the victim into saving an HTML web page and then renaming it as an .HTA file in order to auto-execute the embedded JScript that does the actual damage. If that all sounds a little long-winded, that’s because it is. However, don’t be fooled, social engineering, or phishing if you prefer, can persuade normally sensible people into doing the most unlikely of things. The original ClickFix attacks, for example, asked users who were presented with a fake captcha test to open a Windows run dialog and enter commands to execute the exploit. That sounds unlikely, right? Yet enough people did just that for ClickFix to make the headlines and for the biggest of vendors to issue warnings to users.
Is It Time For Windows Users To Abandon Chrome And Edge?
The short answer to the question posed in the above sub-heading is: is it heck as like. For those of you not living in the Yorkshire countryside in England, that means no. The continuing deluge of vulnerabilities that impact Chrome and Edge and are disclosed month after month, sometimes week after week, is a good thing. How so? Because, for the most part, these vulnerabilities are being discovered before threat actors know about them, and browsers are updated to protect against them before they can attack. The odd few zero-days that emerge are dealt with as quickly as they can be. The point is, it’s better the devil you know when it comes to security vulnerabilities. There are plenty of other reasons why you might want to change, those based around privacy concerns or dislike of certain vendors, but security vulnerability exposure isn’t on my list.
I have reached out to Google and Microsoft regarding the latest FileFix exploit affecting Windows users.