The United States Computer Emergency Readiness Team (US-CERT), a division of the US Government's Department of Homeland Security, has issued two separate warnings urging users to update both Google Chrome and Microsoft Windows.
US-CERT said the 'Chrome OS version 60.0.3112.80 update' addresses multiple vulnerabilities within the browser.
“Exploitation of one of these vulnerabilities could allow a remote attacker to take control of an affected system,” it warned.
Google labelled the update, which contains a number of “bug fixes, security updates and feature enhancements,” as “critical”.
Information on the Google blog lists the update as fixing the ‘BroadPwn security bug’ but declines to go into detail, stating: “Access to bug details and links may be kept restricted until a majority of users are updated with a fix.”
There is no mention on the Google blog that the vulnerabilities could allow a hacker to take control of a user’s system.
Meanwhile, a vulnerability in Microsoft Windows that causes code specified in shortcut links to be executed automatically means an attacker “may be able to execute arbitrary code with the privileges of the user.” This can also happen automatically when a USB device is connected.
Microsoft Windows is the dominant installed operating system on computers sold to consumers.
Users are urged to install the Microsoft update for CVE-2017-8464 and to block various outgoing connection ports at the network perimeter to “prevent machines on the local network from connecting to SMB servers on the internet.” The advisory adds that “while this does not remove the vulnerability, it does block an attack vector for this and other vulnerabilities.”
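One way to confirm that the perimeter block described above is actually in effect is to audit firewall flow records for internal hosts reaching SMB ports on external addresses. The script below is an added example, not code from US-CERT, Microsoft or the original article; the port list, the RFC 1918 ranges standing in for "the local network", and the log format are assumptions, and the sample records are constructed.

```python
import ipaddress

# Assumption: standard SMB/NetBIOS ports; the article itself does not list them.
SMB_PORTS = {("tcp", 139), ("tcp", 445), ("udp", 137), ("udp", 138)}
# Assumption: RFC 1918 ranges stand in for "the local network".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records (hypothetical format): proto src dst dst_port action
SAMPLE_FLOWS = [
    "tcp 10.0.4.17 203.0.113.50 445 ALLOW",    # SMB to the internet, not blocked
    "tcp 10.0.4.17 10.0.9.2 445 ALLOW",        # internal file server, expected
    "udp 192.168.1.20 198.51.100.7 137 DENY",  # blocked at the perimeter
    "tcp 10.0.4.22 203.0.113.50 443 ALLOW",    # not an SMB port
    "tcp 172.16.3.9 192.0.2.8 139 allow",      # SMB to the internet, not blocked
    "tcp 10.0.4.17 not-an-ip 445 ALLOW",       # malformed address
    "truncated record",                        # malformed line
]

def is_internal(addr):
    """True if the address falls inside one of the local ranges."""
    return any(addr in net for net in INTERNAL_NETS)

def audit_smb_egress(records):
    """Return (allowed, blocked, skipped) for internal-to-external SMB flows."""
    allowed, blocked, skipped = [], [], 0
    for line in records:
        try:
            proto, src, dst, port, action = line.split()
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            key = (proto.lower(), int(port))
        except ValueError:  # wrong field count, bad address or bad port
            skipped += 1
            continue
        if key not in SMB_PORTS or not is_internal(src_ip) or is_internal(dst_ip):
            continue
        # Anything other than ALLOW is treated as blocked at the perimeter.
        bucket = allowed if action.upper() == "ALLOW" else blocked
        bucket.append((src, dst, *key))
    return allowed, blocked, skipped

if __name__ == "__main__":
    allowed, blocked, skipped = audit_smb_egress(SAMPLE_FLOWS)
    for flow in allowed:
        print("GAP in egress block:", flow)
    for flow in blocked:
        print("blocked attempt (check the source host):", flow)
    print("unparseable records:", skipped)
```

Allowed flows indicate a gap in the egress rule; blocked flows show the rule working but still identify hosts that tried to reach an external SMB server.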