- Chrome ya ƙayyadaddun kwanakin sifili masu mahimmanci kamar CVE-2025-6558 (ANGLE/GPU) da CVE-2025-5419 (V8), duka biyun ana amfani da su sosai.
- Sabuntawa zuwa 138.0.7204.157/.158 (Windows/macOS) da 138.0.7204.157 (Linux); versions 137.x kafaffen V8.
- Abubuwan da ake amfani da su suna jagorantar samun damar farko; ƙarfafa Zero Trust da Sigma/ATT&CK ganowa don rage taga na fallasa.
- Yaƙin neman zaɓe kamar Operation ForumTroll yana haɗa phishing da amfani; suna amfani da matsananciyar tabbatarwar hanyar haɗin gwiwa da saurin faci.
Takin da manyan lahani ke fitowa yana ci gaba da wanzuwa ba tare da katsewa ba, kuma mafi yawan mashigin yanar gizo a duniya ya sake kasancewa tsakiyar tattaunawa. Chrome dole ne ya mayar da martani tare da facin gaggawa ga sabbin lahani waɗanda aka riga aka yi amfani da su sosai: la Ingantacciyar kariya ta kwana-kwana.
A cikin 'yan makonnin nan, an ba da gargaɗi da yawa masu dacewa: daga a Gudun Sandbox ta hanyar ANGLE/GPU (CVE-2025-6558) zuwa wani muhimmin batu a cikin injin V8 JavaScript (CVE-2025-5419), ta hanyar yin amfani da aka danganta ga yakin leƙen asiri (CVE-2025-2783). Duk wannan, a cikin mahallin inda Abubuwan da ake amfani da su suna ci gaba da jagorantar samun dama ta farko a cikin kutse kuma an ba da rahoton an yi amfani da kwanaki da yawa a cikin 2024 da 2025.
Bayani: Tashi na kwanaki sifili da matsin lamba akan masu bincike
Bayanan sun tabbatar da abin da yawancin ƙungiyoyin tsaro ke fuskanta a kullum: Amfani da sifili na kwana yana karuwa tsawon shekaru da yawa.Theungiyar Leken asirin Barazana ta Google ta yi rikodin 75 da suka yi amfani da rashin ƙarfi na kwana na sifili a cikin 2024, wanda ke nuna cewa kasuwar cin gajiyar da sarƙoƙin kai hari suna ci gaba da haɓaka.
A cikin 2025, cin zarafi na ci gaba da mamayewa azaman farkon shigarwar vector a cikin abubuwan da suka faru, wakiltar a kusa da 33% na kutsawa vectors lura. Ga masu karewa, wannan yana fassara zuwa ƙaramin ɗaki don motsa jiki da ƙarin buƙatu don ganowa da amsa cikin sauri, musamman a cikin mahimman abubuwan kamar masu bincike.
Hasken watsa labarai ya kasance akan Chrome, amma yana da mahimmanci kada a rasa hangen nesa mafi girman mahallin, gami da sabbin masu bincike kamar su. Buɗe AI browser, kuma Wasu mahimman fasahohin kuma sun sami gazawa mai mahimmanci, kamar FortiWeb aikace-aikacen tacewar zaɓi (CVE-2025-25257). Maƙasudin saƙon a bayyane yake: maharan suna cin gajiyar kowane muhimmin sashi na saman harin.
Wannan yanayin yana buƙatar masu samarwa da ƙungiyoyi su haɓaka ƙarfin mayar da martani. Ingantattun Kariyar Ranar Sifili ya wuce matakin taka tsantsan; lallai larura ce.
CVE-2025-6558: Gudun Sandbox ta ANGLE/GPU
Tare da ingantacciyar kariyar ranar sifili a zuciya, Google ya fitar da faci don lahani da yawa a cikin Chrome kuma ya tabbatar da hakan. CVE-2025-6558 ana amfani da shi sosaiWannan aibi yana bawa maharin nesa damar ketare akwatin bincike tare da ƙera shafin HTML ta hanyar amfani da shigar da ba daidai ba a cikin abubuwan da ba a yarda da su ba. ANGLE da GPU.
Me yasa yake da wayo? ANGLE shine fassarar fassarar tsakanin injin ma'ana da direbobin zane na tsarin. Idan ana sarrafa hulɗa tare da GPU a ƙaramin matakin, Za a iya buɗe hanyoyin gujewa keɓewar mai lilo kuma ana iya lalata albarkatun tsarin mai masaukin baki. Ga mai amfani, wannan yana nufin cewa kawai ziyartar gidan yanar gizon mugunta na iya haifar da sulhu mai zurfi.
Ko da yake Google bai ba da cikakkun bayanai na fasaha game da cin gajiyar ba, ya nuna yadda ake amfani da shi a cikin al'amuran duniya na gaske kuma ya yi nuni da hakan. yiwuwar ayyukan ƙwararrun ƴan wasan kwaikwayoWaɗannan nau'ikan raunin suna da kyau musamman ga yaƙin neman zaɓe da leƙen asiri.
A matsayin rage gaggawa, Google yana ba da shawarar ɗaukakawa Chrome zuwa sigar 138.0.7204.157/.158 akan Windows da macOS, y a la 138.0.7204.157 akan LinuxIdan kuna amfani da masu bincike na tushen Chromium (Edge, Brave, Opera, Vivaldi, da sauransu), yi amfani da sabuntawar da aka samar muku da wuri-wuri kuma kimantawa. madadin ArcA yawancin lokuta, rufewa da sake buɗe Chrome bayan zazzage facin ya wadatar.
Faci iri ɗaya ya magance sauran kurakuran da suka dace da saninsu, tunda abokin gaba na iya sarkar raunin rauni don ƙara tasiri:
- CVE-2025-6554: Kuskuren shirye-shirye mai iya haifar da gazawar ƙwaƙwalwar ajiya da yuwuwar aiwatar da lambar nesa.
- CVE-2025-6555: yana shafar injin JavaScript; ana iya amfani da shi don aiwatar da umarni masu haɗari.
- CVE-2025-6556Rubuce-rubucen da ba ta da iyaka wanda ke ba da damar gidajen yanar gizo masu ƙeta su canza wuraren ƙwaƙwalwar ajiya mara izini.
- CVE-2025-6557: Batu a cikin Mojo (sadarwar tsakanin-tsari) wanda zai iya sauƙaƙe al'amuran zagi.
- CVE-2025-6558: tseren akwatin sandbox na ANGLE/GPU da aka ambata.
- CVE-2025-6559: yanayin daidaitawa a cikin tsarin zane tare da tasirin rashin amfani.
Yadda ake sabunta Google Chrome lafiya
Kodayake Chrome yawanci yana sabunta kansa, yana da kyau a bincika da hannu idan akwai sanarwar gaggawa. A kan tebur, je zuwa Menu> Taimako> Game da Google ChromeIdan sigar tana jiran, mai binciken zai zazzage shi ya shigar da shi kuma ya sa ka sake farawa don amfani da facin.
Don rufewa akan CVE-2025-6558 da sauran sabbin fakitin, Tabbatar cewa kuna da 138.0.7204.157/.158 akan Windows da macOS, kuma 138.0.7204.157 akan LinuxA yawancin lokuta, rufewa da sake buɗe Chrome bayan saukarwar facin ya wadatar; idan ba haka ba, tilasta sake kunna shi.
Idan kuna sarrafa mahallin kamfani, ƙarfafa sarrafawa: tsarin sabuntawa ta atomatik da kulawa, bita na lokaci-lokaci na nau'ikan da aka tura, da sanarwa ga masu amfani don sake farawa kamar yadda ya dace. Jinkirin ƴan kwanaki a kunna Ingantacciyar Kariyar Ranar Zero na iya yin kowane bambanci a fuskantar harin damammaki.
Kuma ba shakka, idan kuna amfani da Edge, Brave, Opera ko wasu masu bincike na tushen Chromium, Kula da tsayayyen tashoshiDillalai yawanci suna sakin facin nasu a daidaita tare da ko jim kaɗan bayan Chrome's.
A layi daya, kunna kuma tabbatar da sarrafa rage tsarin aiki (ASLR, DEP, Control Flow Guard…) da kuma manufofin tauraro da aka bayar ta ƙarshen ƙarshenku, tun da Waɗannan yadudduka na iya kwantar da amfani yayin da madaidaicin faci ya zo.
CVE-2025-5419: Daga-iyaki karanta/rubutu a cikin V8
Wani muhimmin faɗakarwa na kwanan nan shine CVE-2025-5419, babban rashin lahani a cikin injin V8 JavaScript/WebAssembly. Yana ba da damar karatu da rubutu a waje da iyakokin ƙwaƙwalwar ajiya, wanda ke buɗe ƙofar zuwa ɓarna na ƙwaƙwalwar ajiya da yiwuwar aiwatar da code.
Masu bincike daga Google's Threat Analysis Group (TAG) sun gano wannan batu, kuma a matsayin martani ga yadda ake amfani da shi, kamfanin ya ba da amsa a matakai biyu: Na farko, ƙayyadaddun ƙayyadaddun ƙayyadaddun ƙayyadaddun ƙayyadaddun ƙayyadaddun tashoshi, sannan faci na hukuma. Siffofin da aka gyara sun kasance 137.0.7151.68/.69 en Windows y macOS, kuma 137.0.7151.68 akan Linux.
Dangane da yanayin fasaha, an bayyana shi a matsayin mai yiwuwa type confusion a cikin V8, inda yadda injin ke fassara abubuwan da ke cikin ƙwaƙwalwar ajiya na iya haifar da jihohi masu haɗari. Google ya zaɓi don bayanan fasaha an tanada har sai an riga an kiyaye yawancin kaso na masu amfani, da kuma gujewa cutar da dakunan karatu na ɓangare na uku idan ba a buɗe su ba.
CVE-2025-2783 da kuma "Operation ForumTroll" yaƙin neman zaɓe
A cikin Maris an yi faci gudun hijira (CVE-2025-2783) ana amfani da su wajen tura malware a cikin hare-haren leken asiri kan kafofin yada labaran Rasha da hukumomin gwamnati, a cewar majiyoyi daban-daban. Watanni bayan haka, wani rauni ya ba da damar yin lalata da asusun mai amfani a ƙarƙashin takamaiman yanayi, yana nuna hakan ’Yan wasan kwaikwayo sun haɗu da injiniyan zamantakewa da lahani na burauza.
Binciken Kaspersky yayi cikakken bayanin abin da ake kira Operation ForumTroll, yaƙin neman zaɓe da ke kwaikwayi taron duniya Primakov Readings. Imel ɗin na yaudara ya haɗa da hanyoyin haɗin kai zuwa shirin taron da rajista, amma turawa zuwa gidajen yanar gizo na karya wanda idan aka ziyarta tare da Chrome ko Chromium browsers, ya sa na'urar ta zama kusan kamuwa da cuta ta atomatik.
Kaspersky ya nuna cewa amfani hanyoyin kariya na sandbox don cimma tsayin daka da satar bayanai, tare da mai da hankali na musamman ga 'yan jarida, ma'aikatan ilimi, da wakilan kafofin watsa labarai a Rasha. Yana da kyau tunatarwa cewa kawai buɗe shafin qeta ta yadda za a kunna sarkar amfani idan akwai sifili-rana.
Kodayake vector na farko shine phishing, maɓalli shine cewa amfani da mashigar mashigar baya buƙatar ƙarin hulɗa da ya wuce ziyarar. Wannan samfurin harin yana rage juzu'i kuma yana ƙara ƙimar nasara, don haka gaggawar yin amfani da ingantaccen kariya ta kwana-kwana da rage faɗuwar fallasa.
Ingantacciyar kariya ta kwana-sifili: ganowa, amintaccen sifili, da amsawa
Bayan “patching da wuri-wuri,” akwai matakan da ke ƙara juriya ga irin waɗannan abubuwan da suka faru. Na farko, na'ura mai kwakwalwa da kuma gano tushen hali waɗanda ke taimakawa gano abubuwan da ba su da amfani (misali, ayyukan aiwatar da sabon abu, sanannun sarƙoƙi masu amfani, ko cin zarafin IPC kamar Mojo).
Idan muka yi magana game da Ingantaccen Kariyar Ranar Zero, ƙungiyar ganowa ta ba da shawarar cinyewa Dokokin Sigma da abun cikin farauta CVE-lakabin, taswira zuwa MITER ATT&CK, kuma mai yarda da shi Dubban SIEM, EDR, da tsarin tafkin bayanaiDabarun dandamali na musamman suna ba da kasuwa tare da ɗaruruwan dubunnan dokoki da aka sabunta kullun kuma an wadatar da su da bayanan AI na asali, don kare kai tsaye daga barazanar da ke fitowa.
Sanannen shawara shine Uncoder AI, wani kwafi na AI don gano aikin injiniya wanda ke hanzarta haɓakar haɓakar Dokokin Roota da Sigma, yana canza bayanan sirrin barazana zuwa dabaru na aiki, takardu da kuma sabunta lamba, da tallafi Harsunan tambaya 56Hakanan yana ba da damar ƙirƙirar Taswirar Attack tare da taswirar ATT&CK ta amfani da AI / ML don samar da tallafi na ƙarshe zuwa ƙarshen injiniyoyin ganowa.
A matsayin wani ɓangare na tarin tsaro, wasu ɗakunan ajiya sun haɗa da maɓalli ko ma'ajiya na Bincika Abubuwan Ganewa don samun damar tabbatar da abun ciki nan take, gami da hanyoyin haɗin yanar gizo na CTI, lokutan hare-hare, tantancewar daidaitawa, da shawarwarin rarrabewa. Haɗa wannan abun cikin cikin bututun gano ku. yana rage matsakaicin lokacin amsawa yaƙi da yaƙin neman zaɓe da ke cin gajiyar kwanaki.
Dangane da gine-gine, yana ƙarfafa dabarun zero trust: rarrabuwar cibiyar sadarwa, mafi ƙarancin gata akan wuraren ƙarshe, sarrafa aikace-aikacen, da keɓewar matakai masu mahimmanci. Waɗannan yadudduka ba za su hana faruwar ranar sifili ba, amma rage tasiri radius kuma yana da wahala a haɓaka gata bayan an daidaita mashigar mashigar farko.
A ƙarshe, kula da ƙayyadaddun hanyoyin faci na gaggawa: lissafin rarraba don sanarwar tsaro, lissafin nau'ikan da aka tura, da kuma agile kula windows don masu bincike. A cikin yaƙin neman zaɓe kamar waɗanda aka bayyana, rage lokutan fallasa na iya kauce wa alkawurra a gran escala.
Hoton da waɗannan raunin raunin ya zana ba shi da kyau: mai bincike shine hanyar shigar da dabaru, kuma maharan sun san shi. Ingantattun kariyar sifili yana da mahimmanci: Tare da saurin faci, mafi kyawun ayyuka na amana, da kuma gano shirye-shiryen samarwa, Kuna iya tafiya daga wasa na tsaro zuwa yanke sarƙoƙi masu tayar da hankali kafin su haɓaka.
Edita ya ƙware a fannin fasaha da al'amuran intanet tare da gogewa fiye da shekaru goma a cikin kafofin watsa labaru na dijital daban-daban. Na yi aiki a matsayin edita da mahaliccin abun ciki don kasuwancin e-commerce, sadarwa, tallan kan layi da kamfanonin talla. Na kuma yi rubutu a shafukan yanar gizo na tattalin arziki, kudi da sauran fannoni. Aikina kuma shine sha'awata. Yanzu, ta hanyar labarai na a ciki Tecnobits, Ina ƙoƙarin bincika duk labarai da sababbin damar da duniyar fasahar ke ba mu kowace rana don inganta rayuwarmu.