Over the weekend, Google rolled out a patch to Google Chrome. It addresses a zero-day vulnerability. But what are zero-day vulnerabilities and zero-day attacks? We learn about the definition and history of this powerful type of hacker attack.
Welcome to TechStuff, a production from iHeartRadio. Hey there, and welcome to TechStuff. I'm your host, Jonathan Strickland. I'm an executive producer with iHeartRadio. And how the tech are you? So this morning I woke up to a text message from a radio station in Alabama. I have frequently been on that station talking about tech stuff in general, and they were asking if I would be willing to jump on the air this morning to talk about how some Google Chrome news was unfolding, specifically that Google discovered a zero day vulnerability within Chrome that could potentially compromise users, like upwards of three billion of them. So today I thought I would talk a little bit about what a zero day vulnerability is, touch on a little bit of terminology used in the information security sector to kind of demystify a bit of it and to help folks like me wrap our minds around the whole thing. Now, for those of y'all who are neck deep in computer security fields, you're going to know all of this already. This is sort of a one oh one of what zero day vulnerabilities are all about. So let's define that. Because zero day vulnerability, zero day exploit, zero day attack. These terms seem to mean something, but you don't necessarily understand it when you first see it. Essentially, it's describing a situation in which there is something exploitable within some sort of technical system. This system can be software, it can be hardware, and this vulnerability exists within the system, and the people who should be on the lookout for that kind of thing are unaware of it. So, in other words, the company behind the system doesn't know that the vulnerability exists. The security community at large doesn't know that this vulnerability exists, but it's there. So if you think about it, think of it in physical terms.
Let's think about like a giant security wall that goes around your home, and it turns out there's a gap in the wall, but it's behind some shrubs and stuff, and you just haven't gone back there, and you haven't noticed it. You don't even know there's a gap there. Well, that gap obviously shows that there's a hole in your security and you just aren't aware of it. But if someone else is aware of it, they could exploit that without your awareness and potentially cause a lot of damage. And if they're very clever, they can cause a lot of damage over an extended amount of time, as long as they don't make you aware that that hole is there. That's kind of the idea here. It's partly called a zero day vulnerability because the entity behind the product has had zero days to fix it before someone's figured out a way to exploit it. In other words, you can't really fix a problem if you don't know that there is a problem there. Right? Again, if you look out and you don't see the hole in the wall because it's being obscured by something else, then you don't know that there's a problem to fix. You just assume everything's fine, and it's not until some other signs pop up that suggest that it's not fine, that you start looking, and then maybe you uncover it. At that point you could argue, all right, well, now it's no longer zero day because we found it and we can do something about it. But the gap of time between when the problem first manifested and when you've found out about it, that represents the target of opportunity for this in the case of computer security hackers. So let's give an example with Google Chrome. Google makes the Chrome web browser, engineers create an update for the browser, and in the process, there is a gap in the browser's security. It's unintentional. It was not put there on purpose. It just sort of happens because this is complicated stuff. So the engineers didn't detect the gap.
They pushed it through, and the update goes through the entire development process, and then Google deploys the update. They roll it out, and people start to update their browsers or the browser gets updated upon a reboot or something, and thus the update gets installed, and now the security gap is affecting those machines because they actually have that version of Chrome in place. Now in the wild, hackers are also scouring Chrome, but they're looking for these vulnerabilities. They're probing the code, looking for weaknesses where they can exploit those weaknesses. It might mean creating some specific types of malware or some sort of process that will initiate a sequence that allows them to exploit the vulnerability. So it may, you know, it takes more than just finding there's a vulnerability there. You have to figure out a way to exploit it. But these are all things that hackers do on the reg. So they find this gap, then they scramble to develop the tools that can take advantage of this gap. Then they deploy those tools, perhaps doing so very quietly in an effort to extend the amount of time that they have to exploit this vulnerability before Google or some computer security expert from somewhere else finds this gap and then alerts everybody to it. The hackers do their best to use the gap to do whatever it is they want to do. Depending upon the nature of the gap, that could include anything from spying on computer activity on a compromised machine to forcing a computer to execute malicious code, remote code execution in other words. And really it just depends upon the nature of the vulnerability and the nature of the malware being developed, so there are lots of different possibilities there. So when we the general public hear about a zero day vulnerability, it's kind of like hearing about something that was a zero day vulnerability but now kind of isn't because it's now not just the hackers who know about it.
Now, there might not be much we can do about it at the time. But often when we hear about zero day vulnerabilities for the first time, it comes along with a solution that's being rolled out at the same time. Because companies that are hit by this sort of stuff, if they can hold on to that information until they have a solution, they typically will, because otherwise you're panicking people and you have no way to fix things. Right. So it may be that when you hear about this vulnerability, it's the same time when you hear about a patch, a security patch that's been rolled out that you can update your device to. Typically we see a very fast response to the discovery. Sometimes the response we see is in other areas of cybersecurity, for example, antivirus software creators. They might come up with tools to help detect and prevent applications that have been hit by zero day vulnerabilities to do malicious activity on your machine, and in the meantime, you're still waiting for the creator of the root problem to roll out a patch. That often can be the case too. Companies will patch their products. So Google, for example, pushed out a patch for this most recent vulnerability already, which, by the way, is where I need to point out to all of you that if you use Google Chrome, you should check to see if it's up to date, just to protect yourself. If you're wondering how to do that, in the upper right corner of Google Chrome, there are the little three dots. If you click on that, it brings up settings, like you can choose settings from a drop down menu, and then from the next menu that pops up, you look at about Chrome and it will have a little button there that lets you update your browser at that point, and you should click on that, make sure your browser is up to date and patched so that you are not going to be victimized by this type of vulnerability. Now, sometimes hackers will even know about vulnerabilities in code before the code gets released.
So imagine for a moment that you are a black hat hacker. Your job is to try and find vulnerabilities in various systems and platforms and then figure out ways to exploit them. So you are an expert in penetrating systems, and maybe you're on the payroll of a nation state. Maybe, you know, Russia or China is paying you to do this, or maybe you work in the United States for one of those organizations that goes by initials all the time, like the NSA, because they do this too. So information is a precious resource and access to information is your specialty as this kind of hacker. So you dedicate your time to gaining access to developer platforms on the QT so that you can look at code while it's still in development. Maybe you start probing this code for vulnerabilities well before it gets rolled out to the public. Now, if you're lucky and you're very good, you find something that can be used immediately as soon as this gets rolled out. And this is the best case scenario for you, because you already know the vulnerability, you can already work on an exploit, and the tool hasn't even been pushed out yet. So at the moment that it goes public, chances are you'll be able to exploit it right away. It really does become a zero day vulnerability. In that case, this gives you the maximum amount of time to work with that vulnerability and to compromise target devices before someone gets wise. And again there's no telling how long that might take. Sometimes it can be years before someone realizes, hey, something hinky's going on. Let's look into this. Now, of course, chances are you're not necessarily the person who's making use of these vulnerabilities. You're finding them, but you aren't necessarily the same person who's exploiting them. Instead, you find these vulnerabilities and then you peddle your knowledge on the black market, where you're selling information to criminals and the like, and they in turn will actually use the exploits to leverage that vulnerability.
You might instead go to the gray market. This is where you could be selling the information to, say, researchers in the cybersecurity field, or maybe to a defense contractor who in turn is working alongside military organizations. I mean, we've seen this too, right. We've seen companies that are essentially defense contractors develop malware that targets zero day vulnerabilities. A great example of that's the NSO Group, the Israeli company that created the Pegasus malware that targeted iOS devices. So you might be working with intelligence agencies to do this sort of thing, or maybe you are one of the good guys out there. You're a white hat, so what you're doing is not trying to sell off this information to criminal bidders on the black market. Instead, what you are doing is you're taking part in bug bounties where a company will offer a reward if you find security vulnerabilities in their products. And so you discover the vulnerability, you send in a bug report to a company, they verify that it is in fact a vulnerability, and then they pay you while they get to work patching that vulnerability out before any bad guy out there figures out that this thing's there, or if they have figured it out, before they can do too much damage with it. So hopefully the white hats get the information to the right people in time, and the right people take the right actions to prevent any exploitation of that vulnerability, though that, you know, is never a guarantee. So these zero day attacks, typically they are devastating because there's no defense, right? Like, there's no way as a user, there's nothing you can do because you don't, you're not doing anything with the code on the back end of the various devices and programs you're using. But beyond that, if no one is aware of them, apart from the attackers, then there's going to be a lot of damage done up until that discovery has been made. They can also happen at a very high level.
These can be attacks that are not going after the general citizen. They might cast a very wide net in order to get as many people lump as possible, but the hope typically is to land a few important targets, like you're aiming to get some high profile or important people, whether those are politicians or activists or journalists. You know, it depends on case to case, but that's often the goal. Now, granted, even if that's the goal, people might still make use of all that other information by selling it off on the black market or whatever, so, you know, maximize your gains. But typically these kinds of attacks are not necessarily meant to grab John Smith's information or whatever. They're going after bigger fish. So the vast majority of machines affected by a vulnerability exploit might not be of much interest to the hacker, at least not directly. That's very small comfort when you figure out that your machine has been hit. But at the very least you might luck out in that you're not the type of person the hackers were targeting, and they aren't exploiting the information right away, unless, of course, you are an important person, in which case, hey, thanks for listening to TechStuff. Thanks everybody for listening to TechStuff. You're all important to me. And honestly, the list of important people can get pretty big depending upon the aim of the attack. Okay, we're going to take a quick break. When we come back, we'll talk more about zero day vulnerabilities and attacks. Okay, we're back, and up to this point, I've kind of been using Google Chrome as an example because, well, we just had that news break that up to around three billion users could have been affected by this particular exploit or this vulnerability, and web browsers have frequently been the focus of zero day attacks, so even without this most recent example, we could still talk about Google Chrome. This is not the first time there's been a zero day attack or zero day vulnerability with Google Chrome.
It's happened multiple times in the past. The evolving nature of the web means that companies that make web browsers are constantly updating their products, whether to make them run more efficiently or add new features, or to accommodate new types of web technology. They need to update the browser to make it work. This, however, can introduce the chance for vulnerabilities to emerge. As software gets more complicated, changes to that software can have unexpected consequences. I'm sure anyone out there who has worked on a complicated system, whether it's software or otherwise, they know that when you fix one problem, sometimes the fix can end up causing three more problems somewhere else because the interconnections between all these different components gets really really complex. By the way, this is where all of us should take time to thank people who work in QA, because it's their job to test products and look for problems so that hopefully issues can be fixed before the product is headed out to the real world. And even when you sit there and think, wow, I have this thing and it doesn't work nearly as well as I hoped it would, just know that there's a really good chance there were QA people working on that where if they had not been there, you wouldn't even get the level of performance that you got out of that thing. So, yeah, QA people are really super important. I don't just say that because I happen to be married to one. Now, beyond web browsers, there are other types of products that are rich targets for zero day attacks. Now, again, for a zero day attack to even work, there has to be a vulnerability, right, there's not a guarantee a vulnerability will be there.
But there are certain types of technologies that hackers focus on more because the potential of finding a vulnerability and then exploiting it also means the potential of hitting a huge number of targets. So browsers are way up there because that's how a lot of people access the Internet, right? They're using the web based Internet. Operating systems are also way up there, so are email systems. The Internet of Things era introduced tons of new components that connect to information networks, and in the rush to build new and sometimes useful tools, not always, the Internet of Things has got a lot of stuff that you could argue has limited, if any, use. There's a ton of stuff that is really useful. Well, whenever you're tapping into a networked communication infrastructure, you're potentially introducing a vulnerability to the overall system, especially if you have not taken the time to build real security into your product. And time and again there have been stories about Internet of Things devices that had limited or no security to them, which created a great intrusion point for hackers. So really, any networked component can potentially be ground zero for a zero day attack, whether it's hardware, firmware, or software. It's just that stuff like browsers and operating systems are so widely deployed, they're so prominent that these targets are often the most desirable because everybody's got an operating system, just about everybody's got a browser, but not everyone has, I don't know, like a smart seismometer attached to their network. And so you focus on these big, big targets hoping to find vulnerabilities as a hacker because of the potential of how many hits you're going to get on an attack. It may be that you find an incredible attack for some Internet of Things connected device, but if there aren't a ton of those out in the world, then it still limits the effectiveness of your attack.
Right? So you're balancing this out: how bad is the vulnerability, how well can I exploit it, how widely is it distributed, and how long do I think I can get away with it? Well, that being said, if we look back on the history of zero day attacks, one of the standouts that comes up, an early example of zero day attacks, although the term zero day predates the discovery of this particular attack, because I say that because a lot of the resources I looked at called this the first zero day attack, which is kind of funny because we had the term before we even knew it existed. But it's Stuxnet, S-T-U-X-N-E-T. You may have heard of that. This was in the news more than a decade ago at this point, but it was intended to infect a specific kind of system. I've actually done an episode about Stuxnet, so I'm not going to go into a full history of it, but I will talk a bit about what it was and what was going on. Okay, so around two thousand and five or two thousand and six, some programmers, or hackers if you prefer, were hard at work developing a sneaky kind of malware. And based upon the scope of this malware, the target of the malware, and the sophistication of the attack, it's pretty clear that this had to be a state sponsored effort, that this was a group of hackers who had access to a lot of resources, like in the form of money and stuff, and subsequently people have sussed out that was probably the United States and Israel working together to do this. So the malware, it had to do several things. First, it needed to be able to infect a target machine and spread very easily. Second, it needed to remain undetectable, so it needed to not cause too much trouble or else someone might catch on that something hinky's happening. Third, it needed to be able to transfer itself onto a device like a flash drive.
So if you were to plug a flash drive into an infected computer, it needed to be able to copy itself onto that flash drive, along with whatever else it was you were planning to put on that flash drive. Fourth, it had to carry programming that would allow it to manipulate systems with programmable logic controllers. So these components, also known as PLCs, connect to industrial machinery. So essentially, PLCs let a computer system send commands to industrial equipment that does something, whatever industrial process it needs to do, but the computer can control it, and the PLC is kind of the interface that allows it to communicate with this industrial equipment. And in the case of Stuxnet, it was a specific kind of industrial equipment. It was a centrifuge that was used to process uranium, specifically to refine uranium. Because the target for Stuxnet was Iran's nuclear program, so the computer systems responsible for controlling centrifuges was the goal here. And the centrifuges spin at very very high speed, and in the process when they're spinning, they're spinning samples of uranium, and this is what helps separate the uranium so that you can refine it, and it's an important step in that process. So the malware would interrupt this chain of command between the computer system responsible for governing the centrifuge and the centrifuge itself, and then the malware could send instructions for the centrifuges to spin faster than they were supposed to. This had a dual effect. For one thing, it would cause the centrifuges to wear out faster and to fail more frequently. Essentially, it could break the centrifuges. For another, it could ruin uranium samples and slow down Iran's nuclear program in the process. But there was a major obstacle in the way of carrying through with this attack because the target systems, those computers that actually sent the messages to centrifuges, they were an air gap system.
So an air gap system is one that does not connect to an external network, so it doesn't connect to the Internet. It's air gapped. There is a gap between the system and the outside world. This is a strategy that a lot of companies and militaries use for systems that hold critically important and sensitive information. You cannot trust for it to be connected to the Internet, because then that information might leak out to the world. We've seen it happen lots of times. So you create an air gap system and ideally there's no way for the outside world to get into the computer system. So how do you compromise an air gapped computer system? You couldn't just create a neatly wrapped package in code and send it via email or something, because again, those targeted computers didn't have that external connection. So what they did was the hackers targeted companies that were known to be working with Iran on its nuclear program. So the goal was to infect the machines of the collaborators, to target these collaborators and try and get those machines infected, in the hope that as part of their work with Iran, they would unknowingly transfer malware from their own machines to something like a flash drive, and then they would use that flash drive to update Iran's computers that were in control of the centrifuges, and thus the malware could be transferred from the flash drive to the target machines. So you had this extra step you had to take. But here's the thing. It totally worked. For at least a year, the attackers were able to disrupt operations in Iran's nuclear program, even updating the malware so that subsequent visits from these partner companies would help keep things going. Now, eventually, like in twenty ten, which was at least two years after the machines had been compromised, Iran uncovered the reason that they were seeing centrifuges fail more frequently than they were supposed to.
Like, you know, of course stuff wears out, particularly stuff that moves a lot, but the centrifuges were wearing out way too quickly. They also noticed that their computer systems were crashing a lot. They figured it out finally that there was this malware to blame. Stuxnet itself, because it was designed to spread from system to system really effectively, actually infected a ton of machines that had nothing to do with Iran's nuclear program. That was kind of collateral damage, because again, the goal was to try and get these systems that otherwise were very well protected. And if you just happened to infect millions of other computers around the world, well that's a price you have to be willing to pay. Anyway. Stuxnet initially targeted five zero day vulnerabilities as part of its strategy. Now, through a security patch, one of those vulnerabilities was eliminated before Stuxnet could be deployed, so when the malware was ready to go, it was depending upon four zero day vulnerabilities because the other four had not yet been uncovered, so they still had different vectors to use in order to try and inject malware into the targets. The vulnerabilities targeted stuff like Microsoft Windows operating system and Microsoft Networks, and specifically was designed to seek out computers that had the Step 7 software suite from the company Siemens. Those were, you know, that's essentially what Stuxnet would do. It'd be like, all right, I've infected this machine. Does this machine have Step 7 installed on it? No? Cool, I'm not doing anything else other than infecting other machines if I have the chance. If it did detect Step 7, that was software that was meant to interoperate with these PLCs so that you could work with industrial equipment, it would then continue on its mode of attack. Now, as you might imagine, like I said, zero day attacks can cause a huge amount of trouble.
The vulnerability's there, the exploit's been developed, and no one, not even cybersecurity companies, is prepared to respond to it. If it's carried out well, the attackers can achieve goals, and like Stuxnet, they can continue to operate for years without being spotted, assuming the attacks are not causing noticeable issues in the infected systems. If it's causing stuff that most people would just chalk up to regular technical errors or glitches or whatever, you can get away with it for a while. But if you're like causing lots of problems, then eventually someone's going to say something's wrong with this machine, and that brings out the possibility that someone figures out it's been exploited. Now, the recent Google Chrome zero day attack potentially affected up to three billion people, like I mentioned, according to initial estimates, which puts it neck and neck with one of the worst zero day attacks we know about. I was about to say one of the worst zero day attacks in history. But of course, the scary thing is there are probably huge zero day attacks going on right now and no one has detected them yet, and who knows the scope or nature of those attacks. That's the scary thing about that, right? Like you just, there's no way to know because no one's discovered there was a vulnerability or noticed anything unusual going on with their systems. But anyway, the other really really big one that happened at the same scale as Google Chrome happened to a little company called Yahoo back in twenty thirteen. Now we're going to take another quick break. When we come back, I'll talk about this attack on Yahoo because it was another enormous deal. Okay, let's talk about this data breach attack on Yahoo that happened in twenty thirteen. We didn't even know about it until twenty sixteen.
Again, the sinister nature of these attacks is that they can have happened and even continue to happen without us being aware of it for ages, and only in retrospect are we able to look back and say, wow, that was an enormous attack. So, first off, Yahoo had already been the target of zero day attacks before twenty thirteen. In fact, back in two thousand and seven, which was before the world knew that Stuxnet was a thing. I mean, you know, hackers had developed it and everything, but the world was not aware of Stuxnet. There was a zero day attack. There were zero day attacks aimed at Yahoo, specifically Yahoo Messenger, that was the company's instant messaging service. So reportedly, this malicious attack could initiate a remote code execution on a target without them even doing anything, assuming that they had their browser security settings set fairly low, right, specifically in Internet Explorer. RIP. But yeah, Internet Explorer, you might remember, had different kind of levels of security you could set, so at the highest it would really limit the types of websites you could go to. It really restricted your freedom quite a bit, but it also protected you against the vast majority of potential attacks, or at least that was the intent. For people who felt like they were more capable of determining their own safety, you could set that much lower and you would be able to go to more websites and use more services, but you also would incur greater risk. So depending upon what level you had your Internet security set at for Internet Explorer, you could potentially be a target of this zero day vulnerability that was leveraging Yahoo Messenger. But that was just one. The twenty thirteen one would be much much worse. So again, it wasn't until twenty sixteen that we really heard about this. Yahoo revealed that hackers had managed to access and steal Yahoo user information, lots of private information.
The initial guess was that it affected around a billion Yahoo users, but subsequently Yahoo, now under the ownership of Verizon, revealed that potentially all three billion users had been hit by this attack. This was in addition to a separate attack that had happened in twenty fourteen, and Yahoo had detected that one and already talked about it. So there was a big attack in twenty thirteen, then a second attack in twenty fourteen, probably not connected to the first attack. Yahoo saw evidence of the second attack, the twenty fourteen attack, but still didn't know about the twenty thirteen one. The twenty fourteen one, though, had already hit half a billion accounts, right, like five hundred million people hit by that one. And it really just points out how vulnerable Yahoo was to have these two massive attacks both succeed against it, one of which remained undetected even after Yahoo had found evidence of a second attack. Subsequent investigations pointed to a possible connection to Russian hackers, so it was likely a state sponsored attack, which could mean that the primary purpose of the attack was to gather information about specific targets. That being said, even if you're not a person of note in the eyes of Russian intelligence, the hackers also started to sell user data on the dark web, because I mean, why not. You've already got it, why not make some money off of it. Sure, your main reason for your attacks was to get information about, you know, person A, person B and person C. But you have, you know, a billion other people, or in the case of Yahoo, three billion other people. Why not sell their information too and make some extra money. So, yeah, anyone who had a Yahoo account by say mid twenty thirteen was pretty much hit by this attack because it got everything, which is a big ol' yowza.
Now, sometimes it can actually be difficult to tell the difference between an attack that uses a zero day vulnerability versus something that is able to achieve really big results but through entirely different means. So, for example, in twenty twenty one, hackers began to offer LinkedIn data on the black market, so data about LinkedIn users. The word was that anywhere from five hundred million to seven hundred million accounts had been part of this attack, like anywhere between ninety to ninety five percent of LinkedIn's user base, and there were differing explanations for how this all went down. So one of the possible explanations was that LinkedIn had an API, that's an application programming interface, and that this API had a vulnerability in it, and that this vulnerability would allow a hacker to create a tool to access information on the back end of LinkedIn systems. So there were at least some guesses that that was to blame, but LinkedIn said no, no, no, there was a vulnerability in our API, but we subsequently patched that out. And while there had been an early attack using that vulnerability, it was very small in nature. This larger one was not an attack on LinkedIn's back systems, according to LinkedIn, but instead made use of data scrapers. So a data scraper is just what it sounds like, it's a program that scrapes information off of a platform. So you could achieve the same thing by having people go to LinkedIn and write down the personal information they can find about each user, and then go to the next user and then write it all down. It would be the same thing. So you're not getting anything secret because you're literally just going entry to entry and writing down all the information you have. Maybe you corroborate this with data from other websites too, in order to build out a bigger dossier on each person. But it's not like you penetrated the back end system, right.
You didn't get to see the actual database that LinkedIn has where it has all the information about each user. You're just grabbing stuff that's already publicly viewable on the website. That's what LinkedIn was saying was happening. Whether or not that's exactly what happened, I don't know. I don't have any reason to doubt LinkedIn necessarily, because from what I can understand, the information that was being sold didn't contain a lot of stuff you would expect to find if, in fact, it were all the back end stuff. It was all things that you would expect to find if you were to just visit someone's profile page. So it's possible that that explanation is in fact the accurate one. Now, if you do a search about the most recent Google Chrome zero day vulnerability, you are likely going to see that it's listed as vulnerability CVE-2023-2033. All right, so Google Chrome has had other zero day vulnerabilities. In fact, if you do a search and you see a different CVE, you know, it's got different numbers following it, that's one of the other zero day vulnerabilities Google Chrome has had to deal with in the past, so this is not a new thing. The letters CVE stand for Common Vulnerabilities and Exploits. This is from the National Standards Institute, so it's like a standard just being used by the computer science community. So CVE has that designation and the numbers give you more information about the specific instance of this vulnerability. This particular vulnerability is taking advantage of something called type confusion. Now, to get into type confusion in detail would go beyond my meager knowledge and understanding of coding. So I'm not going to dive too deeply into this because more likely than not, I would just say something that was wrong, and rather than try to get it right and get it wrong, I'm going to give you a very high level look at what type confusion is. 
So the MITRE Corporation says that type confusion happens when, quote, "the program allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type." End quote. That clears it up, right? So type in this case references a set of values as well as a set of operations allowed to be performed on those values. That's about as deep as I can get into that without running into the danger of hopelessly confusing myself and probably saying the wrong thing. But certain coding languages lack memory protection capabilities, like C programming language doesn't have that memory protection capability built into it, and so a hacker can try to purposefully kind of confuse a program and gain out of bounds memory access, which can lead to all sorts of bad outcomes. Now, to manage this with Google Chrome, because that's the program we're looking at right here, right, as a web browser. The way you would take advantage of this vulnerability is a hacker would typically create a website, an HTML document, and within the document, the hacker would embed this attack so that when someone who is using an unpatched version of Google Chrome visits that page, the attack initiates. Now, what the attack does is dependent upon the nature of the malware itself, so it could be used to do all sorts of things like steal information or inject a different kind of malware into a target computer, all sorts of different stuff, so you can see why experts recommend users update Google Chrome to patch out that vulnerability. Apparently at least one such attack was found out in the wild, so this isn't just a zero day vulnerability. There was evidence found of zero day attacks, so this is something that's happening right now. So again, if you use Google Chrome, make sure you update it to the most recent version. It is not difficult to do. 
It might require you to reboot your computer, but that's the biggest hassle involved with it, and it could potentially prevent you from being part of a massive hacker attack. So go ahead and do that. Because the hackers have been aware of this for a while now, we were just made aware of it over this past weekend. All right, that's it for this episode. I hope you are all well.