Low-priority bugs and exploits that scammers and malware purveyors rarely use get pushed onto the back burner all the time, in favor of more urgent bugs that need fixing. One such vulnerability is a bug in Chrome’s HTML5 engine that has been around for about two years now. In short, the bug relies on a piece of malicious HTML5 code that Chrome treats as safe and executes. That code lets the host node, the website in this case, fill the browser’s history with thousands of bogus URLs in a split second and keep them coming, which brings the device running Chrome to a screeching halt. That exploit has now been found in the wild for the first time.
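The article only says the page floods the browser history; the usual way a page adds history entries is the HTML5 History API (`history.pushState`/`history.replaceState`), so the following added example (not code from the article or from Malwarebytes) assumes that is the call being abused. It shows a defensive rate limiter, the kind of guard an extension content script could install, that wraps those two methods, lets a normal page through, and refuses and counts calls once a page exceeds a per-second budget. The `maxPerWindow` and `windowMs` limits and the fake `history` object are constructed for the demonstration.

```javascript
// Added example, not from the original article.
// Wraps history.pushState/replaceState with a shared per-window budget.
// Assumption: a legitimate page rarely needs more than a handful of history
// entries per second, so anything far beyond that is treated as abuse.
function installHistoryGuard(hist, {
  maxPerWindow = 20,   // constructed budget: allowed calls per window
  windowMs = 1000,     // constructed window length in milliseconds
  now = Date.now,      // injectable clock so the guard can be tested offline
  onBlock = () => {},  // hook for logging / telemetry when a call is refused
} = {}) {
  const stats = { allowed: 0, blocked: 0 };
  let windowStart = now();
  let count = 0;

  for (const name of ['pushState', 'replaceState']) {
    const original = hist[name].bind(hist);
    hist[name] = function guarded(state, title, url) {
      const t = now();
      if (t - windowStart >= windowMs) {   // new window: reset the budget
        windowStart = t;
        count = 0;
      }
      if (count >= maxPerWindow) {          // over budget: refuse the call
        stats.blocked++;
        onBlock(name, url);
        return undefined;
      }
      count++;
      stats.allowed++;
      return original(state, title, url);
    };
  }
  return stats;
}

// Constructed stand-in for window.history so the guard runs outside a browser.
function makeFakeHistory() {
  const entries = [];
  return {
    entries,
    pushState(state, title, url) { entries.push(url); },
    replaceState(state, title, url) { entries[entries.length - 1] = url; },
  };
}

// Exercises the guard: n pushState calls spaced gapMs apart on a fake clock.
// Returns how many entries actually landed and the guard's counters.
function exerciseGuard(n, gapMs = 0) {
  let clock = 0;
  const hist = makeFakeHistory();
  const stats = installHistoryGuard(hist, {
    maxPerWindow: 20,
    windowMs: 1000,
    now: () => clock,
  });
  for (let i = 0; i < n; i++) {
    clock = i * gapMs;
    hist.pushState(null, '', '#' + i);   // constructed URL fragment
  }
  return { pushed: hist.entries.length, allowed: stats.allowed, blocked: stats.blocked };
}

// Stand-alone demonstration: a burst within one window is capped at the budget,
// while calls spread out over time pass untouched.
console.log(exerciseGuard(5000));        // { pushed: 20, allowed: 20, blocked: 4980 }
console.log(exerciseGuard(50, 100));     // { pushed: 50, allowed: 50, blocked: 0 }
```

In a real deployment the guard would be installed on `window.history` before page scripts run, and `onBlock` would report the offending origin rather than silently dropping the call; the budget numbers are deliberately generous so that single-page applications are not affected.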
Many Chrome users swear by the “Prevent this page from creating additional dialogs” checkbox. When you run across a bogus website or a malicious popup that won’t let you leave or do anything else, it’s your only escape route short of killing the browser session. This bug uses that checkbox as its trigger. It was found in a bogus tech-support ad that looks much like a run-of-the-mill fake virus popup. The difference is that when the user gets fed up and ticks that magical checkbox, the exploit runs, and the user’s system slows to a crawl or freezes outright unless the browser session can be killed. While the bug doesn’t persist or cause permanent damage, it can force a reboot on a less powerful system, such as a low-end PC, a Chromebook, or an Android phone, and it serves as a scare tactic to get less technically inclined users to call the phone number shown on screen.
The bug has already been given a full teardown by Malwarebytes, which is a double-edged sword. On one hand, Google knows about it, and now that they know it’s in the wild, they have the information they need to patch it. On the other hand, now that scammers have seen a use for it and its details are public, you can bet more of them will adopt it in the run-up to whenever Google patches it. Until now, Google had pushed it aside as a low-priority denial-of-service exploit, not worth the resources to patch. Its latest incarnation, as mentioned above, can completely disable weaker systems. Since a huge chunk of web traffic these days comes from mobile devices, the pressure is on for Google to fix this bug.