Chrome.exe exploit prevention events

benwe · ‎05-05-2023

I have over 500 alerts for chrome.exe exploit prevention alerts on all different devices in Secure Endpoint the past couple of days.

All the same hash

55c3f36080f2ddbf4c47d6685fa42333ee0172866a31c0f29c1797dc2954ab29

I have added that hash to the allow list and it still blowing up.

Any ideas?

Kasun Bandara · ‎05-05-2023

is your chrome web browsers in network updated? make sure every browser is in new version. because this seems like some bot trying to exploit chrome's one of vulnerability. even though it is blocked, make sure every one updated.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

vendeville_lj · ‎05-09-2023

Running into the same issue with a bunch of my endpoints, the first instances starting on 03MAY23. Looking through SCCM, all of the machines with this popping up are running Google Chrome version 113.0.5672.63, which isn't very far off from the current Chrome release of 113.0.5672.93. The threat detection doesn't seem to have any usable information on what the exploit was or if it originated from Chrome itself or from something accessing Chrome (unless I'm just reading it wrong).

Roman Valenta · ‎05-10-2023

We are currently looking in to this issue as it seems that this is all related to the latest Chrome 113 update and possible FP event. That update based on this article

https://www.securityweek.com/chrome-113-released-with-15-security-patches/

was patched with 15 security updates that might have something to do with this. Me personally I try to replicate this issue in my lab on several machines with old Chrome Install and in my case it never triggered. We have so far few cases open and gathering much need it logs to figured out why this is happening in those environments and not the others. I highly encourage everyone with this issue to get with TAC and provide those logs. In cases like that we really looking to:

Reproduce
Diag bundle in Debug

Procmon logs

In case Procmon is supplied time stamps are crucial to navigate in the enormous amount of data that Procmon contains.

Trin · ‎05-10-2023

Has there been any updates on this issue? I am also getting exploit prevention alerts for chrome.exe on several endpoints, although the hash I'm seeing is different than OP's:

50763c43fdf58584ab5010696609e032fb1a6723b4ae163b9bc30aa1c2d960e8

In my environment I've noticed that Chrome, and in some cases Edge, are disappearing from workstations' 'installed programs' lists even though the executables are still present and functional. I'm still testing, but I've found that installing the latest version of those programs over top of the existing configuration restores the program to the 'installed programs' list without wiping out any settings.

Opening a case with TAC is not going to be beneficial for me at this point as the damage is already done, but I would be interested in knowing if the issue with the programs can be pinned to this Secure Endpoint exploit prevention trigger as I'll need to deliver a report on what happened in the environment.

Roman Valenta · ‎05-11-2023

As we gathering more data on this we are learning that this is not affecting only CHROME. Chrome issue with rundll32.exe seem to be affecting any application that has a Chromium based browser integration. We have report now that application called Justice Works got affected as well and it was confirmed that this application uses a Chromium based browser inside the software. Talking to others it seems the issue is also appearing in Quicken software which uses an integrated browser for login, also in Spottily that also have chromium based browser. And knowing that Edge is built on Chromium as well I'm not surprised that you ran in to the same issue.

We are still in process to understanding what is happening as it seem to only happen under certain circumstances and we still only have handful cases to work with. I will keep you guys informed once I have more details.

Lorenzo H. · ‎05-11-2023

We're also getting lots of these alerts for the past few days. The chrome.exe hashes listed in the alerts vary, which tells me that it doesn't seem to be related a to a version of Chrome in particular.

Two days ago we got the notification below. Not sure if it has anything to do with these events:

Cisco Secure Endpoint Announcement - Scheduled Policy Updates

Secure Endpoint Windows policies will be updated to discontinue use of a legacy application injection prevention technique in the Exploit Prevention engine. This addresses false positives that could interfere with endpoint management tools that perform Windows updates. Removal of this technique is mitigated by other features that can detect related attacks at an earlier stage.

This update will increase the policy serial numbers and trigger a policy update for computers in groups that use these policies on May 10. No action is required on your part.

Roman Valenta · ‎05-11-2023

Unfortunately not this was for something else that was tuned in Exploit Prevention Engine and after testing applied globally. We actually took extra week for testing just to make sure . It just happened to fall close with this new discovery so it might look like its related but again its not.

jeremy.peace-hall · ‎05-12-2023

We are seeing these same Exploit Prevention alerts in our environment as well. Just as you mention, they seem to coincide with the policy update made by Cisco on May 10 but also only appear on clients running Chrome v115.

jeremy.peace-hall · ‎05-12-2023

Sorry, meant to type Chrome 113 not 115

Lorenzo H. · ‎05-12-2023

Got this answer from TAC yesterday:

This seems to be related to a known issue that is currently being investigated. A global change was applied yesterday to all customers, I would advice that you Sync your policies on affected devices and test for the behavior. If it persists, I will require a diagnostic bundle while reproducing the issue.

Roman Valenta · ‎05-12-2023

I don't want to get this on wrong track but again. The change that was implemented couple days ago was for completely different issue.

What we see now is new issue that was triggered with Chrome 113 update. We got new more complete logs collected this morning and they will be submitted today along with our internal case. More info will come once I get some updates.

Roman Valenta · ‎05-12-2023

Quick Update, it was brought to our attention another scenario by our internal employees where trying to start any streaming application (Netflix/Hulu/etc..) caused events and crashes as well. Not until Chrome was updated to the latest 113.0.5672.93 version. which suddenly fixed the issue. Can anyone verify the same?

As far for Chrome Update
https://chromereleases.googleblog.com/

There is possibility that our engine was triggered based on these two fixes:

1429201 High CVE-2023-2134 Out of bounds memory access in Service Worker API

1429197 High CVE-2023-2133 Out of bounds memory access in Service Worker API

James M. · ‎05-17-2023

That is what I have been seeing and hearing from users running v113. Anyone trying to start streaming applications, Disney+, Amazon Prime, even music streaming such as Spotify. I haven't had a chance to gather any logs at this point unfortunately, but I just wanted to chime in that it is certainly the same symptom.

Roman Valenta · ‎05-22-2023

Good Morning everyone,

Just another quick update since we start receiving the much need it logs for the open TAC cases. What we know for sure is that this issue is definitely related to the Chrome 113 Update assuming any version of 113 update is still generating these events. What we also know is that this is not connector specific We seen this behavior in cases running connector release 8.1.5, 8.1.7 but also legacy versions such as 7.5.1. The other thing that was so far reported is that there is no impact except the excessive amount of false positive events in the console. In other words so far we didn't got any reports that this is causing crashes unless this community experiencing something else then I would love to hear your feedback so I can add that to what we already know.

This issue has been escalated with our engineering team and interested party responsible for Exploit Prevention engine so hopefully we will get some new updates soon so I can keep you posted on this.

Regards,

Roman