# Chrome vulnerability



## lunarlander (Sep 22, 2007)

Hi,

I believe that the latest version of Chrome browser has a security hole. It enables an attacker to push an exe and run it. I updated Chrome today. The exe pushed through has a former Windows Defender file name mpsigstub, and was caught by my anti-executable. No other program was running other than Chrome.


----------



## lunarlander (Sep 22, 2007)

Nah, I was here at this forum. The attack was using a spoofed origin.


----------



## AmyToo (Sep 22, 2017)

@lunarlander You have a Security+ certification.

Should we all stop using Chrome?

Info from my computer:
Chrome 74.0.3729.157 (Official Build) (64-bit)

I didn't get an update today.


----------



## lunarlander (Sep 22, 2007)

I would add an anti-executable to your list of security defenses. Examples are: VoodooShield Free, NoVirusThanks EXE Radar Pro, Anti-Executable by Faronics.

Chrome developers move fast, releasing new versions almost every month. As such, updating your Chrome MIGHT work, because as they recompile the code, the security hole moves. Or the developers MIGHT fix the hole, if somebody told them exactly what to fix.


----------



## AmyToo (Sep 22, 2017)

What's an anti-executable?


----------



## lunarlander (Sep 22, 2007)

I amended my post as you typed. Please re-read.


----------



## AmyToo (Sep 22, 2017)

Is this a zero-day vulnerability? I'm not finding any info on security blogs.

The programs listed are Windows apps. They protect against this new Chrome vulnerability? 

Did you report it to Google?


----------



## lunarlander (Sep 22, 2007)

I wouldn't bet on security blogs having much info. Hackers have their own wares which they keep to themselves.

Anti-executables stop any unknown program that tries to run. Most exploits run a payload program.

I don't have specifics on the security hole. Nothing to report.


----------



## AmyToo (Sep 22, 2017)

mpsigstub.exe is a Windows executable.

This new Chrome vulnerability exploits this Windows EXE?


----------



## lunarlander (Sep 22, 2007)

No, here's the log entry of the anti-exe: c:\windows\servic~1\networ~1\appdata\local\temp\ibd9d45f-d1fd-4182-860c-edeef1336838\mpsigstub.exe

MpSigStub.exe used to be part of Windows Defender I think. But I can find no trace of it in the current C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1902.2-0 nor anywhere on my C drive.


----------



## AmyToo (Sep 22, 2017)

MpSigStub.exe is a Windows system file. It's on Windows 7 and Windows 10. I checked my computers and VM images.

C:\Windows\System32\MpSigStub.exe


----------



## lunarlander (Sep 22, 2007)

Not on my Win 10 v1809

Windows Defender version is: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1902.2-0


----------



## AmyToo (Sep 22, 2017)

lunarlander said:


> Not on my Win 10 v1809
> 
> Windows Defender version is: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1902.2-0


I have the same Windows 10 and Windows Defender versions, and I have the file C:\Windows\System32\MPSigStub.exe.

Maybe it was flagged as a false positive on your computer?


----------



## Cookiegal (Aug 27, 2003)

AmyToo said:


> MpSigStub.exe is a Windows system file. It's on Windows 7 and Windows 10.


And Windows 8.1 as well.

I think it's just a case of Windows Defender was updating at the same time and your anti-executable prevented it (or it didn't get deleted after the update as it should have). That file location is a temporary one for WD updates and both the file and the location are whitelisted in the FRST malware tool (at least they were in 2015 which is the last instance I could find).

I think if there were such a vulnerability we would have heard something about it by now.


----------



## lunarlander (Sep 22, 2007)

I just checked with my fresh install of v1809 Nov 2018, and I can't see MPSigStub in \windows\system32!! Mind you, it was updated with Offline WSUS to April 2019 updates.


----------



## Cookiegal (Aug 27, 2003)

That's probably the reason. MpsigStub.exe is used by Windows automatic updates. If your anti-exe didn't allow it to run then it wouldn't have been able to create the file in the System32 folder. I'd look for a failed update in your update history.


----------
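One way to test the explanation given in the thread (a Windows Defender update stub blocked in its temporary folder), added here as an example that is not part of any poster's message: check the blocked file's Authenticode signature and look for a failed definition update in Defender's event log. The function name `Test-BlockedBinary` and the 7-day window are assumptions made for illustration.

```powershell
# Added example: triage a binary that an anti-executable blocked.
# $Path is whatever the blocker logged; the file may already have been cleaned up.
function Test-BlockedBinary {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $item = Get-Item -LiteralPath $Path -Force
    [pscustomobject]@{
        Path         = $item.FullName
        Exists       = $true
        # 'Valid' means the signature verifies and chains to a trusted root.
        SignatureOK  = ($sig.Status -eq 'Valid')
        Signer       = $sig.SignerCertificate.Subject
        # Name embedded in the PE version resource; should match the file name.
        OriginalName = $item.VersionInfo.OriginalFilename
        SHA256       = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

# Path copied from the anti-exe log entry quoted in the thread.
Test-BlockedBinary 'c:\windows\servic~1\networ~1\appdata\local\temp\ibd9d45f-d1fd-4182-860c-edeef1336838\mpsigstub.exe'
# Location where other posters report finding the file.
Test-BlockedBinary 'C:\Windows\System32\MpSigStub.exe'

# Defender's operational log: event 2000 = definition update succeeded, 2001 = failed.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 2000, 2001
    StartTime = (Get-Date).AddDays(-7)   # assumed look-back window
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Run it from an elevated prompt, since the temp folder belongs to the NetworkService profile. A valid Microsoft signature on the blocked file together with a 2001 event near the block time is consistent with an interrupted Defender update.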

