ISLAMABAD: The Pakistan Revenue Automation Pvt Limited (PRAL) has identified multiple vulnerabilities in Google Chrome, the most severe of which could allow for arbitrary code execution.
Google Chrome is a web browser used to access the internet.
In an advisory note issued on Wednesday, the PRAL said that the successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser.
Depending on the privileges associated with the application, an attacker could view, change or delete data.
“If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights,” the PRAL said.
PRAL provides taxation services to the Federal Board of Revenue (FBR) and other provincial revenue authorities.
The PRAL said that Google Chrome versions prior to 88.0.4324.182 were affected by the vulnerabilities.
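A quick way for an administrator to act on that version statement is to compare each installed build against the fixed release. The following is an added example, not code from the advisory or from PRAL; it takes the threshold 88.0.4324.182 from the advisory and uses constructed sample version strings in the format printed by `google-chrome --version`. Its main point is that version strings must be compared component-wise as integers, since a plain string comparison would rank `88.0.4324.96` above `88.0.4324.182`.

```python
"""Flag Chrome builds older than the fixed release named in the advisory.

Added example, not part of the PRAL advisory or the news report. The fixed
version 88.0.4324.182 comes from the advisory; all host names and sample
version strings below are constructed for illustration.
"""
import re
from typing import Dict, Tuple

FIXED_VERSION = "88.0.4324.182"  # first release the advisory lists as not affected

# Matches a dotted version number with two to four numeric components.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a dotted version from text such as 'Google Chrome 88.0.4324.150'
    and return it as a tuple of integers padded to four components, so that
    comparisons are numeric and component-wise. Comparing the raw strings
    would be wrong: '88.0.4324.96' > '88.0.4324.182' lexically, but 96 < 182."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (4 - len(parts))


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is strictly older than the fixed release."""
    return parse_version(installed) < parse_version(fixed)


def triage(inventory: Dict[str, str]) -> Dict[str, bool]:
    """Map each host in a host -> version-string inventory to whether it needs updating."""
    return {host: is_affected(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, as might be collected from `google-chrome --version`
    # on each workstation. Host names and versions are illustrative only.
    sample = {
        "ws-01": "Google Chrome 88.0.4324.150",
        "ws-02": "Google Chrome 88.0.4324.182",
        "ws-03": "Google Chrome 88.0.4324.96",
        "ws-04": "Google Chrome 89.0.1.0",
        "ws-05": "87.0.4280.1",
    }
    for host, affected in triage(sample).items():
        status = "UPDATE REQUIRED" if affected else "ok"
        print(f"{host}: {status} ({sample[host]})")
```

The same comparison applies to whatever source the version is read from (a software inventory export, the browser's own About page, or a package manager); only `parse_version` needs to match the input format.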
To guard against the vulnerabilities, the PRAL recommended the following:
- The FBR IT Security Policy sanctioned by Member (IT), FBR, must be strictly followed.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. It is highly recommended that the computer system be registered with the LAN's Active Directory server.
- Avoid clicking unknown links and downloading attachments sent by anonymous users.
- The use of third-party antivirus software is strictly prohibited; only approved, licensed antivirus software must be installed on desktop PCs.
- Always avoid using suspicious USB flash sticks. If a USB flash stick must be used, always scan it first with approved antivirus software.
- Regularly update the operating system, antivirus software, internet browsers and MS Office, and disable macros.
- Keep the Windows firewall enabled on the desktop computer system.
- All sensitive information should be handled with care, and dissemination to all concerned should be done through secure means.
- Use of official email is highly recommended.
- Change the passwords of the respective accounts regularly.
- Always memorize passwords; never write them down.
- Maintain regular offline backups or a centralized offline backup of critical data.
- Be wary of pop-ups in internet browsers or on desktop screens, and never enter confidential information in a pop-up screen.