Creative Business Solutions USA Inc.

Creative Business Solutions USA Inc. FREE diagnostics: either remotely (over internet), at your home or business, or we can pick up your

09/29/2025

Update your Chrome today: Google patches 4 vulnerabilities including one zero-day
Posted: September 18, 2025 by Pieter Arntz

Google has released an update for its Chrome browser to patch four security vulnerabilities, including one zero-day. A zero-day vulnerability refers to a bug that has been found and exploited by cybercriminals before the vendor even knew about it (they have “zero days” to fix it).

This update is crucial since it addresses one vulnerability which is already being actively exploited and, reportedly, can be abused when the user visits a malicious website. It probably doesn’t require any further user interaction, which means the user doesn’t need to click on anything in order for their system to be compromised.

The Chrome update brings the version number to 140.0.7339.185/.186 for Windows and Mac, and 140.0.7339.185 for Linux. So, if your Chrome is on version 140.0.7339.185 or later, it’s protected against exploitation of these vulnerabilities.

The easiest way to update Chrome is to allow it to update automatically, but you can end up lagging behind if you never close your browser or if something goes wrong—such as an extension stopping you from updating the browser.

To manually get the update, click the more menu (three stacked dots), then choose Settings > About Chrome. If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is reload Chrome in order for the update to complete, and for you to be safe from the vulnerabilities.

You can find more elaborate update instructions and how to read the version number in our article on how to update Chrome on every operating system.
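
For anyone checking more than one machine, the version rule above can be applied to a list of reported version strings. This is an added example, not part of the original article; it assumes each machine reports a line in the form `Google Chrome 140.0.7339.185`, and the host names and all versions in the sample inventory are constructed.

```python
import re

# Fixed Google Chrome build named in the article above.
PATCHED = (140, 0, 7339, 185)

# Matches lines such as "Google Chrome 140.0.7339.185" (product name, then a.b.c.d).
VERSION_RE = re.compile(r"^(?P<product>.+?)\s+(?P<ver>\d+(?:\.\d+){3})\b")

def classify(version_line):
    """Return a status for one reported browser version line."""
    m = VERSION_RE.match(version_line.strip())
    if not m:
        return "unparsed"
    if m.group("product") != "Google Chrome":
        # The article gives no fixed build numbers for other Chromium-based browsers.
        return "check-vendor"
    # Compare numerically: as plain strings, "140.0.7339.80" sorts after "140.0.7339.185".
    version = tuple(int(part) for part in m.group("ver").split("."))
    return "patched" if version >= PATCHED else "update-needed"

def audit(inventory):
    """Group host names by status so the machines needing attention stand out."""
    report = {}
    for host, line in inventory.items():
        report.setdefault(classify(line), []).append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}

# Constructed sample inventory (host name -> reported version line).
SAMPLE = {
    "ws-01": "Google Chrome 140.0.7339.185",
    "ws-02": "Google Chrome 140.0.7339.80 ",
    "mac-01": "Google Chrome 140.0.7339.186",
    "lap-07": "Google Chrome 141.0.7390.54",
    "kiosk": "Chromium 139.0.7258.66 snap",
    "srv": "command not found",
}

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(f"{status}: {', '.join(hosts)}")
```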

Technical details on the zero-day vulnerability

Google describes the zero-day vulnerability, tracked as CVE-2025-10585, as a type confusion in V8. It was reported by Google Threat Analysis Group on 2025-09-16.

Despite the short statement—Google never reveals a lot of details until everyone has had a chance to update—there are a few conclusions we can draw.

It helps to know that V8 is Google’s open-source JavaScript engine.

A “type confusion” vulnerability happens when code doesn’t verify the object type passed to it and then uses the object without type-checking. So, a program mistakenly treats one type of data as if it were another, like confusing a list for a single value or interpreting a number as text. This mix-up can cause the software to behave unpredictably, creating opportunities for attackers to break in, steal data, crash programs, or even run malicious code.
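
The mix-up described above can be shown in miniature. This is an added sketch, not code from V8 or from the original article: the tags, the 9-byte slot layout and the function names are assumptions made for illustration. It stores a decimal number in a tagged slot, reads it back once without checking the tag and once with the check.

```python
import struct

TAG_INT, TAG_DOUBLE = 1, 2   # constructed type tags for this sketch
TABLE = [10, 20, 30]         # a small table the integer is meant to index

def box(value):
    """Store a value as one tag byte followed by 8 raw payload bytes."""
    if isinstance(value, int):
        return bytes([TAG_INT]) + struct.pack("<q", value)
    if isinstance(value, float):
        return bytes([TAG_DOUBLE]) + struct.pack("<d", value)
    raise TypeError("unsupported type")

def read_int_unchecked(slot):
    """Confused path: assumes the slot holds an integer and ignores the tag."""
    return struct.unpack("<q", slot[1:9])[0]

def read_int_checked(slot):
    """Hardened path: verifies the tag before interpreting the payload."""
    if slot[0] != TAG_INT:
        raise TypeError(f"expected an integer slot, found tag {slot[0]}")
    return struct.unpack("<q", slot[1:9])[0]

def demo():
    slot = box(1.0)                       # a double where an integer is expected
    confused = read_int_unchecked(slot)   # the double's bit pattern read as an int
    # In a memory-unsafe engine this value would be used as an index or address.
    in_bounds = 0 <= confused < len(TABLE)
    try:
        read_int_checked(slot)
        rejected = False
    except TypeError:
        rejected = True
    return confused, in_bounds, rejected

if __name__ == "__main__":
    print(demo())
```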

Google’s Threat Analysis Group (TAG) focuses on spyware and nation-state attackers who abuse zero days for espionage purposes.

So, it stands to reason that an attacker used JavaScript to create a malicious site that exploited this vulnerability and lured targeted victims to that website.

TAG reported the bug on September 16, and Google issued the patch one day later. That implies that the bug was urgent, or very easy to fix, and probably that both of those statements are true to some extent.

Usually, as more details become known or a patch gets reverse engineered, cybercriminals will start using the vulnerability in less targeted attacks.

Users of other Chromium-based browsers, such as Microsoft Edge, Brave, Opera, and Vivaldi, are also advised to keep an eye out for updates and install them when they become available.

HAPPY NEW YEARS !!!!!!
12/31/2024

Merry Christmas !!!
12/24/2024

12/12/2024

Good day,

As we move into the Holiday Season, I would like to remind everyone that hackers ramp up their efforts to infect your computers, devices and business networks. I recommend keeping all social media and online shopping on your smartphones and home computers. Never use your work e-mail address for online shopping.

Increased risk of downloading malware via social media:

Social media is a brilliant tool for sharing links, videos and interesting information with your friends online. But not all those links go to good places. Quite often those pages will have adware, malware or computer viruses lurking in the background, trying to download themselves onto your computer.

Ignore Strange Emails:

Many companies send holiday shopping and promotional emails all throughout the holiday season. Some hackers try to capitalize on this and try to catch victims through phishing scams. Don’t fall for scams promising unrealistically deep discounts or free merchandise. You know what they say, if it’s too good to be true, it probably is.

Fake delivery-service emails:

Please be extremely cautious when opening emails with unexpected links or attachments, especially if they appear to be from a familiar company or person but have slight variations in the sender address.

Key signs of a phishing email:
• Urgent requests for personal information like passwords, credit card details, or social security numbers.
• Links that seem suspicious or lead to unfamiliar websites.
• Poor grammar or unusual formatting.
• Sender address that looks slightly different from a trusted source.

What to do if you suspect a phishing email:
• Do not click on any links or open attachments.
• Forward the suspicious email to your IT people for further investigation.
• Delete the email immediately.

If you have already clicked on a suspicious link, change your passwords immediately and contact our IT support team for further assistance.

Stay vigilant and protect your personal information by being cautious of phishing attempts.

During December, many Americans receive items shipped by UPS, FedEx, and the US Postal Service - a fact that criminals exploit by sending emails and text messages that impersonate correspondence from these services and that deliver malware via attachments or direct users to phishing websites. If you have questions about a delivery - or receive an email alert about a delivery - visit the carrier's website by entering their URL into a web browser; do not click on links in an email or open attachments.
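
The "sender address that looks slightly different from a trusted source" sign listed above can be checked mechanically for the carriers just mentioned. This is an added example, not part of the original post; the trusted domain list is an assumption, and the sample From lines are constructed.

```python
import re
from email.utils import parseaddr

# Assumption: domains of the carriers named above; adapt to your own trusted senders.
TRUSTED = ("fedex.com", "ups.com", "usps.com")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header):
    """Classify one From header against the trusted carrier domains."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unparsed"
    full = addr.rsplit("@", 1)[1].lower().rstrip(".")
    # Simplification: last two labels; production code should use the Public Suffix List.
    domain = ".".join(full.split(".")[-2:])
    if domain in TRUSTED:
        # The From line can be forged; this only means the domain matches.
        return "trusted-domain"
    closest = min(TRUSTED, key=lambda good: edit_distance(domain, good))
    if edit_distance(domain, closest) <= 2:
        return "lookalike:" + closest
    # Brand named in the display name or buried in a longer host name.
    words = set(re.findall(r"[a-z0-9]+", (name + " " + full).lower()))
    for good in TRUSTED:
        if good.split(".")[0] in words:
            return "impersonates:" + good
    return "no-match"

# Constructed sample From lines.
SAMPLES = [
    "UPS Delivery <tracking@ups.com>",
    "FedEx <notice@fedx.com>",
    "USPS <info@usps.com.parcel-check.example>",
    "Alice <alice@example.org>",
    "not an address",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{check_sender(header):28} {header}")
```

The edit-distance threshold of 2 is a heuristic and will also flag some legitimate short domains, so treat a hit as a reason to look closer rather than as proof.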

Remember, even if you play it safe, someone on your mailing list may get infected. If you get an email that has attachments and looks odd in any way, do not open the attachment; rather, e-mail them back and ask what the attachment is all about.

If malware does install itself on your work computer, it could cause serious damage to the rest of the network. The time and costs associated with fixing these issues could seriously hurt your company – even if it was an accident.

Happy Halloween
10/31/2024

06/03/2024

Ticketmaster confirms customer data breach
Posted: June 1, 2024 by Anna Brading
Live Nation Entertainment has confirmed what everyone has been speculating on for the last week: Ticketmaster has suffered a data breach.

In a filing with the SEC, Live Nation said on May 20th it identified “unauthorized activity within a third-party cloud database environment containing Company data (primarily from its Ticketmaster L.L.C. subsidiary)” and launched an investigation.

The third party it refers to is likely Snowflake, a cloud company used by thousands of companies to store, manage, and analyze large volumes of data. Yesterday, May 31st, Snowflake said it had “recently observed and are investigating an increase in cyber threat activity” targeting some of its customers’ accounts. It didn’t mention which customers.

In the SEC filing, Live Nation also said:

On May 27, 2024, a criminal threat actor offered what it alleged to be Company user data for sale via the dark web. We are working to mitigate risk to our users and the Company, and have notified and are cooperating with law enforcement. As appropriate, we are also notifying regulatory authorities and users with respect to unauthorized access to personal information.

The user data likely refers to the sales ad for 560 million customers’ data that was posted online earlier this week by a group calling themselves ShinyHunters. The data was advertised for $500,000 and says it includes customer names, addresses, emails, credit card details, order information, and more.
[Image: post on BreachForums by ShinyHunters offering Live Nation / Ticketmaster data for sale]

Bleeping Computer says it spoke to ShinyHunters who said they already had interested buyers, and believed one of the buyers that approached them was Ticketmaster itself.

Ticketmaster says it has begun notifying its users of the breach. We are likely to hear more in the coming days, and will update you as we do.

For now, Ticketmaster users should keep an eye on their credit and bank accounts for any unauthorized transactions and follow our general data breach tips below.

Great Info!!!
05/20/2024

Phishers are using new authentication-in-the-middle techniques to dupe victims into providing their login and MFA credentials.

12/13/2023

Government agencies have been asking Apple and Google for metadata related to push notifications, but the companies aren't allowed to tell users about it.

02/02/2023

WhatsApp hijackers take over your account while you sleep.
Posted: January 25, 2023 by Malwarebytes Labs

Late last week, Twitter user Zuk tweeted an issue about WhatsApp that has the potential to turn heads.

He explains that attackers can take advantage of two things: a user's availability and how identity verification works on WhatsApp.

A user who is not available to respond to verification checks—whether they're asleep, in-flight, or have simply set their smartphone to "do not disturb"—may be at risk of losing their WhatsApp account. All an attacker needs is their target's phone number.

Here's how it works.

The attacker attempts to log in to a WhatsApp account. As part of the verification process, WhatsApp sends an SMS with a PIN to the phone number tied to the account.

The user is unavailable so doesn't realise there is a suspicious login. The attacker then tells WhatsApp that the SMS didn't arrive and asks for verification by phone call.

Since the account owner is still unavailable and cannot pick up the call, the call goes to the number's voicemail. Knowing the target's phone number, the attacker then attempts to access their voicemail by keying in the last four digits of the user's mobile number, which is usually the default PIN code to access the user's voicemail.

The attacker then has the WhatsApp verification code, and can use it to access the victim's WhatsApp account. They can then set up their own 2FA (two-factor authentication) on it, leaving the actual owner locked out of their own account.

Once the account has been hijacked, the attacker could use it to hijack accounts of the user's contacts, spread malware, or hold the account hostage until the owner pays up to get it back.

How to protect your own WhatsApp account

This isn't a new tactic, and has been around for a while, but there are two pretty simple things you can do to avoid it happening to you.

1. Change the default PIN of your voicemail.
2. Enable two-step verification on your WhatsApp account:
• Open Settings.
• Tap Account > Two-step verification > Enable.
• Enter a six-digit PIN.
• Enter an email address, or tap Skip if you don’t want to. WhatsApp says it recommends adding an email address so you can reset two-step verification if you need to.
• Tap Next.
• Confirm the details and tap Save or Done.

Stay safe!

Have a Safe and Happy Veterans Day
11/11/2022

Address

BOX 425
Nassau, NY
12123

Opening Hours

Monday 9am - 5pm
Tuesday 9am - 5pm
Wednesday 9am - 5pm
Thursday 9am - 5pm
Friday 9am - 5pm
Saturday 9am - 5pm
Sunday 10am - 4pm

Telephone

(518) 533-9819
