Google has patched a bug in Chrome dubbed ‘evil cursor’ that was exploited by the tech support scammers to create an artificial mouse cursor and lock users inside browsers.
A security researcher from Malwarebytes, Jerome Segura, who detected this ‘evil cursor’ bug noted that the tech support scammers relied on custom images to replace the system’s standard mouse cursor.
The big picture
According to Segura, a threat group named ‘Partnerstroka’ exploited this bug by replacing the standard mouse cursor (OS 32-by-32 pixels) with 128 or 256 pixels in size.
Why Google took a long time to patch - The security researcher reported this bug to Google last year. However, it took longer for Google to patch this bug. Browsers support custom mouse cursor images for web games, therefore, disabling custom images would impact thousands of gaming sites.
Since it is complex to patch the bug without impacting the existing sites, Google developers tested this bug for months and have now come up with a patch.
The fix to this bug in Chrome will automatically revert the cursor back to the standard OS graphics when hovering over parts of the Chrome browser interface thereby preventing users from getting locked in browser pages.
Worth noting - The fix to this ‘evil cursor’ bug is currently live for Google Canary users and is scheduled for the Chrome 75 stable branch soon.