
Up to Date
That's why real people use Chrome 4.0.202. Google are slipping if the beta is 2 full versions in front of the release.
Google has pushed out a patch for two severe vulns found in its Chrome browser. Mountain View released Chrome 2.0.172.43 yesterday that fixes an attack on Google's V8 JavaScript engine. Mozilla security wonks spotted the Chrome security flaw in V8. It could have allowed an attacker to gain access to sensitive information, by …
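A small check a defender would want after reading the above: decide whether an installed Chrome build is at or above the release that carries the fix. This is an added example, not code from the article or the commenters; the fixed version 2.0.172.43 is the one named in the article, and the installed versions fed to it are constructed sample inputs. It also shows why comparing dotted versions as plain strings gives wrong answers.

```python
# Added example, not from the article or the comments: compare Chrome-style
# dotted version strings numerically to decide whether an installed build
# already carries a fix. FIXED comes from the article; the installed versions
# in the demo below are constructed sample inputs.

def parse_version(s: str) -> tuple:
    """Split '2.0.172.43' into (2, 0, 172, 43); rejects non-numeric parts."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {s!r}")
    return tuple(int(p) for p in parts)

def is_patched(installed: str, fixed: str) -> bool:
    """True if installed >= fixed, compared component by component.
    Missing trailing components count as zero, so '4.0' equals '4.0.0.0'."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a >= b

FIXED = "2.0.172.43"   # release named in the article as carrying the V8 fix

if __name__ == "__main__":
    # Constructed sample inputs, including the case where naive string
    # comparison gets it wrong ("2.0.172.9" sorts after "2.0.172.43" as text).
    for v in ["2.0.172.43", "2.0.172.9", "2.0.172.100", "4.0.202", "1.0.154.65"]:
        verdict = "patched" if is_patched(v, FIXED) else "VULNERABLE"
        print(f"{v:12} {verdict:10} (string compare says >= fixed: {v >= FIXED})")
```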
I'm confused. When Google announced Chrome OS on their official blog they said:
"And as we did for the Google Chrome browser, we are going back to the basics and completely redesigning the underlying security architecture of the OS so that users don't have to deal with viruses, malware and security updates. It should just work."
The JavaScript vulnerability is a memory reading vulnerability. It only allows the page to see things that are in your browser's memory. If the attacker is lucky, then you may have just logged onto your bank and there may be your bank's password there. This is unlikely though; in practice this is not a very good attack. They can't use this attack to install malware.
The XML vulnerability is more serious, as it allows the attacker to run arbitrary code. In any other browser (IE, Firefox, Opera), then this would allow full access to your PC and the ability to install malware. However, Chrome has an additional layer of protection called a "sandbox", that restricts what the attacker can do. It's still a serious bug, but it can't easily be used to infect your PC with viruses or malware.
So, these bugs are the kind of thing that happen to all browsers, and congratulations to Google for having designed their browser to limit the impact of these bugs.
The disclosure does say "An attacker might be able to run arbitrary code within the Google Chrome sandbox." *Within the sandbox* is the important part, and means that the attacker's code is severely hampered and would have to exploit some sort of privilege escalation within Windows to get out and touch the user's (or the system's) files or network connection. This is good because the attacker would have to have two working zero-day exploits (one in Chrome and one in Windows) to have a chance of attacking an up-to-date system.
User code gets tricked into executing user code, when hasn't this been the case?
It's a symptom of "worse is better". Operating as though this is not the case is living in denial. That's why I boot from read only file systems and my data storage is append only.
Processing enormous volumes of externally produced data, some of which is guaranteed to have malicious intent, in executables that are guaranteed to be defective, on machines with convenient access to the LAN and WAN: what do you expect?
That such machines are ubiquitous demonstrates our enormous capacity for denial.
I've had people say to me that the security model of Lunix was better because "you'll only lose your home directory", you know, the irreplaceable files, whereas the system files were totally protected, you know, the files you downloaded in 30 mins from one of 100 places.
Yes, but given Google's strategy of "run everything in the browser" with the O/S kernel there merely to support the browser in question, that's not necessarily a comfort.
Ok, yer botnet may become a rarity*, but when his bank account's just been raided, his gmail account's become a sewer of spam and his Google docs have all been replaced with farmasutra pics that's not exactly going to cheer up Joe Punter now, is it?
I did have a sneaking suspicion that all this approach was going to do is move the most rewarding attack surface from the O/S itself to the browser sandbox.
*Then again, maybe not. Think about ChromeOS. Under that model, does the fact that your botnet client is running in the browser sandbox rather than in the O/S kernel make it any less effective? I'll grant it'd be a sight easier to remove and probably more tricky to make persistent.
Special report Seven months from now, assuming all goes as planned, Google Chrome will drop support for its legacy extension platform, known as Manifest v2 (Mv2). This is significant if you use a browser extension to, for instance, filter out certain kinds of content and safeguard your privacy.
Google's Chrome Web Store is supposed to stop accepting Mv2 extension submissions sometime this month. As of January 2023, Chrome will stop running extensions created using Mv2, with limited exceptions for enterprise versions of Chrome operating under corporate policy. And by June 2023, even enterprise versions of Chrome will prevent Mv2 extensions from running.
The anticipated result will be fewer extensions and less innovation, according to several extension developers.
Google has a fresh list of reasons why it opposes tech antitrust legislation making its way through Congress but, like others who've expressed discontent, the ad giant's complaints leave out mention of portions of the proposed law that address said gripes.
The bill in question is S.2992, the Senate version of the American Innovation and Choice Online Act (AICOA), which is closer than ever to getting votes in the House and Senate, which could see it advanced to President Biden's desk.
AICOA prohibits tech companies above a certain size from favoring their own products and services over their competitors. It applies to businesses considered "critical trading partners," meaning the company controls access to a platform through which business users reach their customers. Google, Apple, Amazon, and Meta in one way or another seemingly fall under the scope of this US legislation.
Google is winding down its messaging app Hangouts before it officially shuts in November, the web giant announced on Monday.
Users of the mobile app will see a pop-up asking them to move their conversations onto Google Chat, which is yet another one of its online services. It can be accessed via Gmail as well as its own standalone application. Next month, conversations in the web version of Hangouts will be ported over to Chat in Gmail.
Updated Another kicking has been leveled at American tech giants by EU regulators as Italy's data protection authority ruled against transfers of data to the US using Google Analytics.
The ruling by the Garante was made yesterday as regulators took a close look at a website operator who was using Google Analytics. The regulators found that the site collected all manner of information.
So far, so normal. Google Analytics is commonly used by websites to analyze traffic. Others exist, but Google's is very much the big beast. It also performs its analysis in the USA, which is what EU regulators have taken exception to. The place is, after all, "a country without an adequate level of data protection," according to the regulator.
After offering free G Suite apps for more than a decade, Google next week plans to discontinue its legacy service – which hasn't been offered to new customers since 2012 – and force business users to transition to a paid subscription for the service's successor, Google Workspace.
"For businesses, the G Suite legacy free edition will no longer be available after June 27, 2022," Google explains in its support document. "Your account will be automatically transitioned to a paid Google Workspace subscription where we continue to deliver new capabilities to help businesses transform the way they work."
Small business owners who have relied on the G Suite legacy free edition aren't thrilled that they will have to pay for Workspace or migrate to a rival like Microsoft, which happens to be actively encouraging defectors. As noted by The New York Times on Monday, the approaching deadline has elicited complaints from small firms that bet on Google's cloud productivity apps in the 2006-2012 period and have enjoyed the lack of billing since then.
A former Google video producer has sued the internet giant alleging he was unfairly fired for blowing the whistle on a religious sect that had all but taken over his business unit.
The lawsuit demands a jury trial and financial restitution for "religious discrimination, wrongful termination, retaliation and related causes of action." It alleges Peter Lubbers, director of the Google Developer Studio (GDS) film group in which 34-year-old plaintiff Kevin Lloyd worked, is not only a member of The Fellowship of Friends, the exec was influential in growing the studio into a team that, in essence, funneled money back to the fellowship.
In his complaint [PDF], filed in a California Superior Court in Silicon Valley, Lloyd lays down a case that he was fired for expressing concerns over the fellowship's influence at Google, specifically in the GDS. When these concerns were reported to a manager, Lloyd was told to drop the issue or risk losing his job, it is claimed.
Google has added API security tools and Workspace (formerly G Suite) admin alerts about potentially risky configuration changes such as super admin password resets.
The API capabilities – aptly named "Advanced API Security" – are built on top of Apigee, the API management platform that the web giant bought for $625 million six years ago.
As API data makes up an increasing amount of internet traffic – Cloudflare says more than 50 percent of all of the traffic it processes is API based, and it's growing twice as fast as traditional web traffic – API security becomes more important to enterprises. Malicious actors can use API calls to bypass network security measures and connect directly to backend systems or launch DDoS attacks.
Spyware developed by Italian firm RCS Labs was used to target cellphones in Italy and Kazakhstan — in some cases with an assist from the victims' cellular network providers, according to Google's Threat Analysis Group (TAG).
RCS Labs customers include law-enforcement agencies worldwide, according to the vendor's website. It's one of more than 30 outfits Google researchers are tracking that sell exploits or surveillance capabilities to government-backed groups. And we're told this particular spyware runs on both iOS and Android phones.
We understand this particular campaign of espionage involving RCS's spyware was documented last week by Lookout, which dubbed the toolkit "Hermit." We're told it is potentially capable of spying on the victims' chat apps, camera and microphone, contacts book and calendars, browser, and clipboard, and of beaming that info back to base. It's said that Italian authorities have used this tool in tackling corruption cases, and the Kazakh government has had its hands on it, too.
Democrat lawmakers want the FTC to investigate Apple and Google's online ad trackers, which they say amount to unfair and deceptive business practices and pose a privacy and security risk to people using the tech giants' mobile devices.
US Senators Ron Wyden (D-OR), Elizabeth Warren (D-MA), and Cory Booker (D-NJ) and House Representative Sara Jacobs (D-CA) requested on Friday that the watchdog launch a probe into Apple and Google, hours before the US Supreme Court overturned Roe v. Wade, clearing the way for individual states to ban access to abortions.
In the days leading up to the court's action, some of these same lawmakers had also introduced data privacy bills, including a proposal that would make it illegal for data brokers to sell individuals' sensitive location and health information relating to their medical treatment.
In brief A Japanese contractor working in the city of Amagasaki, near Osaka, reportedly mislaid a USB drive containing personal data on the metropolis's 460,000 residents.
Biting the hand that feeds IT © 1998–2022