If you're an update laggard, buck up: Chrome zero-days are being exploited in the wild

Patch Google Chrome with the latest updates – if you don't, you're vulnerable to a zero-day that is actively being exploited, the US Cybersecurity and Infrastructure Security Agency (CISA) has warned. Criminals are targeting users of Chrome with outdated installations, CISA said in an advisory note urging folk to update their …

  1. Throatwarbler Mangrove Silver badge
    Happy

    Ha ha, I run Edge!

    My hierarchy of commonly-installed browsers:

    Firefox (with uBlock Origin, etc.) for most browsing

    Edge for more relaxed browsing restrictions and Chrome compatibility

    Chrome for when dipshit Web developers have explicitly coded their crap to Chrome exclusively

    It's ironic that Edge is more secure than Chrome, don'cha think?

    1. sev.monster Bronze badge
      Unhappy

      Re: Ha ha, I run Edge!

      Since Edge uses Chromium and as such V8, you are most certainly vulnerable. MS has already released updates.

      Modern Edge is just a fancy Chromium wrapper—a shittier Vivaldi, if you will. Neither legacy nor modern Edge brings anything new to the table, and frankly I don't see why anyone uses them other than that they come standard with the workstation editions of Windows 10... If I have to use Windows I use 10 Enterprise LTSC so I don't even have any version of Edge installed :)

      I would at least have more respect for your flippant attitude if you were using legacy Chromium, which uses an independent rendering engine, meaning not Chromium or IE. Don't recall what it used for JS etc., though...

    2. Anonymous Coward
      Anonymous Coward

      Re: Ha ha, I run Edge!

      For me at work it's:

      Edge v44 (aka Legacy Edge, corp. IT rolls software out slowly)

      IE11 for sites that don't work because my Edge install is too new/too old.

      Chrome used on a lab computer for a "temporary" workaround to an internal tool that doesn't work on Edge or current IE (another corp. group is working on that one)

      Chrome is also on my work laptop after a frantic download to connect to a google meet.

      At home:

      Firefox (with a handful of privacy extensions)

      Chrome (only for gmail and related activity, and paying my Centurylink bill, since their shitty website wasn't working with FF)

  2. heyrick Silver badge
    Coat

    Tin foil hat brigade

    What they really want is to scare everybody into updating to the latest version of Chrome that tracks everything you do to report back to the mothership, but is a little better at hiding that it is doing so...

    1. quartzz

      Re: Tin foil hat brigade

      provable? not by me

      believable? ..yes

    2. Anonymous Coward
      Anonymous Coward

      Re: Tin foil hat brigade

      I agree about the scare tactics and the update harvesting more than before.

      Google should provide the updates separately if OS problem or option not to allow yet more slurp if app specific

  3. Lorribot Silver badge

    This affects all Chromium browsers, there have been a number of updates applied to Vivaldi and Edge over the last few days.

    What I find disappointing is that Chromium browsers don't always seem to update automatically; you have to go into Help > About to trigger the update in Edge, which is pants really, but I guess people get upset when Microsoft stuff auto-updates. Vivaldi seems to check for updates on startup and then offer to apply, whilst Firefox seems to be a bit more random. Don't know about Google Chrome as I don't use Google stuff if at all possible, but the fact that people are being told to update is not a good sign.

  4. RM Myers Silver badge
    Thumb Down

    Google Responsibly

    Regardless of the scanty information – easily explained by Google, quite responsibly, not wanting to hand every script kiddie on the internet information on how to pwn slow-to-update folk...

    But not so much responsibly when reporting vulnerabilities in non-Google products: https://www.theregister.com/2020/11/03/google_project_zero_github_flaw_deadline/

    1. sev.monster Bronze badge

      Re: Google Responsibly

      Do as I say, not as I do.

      — Chocolate Bounce House

    2. sabroni Silver badge

      Re: But not so much responsibly when reporting vulnerabilities in non-Google products

      Just what I came to say!

      Was the author deliberately trolling or just poorly informed? Neither is a good look for a journalist.

    3. Michael Wojcik Silver badge

      Re: Google Responsibly

      Sigh.

      The GitHub issue was disclosed to them 104 days ago: 90 days plus the 14-day grace period. That's how responsible disclosure policies work.

      GitHub themselves disclosed technical details about the GitHub Actions vulnerabilities.

      Google have disclosed the Chrome issue discussed in the article. They just haven't released technical details.

      Are these details really that hard to understand?

      1. RM Myers Silver badge
        FAIL

        Re: Google Responsibly

        GitHub disclosed some details about the vulnerabilities; Google disclosed more details and provided example exploit code. Also, as someone else has mentioned, Google Project Zero treats a vulnerability being exploited in the wild the same as one past the 90-day time period, except obviously if it is a Google product. And yes, releasing the technical details on a vulnerability without a fix, and which Google themselves agree is very difficult to fix, but not releasing the technical details on a vulnerability with a fix does qualify as a double standard.

  5. RyokuMas Silver badge
    Coat

    Start the clock...

    "... Chrome zero-days are being exploited in the wild"

    So we can expect to see full details of these vulnerabilities made public in seven days time... because that's "responsible disclosure", right?

  6. JCitizen Bronze badge
    FAIL

    I had to totally restart the PC..

    To get this update to relaunch the browser! WTF!! I've never had trouble updating Chrome before! I couldn't get it to relaunch after downloading the update, so I restarted the PC and started all over again, to finally get it updated. Weird! The other odd thing was, I cleaned all my files, and yet Chrome remembered where I left off even after cleaning and restarting! That has never happened before either?! Maybe the previous version was tracking every page I had open and sending that information back to the browser once connected to the web again? I don't know - makes no sense.

    Also Chrome didn't tell me it was time to update like it usually does before; I only knew to check after reading this article!

    1. Anonymous Coward
      Anonymous Coward

      Re: I had to totally restart the PC..

      Session storage by default keeps state if the browser does not shut down cleanly, which it sounds like happened!! And what do you mean clean, and what files! Did you take a duster to them!

      I feel like you might need to learn a bit more about how your browser works! Turning it (the computer) off and on again isn't a great solution because it results in never learning the cause of things!!

  7. Claptrap314 Silver badge

    Is Chromium the new Flash?

    "Free" products produced by companies addicted to telemetry, producing a constant stream of moderate to severe security issues.

    Just no.

    1. sev.monster Bronze badge

      Re: Is Chromium the new Flash?

      Only workable alternatives are the aged Gecko with the bastards that are Mozilla tanking it into the floor every patch, and WebKit aka that thing Blink forked from.

      Servo looks interesting but it isn't stable or feature-complete yet.

      Everything else is not worth anyone's time if you care about spec conformity.
