Cross reference (very)
I think somebody was bleating about Open Source security failures recently.
If you use Google Chrome or a Chromium-based browser such as Microsoft Edge, update it immediately and/or check it for updates over the coming days: there is a zero-day bug being "actively exploited" in the older version of Chrome that will also affect other vendors' browsers. Details are intentionally scant until enough of …
I wonder if Google'w bureaucratically minded approach was already being used for the browser's updates...
If so, I'll LAUGH EVEN HARDER!
maybe they'll bother to fix another memory bug I've observed (and others online have been reporting for YEARS), where [under certain conditions] if you leave a page open that frequently "phones home" and does a periodic query across the network (let's say updating status text, like a weather monitor), that in a particular use case the memory footprint will slowly increase until something crashes. It's been like this, since, forever I think.
A very insightful comment. Although the real operating system should simply manage the memory and stack getmains, and terminate the task when it exceeds some threshold. A three line recursive function should not crash the system! However bad players are now doing exactly that, repeating for each keyword/function that drive under-the-cover privileged connections.
Calling OS security as fast as you can, recursively is an excellent test. One dumb govt entity decided 'forms' was the way to go, with each field needing a call to see whether or not to display that field! The 1 minute response times to display that form .. classic.
You allude that when a network connection breaks or server not responding orphaning memory or token passes, or some variant of sticky not-quite-a-cookie. I can tell you IBM MVS solved this by having doubly linked lists, and checking counters for each push/pop, and tracking total memory use by pools - that also generated warnings. That was 45 years ago or longer.
Going forward Google needs to spend time on memory housekeeping, because programmers seem to only look at adding cruft, without the big picture. IBM created about 10 different ways to cancel a task, and several ways to FORCE terminate things with prejudice. And sometimes free Whiskey for reporting extremely rare one byte memory leaks to system programmers.
There are more than 2 browser engines. So its not just Firefox users that can benefit from not being based on the Chromium based browser.
The biggest none Chromium based browser is Safari which comes as the default browser on every Apple device so has millions of active users.
I use Linux though so its not available on that platform, but I could install Konqueror and set it to use webkit engine
By the same token, we can fix all those browsers with one patch imported to them all, and we have however-many-more independent eyes looking at the code for problems.
The second you use a shared library, you have a "mono-culture" as you say.
The problem with IE was not the mono-culture... in fact the problem with IE was almost the opposite. No other browser used IE as its base, nobody was able to review the code, and yet it was often used as the default underlying things like basic web protocol association in local software / help files showing just plain HTML files.
The BIGGER problem with IE is that it had no reasonable permissions layer or restrictions and almost anything could shove an ActiveX control of its choice in your face with full user permissions. Software used to use it, websites used to use it, and malware used to use it. A security layer problem that was basically never properly solved until they actually removed IE / ActiveX itself.
Chrome doesn't have that - the browser DOM is pretty much locked down and even where you choose to do stupid things, you have to jump through hoops and the layering and the permission control is so much better than ActiveX ever had. Nowhere near perfect but so long as you don't install stuff that needs "to read all your websites" (a permission that never should have existed and is being phased out), the browser DOM contains things pretty damn well. It's almost a virtual machine.
If you want a demo, program something in Emscripten which converts to Webassembly or asmjs. You'll find that you can't access local files, you can't send arbitrary packets, you can't get into the user's machine and you can't do quite a lot of stuff. But you have functionality enough to write an online, multiplayer, 3D-accelerated game with sound and mouse/keyboard control. Just nothing that allows you to do anything you DON'T need to do, and nothing that the user can't just close the tab to get rid of.
"No other browser used IE as its base, "
IE was the base.
Yes Netscape Navigator was around, but due to the shady dealings by MS it got shunted to the side. Hence the lawsuit in 2001 which found that MS hindered users and OEMs from uninstalling IE as part of their attempts to maintain their monopoly in the OS market.
Basically you used IE or found websites behaving in odd and unpredictable ways along with warnings like; "Best viewed using Internet Explorer."
I was around then.
I started on Netscape, if you don't count DOS-based gopher-ing. Then Opera, probably, then Firefox, then Chrome and Chrome-based browsers.
I have never used IE in my life outside of literally stupendous banking websites that required it to plug in their own ActiveX for a card-reader in ridiculous ways "for security" as part of my work on finance systems. Otherwise, I've never loaded it in my life, except accidentally.
There wasn't a point at which IE was necessary for day-to-day browsing (My Amazon account is 20 years old this year, I think) except on tiny niche sites that deliberately made that decision, but my point was really that nobody ever made an "IE-clone" that used IE underneath it, like people use Chromium to make other browsers now.
I went to look at the bug page, but gave up.
Showed FA (as I have most JS off, just a few things whitelisted).
Thought, I'll give it benefit of the doubt, but cautiously enabling one thing led to whole cascade chains of other script s needed to view the page, so I gave up.
.. I only wanted to find out if browsing with JS off protected you from the bug, but a bit of a catch-22 to find out
Why can't Goolge step up to the plate? I understand it can feed user pre-selected false bogus garbage to the mothership.
Nah, maybe not for google who do not want to give end users actual security granularity, or deny tracking.
So far, not a single app that will scramble secretive backchannel data exfiltrations. Nice to know botnets are now using this for C&C, as it gets past filtering.
I'm generally loving Firefox developer edition although it can be a bit of a resource hog (which isn't really any different from Chrome TBH).
I was really chuffed to discover 'about: memory' the other day, which not only can give you a very detailed analysis of RAM usage but also has a button to minimise memory usage that actually seems to work.
blocking script is the only way to be "safe". Unfortunately a lot of sites break when you do this. Although I can avoid them 99% of the time, I still have a "special login" that runs without noscript, for those times when I have to cave to their nonsense.
Hint to El Reg: Script is why ads should be showing up on my browser, but they don't. You could fix that, and ALSO show the world that you do NOT need script in ads. Win-Win
Script is why ads should be showing up on my browser, but they don't.
I fear that might be an ad blocker or an extension or something else, as most of our ad fragments contain a "noscript" tag which ought to deliver image-based ads to users with JS disabled.
Some extensions break that scenario as while they do block scripts from being executed, they don't seem to also properly allow "noscript" tags to be executed :/
If you want to block all JS, you can configure your browser to do just that. Noscript is something else, and it's much harder for us to work around (and show ads to people who want to keep JS "disabled" but would still be fine seeing ads).
Well, at least Eich apologized for the lax security standards in JS when he got raked over the coals about it on HackerNews and there actually are certain functions in the language that he would not add if he could go back and redo it. Unfortunately too much has been built on it and we're all royally shafted by every bad actor and advertising nitwit as a result.
Special report Seven months from now, assuming all goes as planned, Google Chrome will drop support for its legacy extension platform, known as Manifest v2 (Mv2). This is significant if you use a browser extension to, for instance, filter out certain kinds of content and safeguard your privacy.
Google's Chrome Web Store is supposed to stop accepting Mv2 extension submissions sometime this month. As of January 2023, Chrome will stop running extensions created using Mv2, with limited exceptions for enterprise versions of Chrome operating under corporate policy. And by June 2023, even enterprise versions of Chrome will prevent Mv2 extensions from running.
The anticipated result will be fewer extensions and less innovation, according to several extension developers.
In brief A Japanese contractor working in the city of Amagasaki, near Osaka, reportedly mislaid a USB drive containing personal data on the metropolis's 460,000 residents.
The criminals behind the Emotet botnet – which rose to fame as a banking trojan before evolving into spamming and malware delivery – are now using it to target credit card information stored in the Chrome web browser.
Once the data – including the user's name, the card's numbers and expiration information – is exfiltrated, the malware will send it to command-and-control (C2) servers that are different than the one that the card stealer module uses, according to researchers with cybersecurity vendor Proofpoint's Threat Insight team.
The new card information module is the latest illustration of Emotet's Lazarus-like return. It's been more than a year since Europol and law enforcement from countries including the United States, the UK and Ukraine tore down the Emotet actors' infrastructure in January 2021 and – they hoped – put the malware threat to rest.
US PC shipments fell by double digits in the first quarter of 2022, mostly due to the collapse of Chromebook orders, yet the effect of inflation and a greater mix of higher spec machines lifted the value of those sales.
According to data compiled by tech analyst Canalys, some 19.554 million units were shipped into the channel during the three months, down 14 percent year on year, but revenues were up a whopping 40 percent.
This is the third straight quarter of unit sale declines after the "relative strengths of end-user segments changed," said Brian Lynch, research analyst. "The consumer and education segments saw demand slow further due to market saturation and rising concerns about inflation, which peaked in March at 8.5 percent, the highest rate of 12-month increase since 1981."
Spyware vendor Cytrox sold zero-day exploits to government-backed snoops who used them to deploy the firm's Predator spyware in at least three campaigns in 2021, according to Google's Threat Analysis Group (TAG).
The Predator campaigns relied on four vulnerabilities in Chrome (CVE-2021-37973, CVE-2021-37976, CVE-2021-38000 and CVE-2021-38003) and one in Android (CVE-2021-1048) to infect devices with the surveillance-ware.
Based on CitizenLab's analysis of Predator spyware, Google's bug hunters believe that the buyers of these exploits operate in Egypt, Armenia, Greece, Madagascar, Côte d'Ivoire, Serbia, Spain, Indonesia, and possibly other countries.
Mozilla on Wednesday launched a Developer Preview program to solicit feedback on Firefox extensions that implement Manifest v3, a Google-backed revision of browser extension architecture.
Mozilla last year said it intended to support MV3 in Firefox extensions, though with some differences. Its implementation of the WebExtensions API in Firefox has now incorporated enough of MV3 plumbing that developers can set the appropriate browser flags and experiment with MV3 extensions in Firefox v101, now in beta and due for release at the end of May.
Google Chrome is expected to stop supporting extensions created under the old MV2 specification in about a year, June 2023. And given Chrome's share of the browser market – about 64 per cent currently – extension developers will want to have updated their code by then and to have accounted for how MV3 works – or doesn't – in different browsers.
Updated Screencastify, a popular Chrome extension for capturing and sharing videos from websites, was recently found to be vulnerable to a cross-site scripting (XSS) flaw that allowed arbitrary websites to dupe people into unknowingly activating their webcams.
A miscreant taking advantage of this flaw could then download the resulting video from the victim's Google Drive account.
Software developer Wladimir Palant, co-founder of ad amelioration biz Eyeo, published a blog post about his findings on Monday. He said he reported the XSS bug in February, and Screencastify's developers fixed it within a day.
You can imagine the sighs of relief all round in Redmond, Washington this week as Acer launched its new TravelMate range, which has Microsoft's Pluton silicon built-in.
Analysis As a mainstream desktop OS, Linux is doing better than ever. The Year of Linux on the Desktop came some time ago, and it is ChromeOS (Chromebooks were outselling Macs until recently). But there's a problem – there is almost no diversity of design.
Let's count the number of desktop designs in active development. Not desktop projects, different user interfaces. There's GNOME, Ubuntu's Unity somehow still hanging on in there, and Elementary OS's Pantheon. All have a vaguely macOS-like look: a top panel (woefully underused except by Unity, so mostly wasted space) and a dock, which if you are lucky you can reposition.
So, arguably, that's… one.
Google is issuing fixes for two vulnerabilities in its Chrome web browser, including one flaw that is already being exploited in the wild.
The emergency updates the company issued this week impact the almost three billion users of its Chrome browser as well as those using other Chromium-based browsers, such as Microsoft Edge, Brave and Vivaldi.
It is the third such emergency update Google has had to issue for Chrome this year.
Biting the hand that feeds IT © 1998–2022