Chrome zero-day bug that is actively being abused by bad folks affects Edge, Vivaldi, and other Chromium-tinged browsers
If you use Google Chrome or a Chromium-based browser such as Microsoft Edge, update it immediately and/or check it for updates over the coming days: there is a zero-day bug being "actively exploited" in the older version of Chrome that will also affect other vendors' browsers. Details are intentionally scant until enough of …
COMMENTS
Sunday 7th February 2021 16:59 GMT bombastic bob
Re: Cross reference (very)
I wonder if Google's bureaucratically minded approach was already being used for the browser's updates...
If so, I'll LAUGH EVEN HARDER!
Though maybe the _REAL_ problem is the way web browsers have diverted from displaying hypertext mixed with graphics and interactive links into a "mini-OS" of sorts, written in of all things, JavaScript.
Maybe they'll bother to fix another memory bug I've observed (and others online have been reporting for YEARS), where [under certain conditions] if you leave a page open that frequently "phones home" and does a periodic query across the network (let's say updating status text, like a weather monitor), in a particular use case the memory footprint will slowly increase until something crashes. It's been like this since forever, I think.
Sunday 7th February 2021 23:18 GMT Arthur Daily
Re: Cross reference (very)
A very insightful comment. Although the real operating system should simply manage the memory and stack getmains, and terminate the task when it exceeds some threshold. A three line recursive function should not crash the system! However bad players are now doing exactly that, repeating for each keyword/function that drive under-the-cover privileged connections.
Calling OS security as fast as you can, recursively is an excellent test. One dumb govt entity decided 'forms' was the way to go, with each field needing a call to see whether or not to display that field! The 1 minute response times to display that form .. classic.
You allude that when a network connection breaks or server not responding orphaning memory or token passes, or some variant of sticky not-quite-a-cookie. I can tell you IBM MVS solved this by having doubly linked lists, and checking counters for each push/pop, and tracking total memory use by pools - that also generated warnings. That was 45 years ago or longer.
Going forward Google needs to spend time on memory housekeeping, because programmers seem to only look at adding cruft, without the big picture. IBM created about 10 different ways to cancel a task, and several ways to FORCE terminate things with prejudice. And sometimes free Whiskey for reporting extremely rare one byte memory leaks to system programmers.
Friday 5th February 2021 16:51 GMT mark l 2
Re: Atchoo!
There are more than 2 browser engines. So it's not just Firefox users that can benefit from not using a Chromium-based browser.
The biggest non-Chromium-based browser is Safari, which comes as the default browser on every Apple device, so it has millions of active users.
I use Linux though, so it's not available on that platform, but I could install Konqueror and set it to use the WebKit engine.
Monday 8th February 2021 09:08 GMT Lee D
Re: Atchoo!
By the same token, we can fix all those browsers with one patch imported to them all, and we have however-many-more independent eyes looking at the code for problems.
The second you use a shared library, you have a "mono-culture" as you say.
The problem with IE was not the mono-culture... in fact the problem with IE was almost the opposite. No other browser used IE as its base, nobody was able to review the code, and yet it was often used as the default underlying things like basic web protocol association in local software / help files showing just plain HTML files.
The BIGGER problem with IE is that it had no reasonable permissions layer or restrictions and almost anything could shove an ActiveX control of its choice in your face with full user permissions. Software used to use it, websites used to use it, and malware used to use it. A security layer problem that was basically never properly solved until they actually removed IE / ActiveX itself.
Chrome doesn't have that - the browser DOM is pretty much locked down and even where you choose to do stupid things, you have to jump through hoops and the layering and the permission control is so much better than ActiveX ever had. Nowhere near perfect but so long as you don't install stuff that needs "to read all your websites" (a permission that never should have existed and is being phased out), the browser DOM contains things pretty damn well. It's almost a virtual machine.
If you want a demo, program something in Emscripten which converts to Webassembly or asmjs. You'll find that you can't access local files, you can't send arbitrary packets, you can't get into the user's machine and you can't do quite a lot of stuff. But you have functionality enough to write an online, multiplayer, 3D-accelerated game with sound and mouse/keyboard control. Just nothing that allows you to do anything you DON'T need to do, and nothing that the user can't just close the tab to get rid of.
Monday 8th February 2021 13:28 GMT nematoad
Re: Atchoo!
"No other browser used IE as its base, "
IE was the base.
Yes Netscape Navigator was around, but due to the shady dealings by MS it got shunted to the side. Hence the lawsuit in 2001 which found that MS hindered users and OEMs from uninstalling IE as part of their attempts to maintain their monopoly in the OS market.
Basically you used IE or found websites behaving in odd and unpredictable ways along with warnings like; "Best viewed using Internet Explorer."
Tuesday 9th February 2021 10:58 GMT Lee D
Re: Atchoo!
I was around then.
I started on Netscape, if you don't count DOS-based gopher-ing. Then Opera, probably, then Firefox, then Chrome and Chrome-based browsers.
I have never used IE in my life outside of literally stupendous banking websites that required it to plug in their own ActiveX for a card-reader in ridiculous ways "for security" as part of my work on finance systems. Otherwise, I've never loaded it in my life, except accidentally.
There wasn't a point at which IE was necessary for day-to-day browsing (My Amazon account is 20 years old this year, I think) except on tiny niche sites that deliberately made that decision, but my point was really that nobody ever made an "IE-clone" that used IE underneath it, like people use Chromium to make other browsers now.
Friday 5th February 2021 17:07 GMT tiggity
bug page
I went to look at the bug page, but gave up.
Showed FA (as I have most JS off, just a few things whitelisted).
Thought, I'll give it the benefit of the doubt, but cautiously enabling one thing led to whole cascade chains of other scripts needed to view the page, so I gave up.
.. I only wanted to find out if browsing with JS off protected you from the bug, but a bit of a catch-22 to find out
Basically, if a web site does not show basic information without javascript enabled it can f*** right off
Monday 8th February 2021 05:58 GMT Arthur Daily
Re: And they want...
See https://copperhead.co/android/
Why can't Google step up to the plate? I understand it can feed user pre-selected false bogus garbage to the mothership.
Nah, maybe not for google who do not want to give end users actual security granularity, or deny tracking.
So far, not a single app that will scramble secretive backchannel data exfiltrations. Nice to know botnets are now using this for C&C, as it gets past filtering.
Sunday 7th February 2021 20:14 GMT ovation1357
Re: Mozilla Firefox
I'm generally loving Firefox developer edition although it can be a bit of a resource hog (which isn't really any different from Chrome TBH).
I was really chuffed to discover 'about:memory' the other day, which not only can give you a very detailed analysis of RAM usage but also has a button to minimise memory usage that actually seems to work.
Saturday 6th February 2021 23:36 GMT Duncan Macdonald
Re: "the flaw exists in [..] Chromium's Javascript engine"
The main problem with Javascript is that users have no way of knowing what the scripts on a page actually do. Try using the view source option (available on many browsers) on the Google home page - hundreds of lines of compressed Javascript some of which are over 500 characters long.
Add to that dynamically chosen adverts that mean the source changes every minute and Javascript is a security nightmare even if there are no bugs in the browser.
Icon for what Javascript has become =========================>
Sunday 7th February 2021 17:00 GMT bombastic bob
Re: "the flaw exists in [..] Chromium's Javascript engine"
Blocking script is the only way to be "safe". Unfortunately a lot of sites break when you do this. Although I can avoid them 99% of the time, I still have a "special login" that runs without NoScript, for those times when I have to cave to their nonsense.
Hint to El Reg: Script is why ads should be showing up on my browser, but they don't. You could fix that, and ALSO show the world that you do NOT need script in ads. Win-Win
Monday 8th February 2021 18:19 GMT Marco Fontani
Re: "the flaw exists in [..] Chromium's Javascript engine"
Script is why ads should be showing up on my browser, but they don't.
I fear that might be an ad blocker or an extension or something else, as most of our ad fragments contain a "noscript" tag which ought to deliver image-based ads to users with JS disabled.
This is testable by actively disabling the browser's whole JS feature (i.e. "javascript.enable" set to false in FF's settings, or similar "javascript" set to "Off" in Chrome) and seeing that ads do indeed get delivered on a pristine browser in such a scenario.
Some extensions break that scenario as while they do block scripts from being executed, they don't seem to also properly allow "noscript" tags to be executed :/
If you want to block all JS, you can configure your browser to do just that. Noscript is something else, and it's much harder for us to work around (and show ads to people who want to keep JS "disabled" but would still be fine seeing ads).
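An added illustration (not code from the article or from any commenter) of the distinction Marco Fontani draws: a browser only parses `<noscript>` content as markup when scripting is disabled, so an extension that merely stops scripts from running, while leaving the scripting flag on, shows neither the script-injected ad nor the image fallback. The ad fragment, URLs and the three modes below are constructed for the example.

```javascript
// Minimal model of how the HTML parser treats a <script>/<noscript> pair in an ad
// fragment. Per the HTML spec, <noscript> children are parsed as real markup only
// when scripting is disabled; with scripting enabled they are inert raw text.

// Constructed sample ad fragment; the hostnames are placeholders, not real ad servers.
const AD_FRAGMENT = `
<div class="ad-slot">
  <script src="https://ads.example/loader.js"></script>
  <noscript><a href="https://ads.example/click"><img src="https://ads.example/static.png" alt="ad"></a></noscript>
</div>`;

const SCRIPT_RE = /<script[^>]*src="([^"]+)"[^>]*><\/script>/i;
const NOSCRIPT_RE = /<noscript>([\s\S]*?)<\/noscript>/i;

// mode is one of:
//   "js-on"     pristine browser, scripting enabled
//   "js-off"    scripting disabled in browser settings (the commenter's test)
//   "ext-block" scripting flag still on, but an extension refuses to run scripts
function renderAdFragment(fragment, mode) {
  const script = fragment.match(SCRIPT_RE);
  const noscript = fragment.match(NOSCRIPT_RE);
  const out = { scriptExecuted: false, fallbackRendered: false, markup: "" };

  if (mode === "js-off") {
    // Scripting disabled: the parser renders <noscript> children as markup.
    out.fallbackRendered = Boolean(noscript);
    out.markup = noscript ? noscript[1].trim() : "";
    return out;
  }
  // Scripting enabled ("js-on" or "ext-block"): <noscript> content stays inert text.
  if (mode === "js-on" && script) {
    out.scriptExecuted = true;
    out.markup = `<!-- ${script[1]} executed; ad injected by script -->`;
  }
  // "ext-block": script never ran and <noscript> was not honoured, so the slot is empty.
  return out;
}

// True when either delivery path produced an ad.
function adDelivered(fragment, mode) {
  const r = renderAdFragment(fragment, mode);
  return r.scriptExecuted || r.fallbackRendered;
}
```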
Monday 8th February 2021 01:03 GMT thejynxed
Re: "the flaw exists in [..] Chromium's Javascript engine"
Well, at least Eich apologized for the lax security standards in JS when he got raked over the coals about it on HackerNews and there actually are certain functions in the language that he would not add if he could go back and redo it. Unfortunately too much has been built on it and we're all royally shafted by every bad actor and advertising nitwit as a result.