Chrome zero-day bug that is actively being abused by bad folks affects Edge, Vivaldi, and other Chromium-tinged browsers

If you use Google Chrome or a Chromium-based browser such as Microsoft Edge, update it immediately and/or check it for updates over the coming days: there is a zero-day bug being "actively exploited" in the older version of Chrome that will also affect other vendors' browsers. Details are intentionally scant until enough of …

  1. Greybearded old scrote Silver badge
    FAIL

    Cross reference (very)

    I think somebody was bleating about Open Source security failures recently.

    1. bombastic bob Silver badge
      Devil

      Re: Cross reference (very)

      I wonder if Google's bureaucratically minded approach was already being used for the browser's updates...

      If so, I'll LAUGH EVEN HARDER!

      Though maybe the _REAL_ problem is the way web browsers have diverted from displaying hypertext mixed with graphics and interactive links into a "mini-OS" of sorts, written in of all things, JavaScript.

      maybe they'll bother to fix another memory bug I've observed (and others online have been reporting for YEARS), where [under certain conditions] if you leave a page open that frequently "phones home" and does a periodic query across the network (let's say updating status text, like a weather monitor), in a particular use case the memory footprint will slowly increase until something crashes. It's been like this since forever, I think.

      1. Arthur Daily

        Re: Cross reference (very)

        A very insightful comment. Although the real operating system should simply manage the memory and stack getmains, and terminate the task when it exceeds some threshold. A three-line recursive function should not crash the system! However bad players are now doing exactly that, repeating for each keyword/function that drives under-the-cover privileged connections.

        Calling OS security as fast as you can, recursively, is an excellent test. One dumb govt entity decided 'forms' was the way to go, with each field needing a call to see whether or not to display that field! The 1 minute response times to display that form... classic.

        You allude to the case where a network connection breaks or a server stops responding, orphaning memory or token passes, or some variant of a sticky not-quite-a-cookie. I can tell you IBM MVS solved this by having doubly linked lists, checking counters for each push/pop, and tracking total memory use by pools - that also generated warnings. That was 45 years ago or longer.

        Going forward Google needs to spend time on memory housekeeping, because programmers seem to only look at adding cruft, without the big picture. IBM created about 10 different ways to cancel a task, and several ways to FORCE terminate things with prejudice. And sometimes free Whiskey for reporting extremely rare one byte memory leaks to system programmers.

  2. AnAnonymousCanuck

    Chrome and Chromium are bugs: web bugs reporting everything to Google...

    YMMV (actually it's Google so it won't)

    AAC

  3. nematoad Silver badge
    Unhappy

    Atchoo!

    "The V8 vuln affects Chromium-based browsers in general and not just Google Chrome itself. "

    Ah the joys of a monoculture! Didn't we go through this once before with IE?

    Looks like Chrome caught a cold and everyone sneezes.

    1. Dan 55 Silver badge

      Re: Atchoo!

      Well, everybody except Firefox.

      1. mark l 2 Silver badge

        Re: Atchoo!

        There are more than 2 browser engines. So it's not just Firefox users that can benefit from not being on a Chromium-based browser.

        The biggest non-Chromium-based browser is Safari, which comes as the default browser on every Apple device so has millions of active users.

        I use Linux though, so it's not available on that platform, but I could install Konqueror and set it to use the WebKit engine.

        1. markmaxwell

          Re: Atchoo!

          Safari is also a WebKit engine-based browser. WebKit, Gecko, then libcurl probably. Unless you mean, V8 engine?

      2. MacroRodent Silver badge

        Re: Atchoo!

        Yes. Demonstrates how it is in everyone's (even Google's) interest to keep the Mozilla project alive.

    2. Lee D

      Re: Atchoo!

      By the same token, we can fix all those browsers with one patch imported to them all, and we have however-many-more independent eyes looking at the code for problems.

      The second you use a shared library, you have a "mono-culture" as you say.

      The problem with IE was not the mono-culture... in fact the problem with IE was almost the opposite. No other browser used IE as its base, nobody was able to review the code, and yet it was often used as the default underlying things like basic web protocol association in local software / help files showing just plain HTML files.

      The BIGGER problem with IE is that it had no reasonable permissions layer or restrictions and almost anything could shove an ActiveX control of its choice in your face with full user permissions. Software used to use it, websites used to use it, and malware used to use it. A security layer problem that was basically never properly solved until they actually removed IE / ActiveX itself.

      Chrome doesn't have that - the browser DOM is pretty much locked down and even where you choose to do stupid things, you have to jump through hoops and the layering and the permission control is so much better than ActiveX ever had. Nowhere near perfect but so long as you don't install stuff that needs "to read all your websites" (a permission that never should have existed and is being phased out), the browser DOM contains things pretty damn well. It's almost a virtual machine.

      If you want a demo, program something in Emscripten which converts to Webassembly or asmjs. You'll find that you can't access local files, you can't send arbitrary packets, you can't get into the user's machine and you can't do quite a lot of stuff. But you have functionality enough to write an online, multiplayer, 3D-accelerated game with sound and mouse/keyboard control. Just nothing that allows you to do anything you DON'T need to do, and nothing that the user can't just close the tab to get rid of.

      1. nematoad Silver badge
        Unhappy

        Re: Atchoo!

        "No other browser used IE as its base, "

        IE was the base.

        Yes Netscape Navigator was around, but due to the shady dealings by MS it got shunted to the side. Hence the lawsuit in 2001 which found that MS hindered users and OEMs from uninstalling IE as part of their attempts to maintain their monopoly in the OS market.

        Basically you used IE or found websites behaving in odd and unpredictable ways along with warnings like; "Best viewed using Internet Explorer."

        1. Lee D

          Re: Atchoo!

          I was around then.

          I started on Netscape, if you don't count DOS-based gopher-ing. Then Opera, probably, then Firefox, then Chrome and Chrome-based browsers.

          I have never used IE in my life outside of literally stupendous banking websites that required it to plug in their own ActiveX for a card-reader in ridiculous ways "for security" as part of my work on finance systems. Otherwise, I've never loaded it in my life, except accidentally.

          There wasn't a point at which IE was necessary for day-to-day browsing (My Amazon account is 20 years old this year, I think) except on tiny niche sites that deliberately made that decision, but my point was really that nobody ever made an "IE-clone" that used IE underneath it, like people use Chromium to make other browsers now.

  4. TaabuTheCat

    Chrome is the new Flash

    That is all.

    1. HildyJ Silver badge
      Devil

      Re: Chrome is the new Flash

      To be fair, Chrome is a data sucking leech.

      JavaScript is the new Flash.

      1. bombastic bob Silver badge
        Thumb Up

        Re: Chrome is the new Flash

        "JavaScript is the new Flash"

  5. Vic-21

    I.E.

    This would never have happened with ie

    1. Greybearded old scrote Silver badge

      Re: I.E.

      You forgot the Joke icon. Or maybe the troll.

  6. tiggity Silver badge

    bug page

    I went to look at the bug page, but gave up.

    Showed FA (as I have most JS off, just a few things whitelisted).

    Thought I'll give it the benefit of the doubt, but cautiously enabling one thing led to whole cascade chains of other scripts needed to view the page, so I gave up.

    .. I only wanted to find out if browsing with JS off protected you from the bug, but a bit of a catch-22 to find out

    Basically, if a web site does not show basic information without javascript enabled it can f*** right off

  7. iron Silver badge

    Other V8 Users?

    So how does this affect other platforms that incorporate V8, like Electron and Node.js, and all the software built on those platforms?

    Do they have patches available?

    1. Brewster's Angle Grinder Silver badge

      Re: Other V8 Users?

      It's only a problem if you're loading arbitrary javascript.

      That's probably not true for node. (Modulo someone smuggling it into an npm module.) But electron/nwjs might well be loading pages from the world wild web.

  8. fidodogbreath Silver badge

    "actively being abused by bad folks"

    Maybe they're just good folks who sometimes do bad things.

    /s

  9. IGotOut Silver badge

    And they want...

    ...you to allow the browser to talk directly to your external hardware.

    No thanks.

    1. Paul Crawford Silver badge

      Re: And they want...

      If I could upvote you a hundred times!

      Actually make it 404

    2. Arthur Daily

      Re: And they want...

      See https://copperhead.co/android/

      Why can't Google step up to the plate? I understand it can feed user pre-selected false bogus garbage to the mothership.

      Nah, maybe not for google who do not want to give end users actual security granularity, or deny tracking.

      So far, not a single app that will scramble secretive backchannel data exfiltrations. Nice to know botnets are now using this for C&C, as it gets past filtering.

  10. Version 1.0 Silver badge

    I just checked, Chrome says

    Google Chrome is up to date, Version 88.0.4324.150 (Official Build) (64-bit)

    Tomorrow's bugs will be fixed in a day or two.

  11. mickaroo
    Linux

    Mozilla Firefox

    I'm enjoying my moment of smugness...

    1. ovation1357

      Re: Mozilla Firefox

      I'm generally loving Firefox developer edition although it can be a bit of a resource hog (which isn't really any different from Chrome TBH).

      I was really chuffed to discover 'about:memory' the other day, which not only can give you a very detailed analysis of RAM usage but also has a button to minimise memory usage that actually seems to work.

  12. Pascal Monett Silver badge
    Thumb Down

    "the flaw exists in [..] Chromium's Javascript engine"

    Javascript, again.

    And again, and again.

    Just block JS by default and the Internet will be a safer place.

    NoScript FTW.

    1. Duncan Macdonald Silver badge
      FAIL

      Re: "the flaw exists in [..] Chromium's Javascript engine"

      The main problem with Javascript is that users have no way of knowing what the scripts on a page actually do. Try using the view source option (available on many browsers) on the Google home page - hundreds of lines of compressed Javascript some of which are over 500 characters long.

      Add to that dynamically chosen adverts that mean the source changes every minute and Javascript is a security nightmare even if there are no bugs in the browser.

      Icon for what Javascript has become =========================>

    2. bombastic bob Silver badge
      Megaphone

      Re: "the flaw exists in [..] Chromium's Javascript engine"

      blocking script is the only way to be "safe". Unfortunately a lot of sites break when you do this. Although I can avoid them 99% of the time, I still have a "special login" that runs without noscript, for those times when I have to cave to their nonsense.

      Hint to El Reg: Script is why ads should be showing up on my browser, but they don't. You could fix that, and ALSO show the world that you do NOT need script in ads. Win-Win

      1. Marco Fontani (Written by Reg staff)

        Re: "the flaw exists in [..] Chromium's Javascript engine"

        "Script is why ads should be showing up on my browser, but they don't."

        I fear that might be an ad blocker or an extension or something else, as most of our ad fragments contain a "noscript" tag which ought to deliver image-based ads to users with JS disabled.

        This is testable by actively disabling the browser's whole JS feature (i.e. "javascript.enable" set to false in FF's settings, or similar "javascript" set to "Off" in Chrome) and seeing that ads do indeed get delivered on a pristine browser in such a scenario.

        Some extensions break that scenario as while they do block scripts from being executed, they don't seem to also properly allow "noscript" tags to be executed :/

        If you want to block all JS, you can configure your browser to do just that. Noscript is something else, and it's much harder for us to work around (and show ads to people who want to keep JS "disabled" but would still be fine seeing ads).

    3. thejynxed

      Re: "the flaw exists in [..] Chromium's Javascript engine"

      Well, at least Eich apologized for the lax security standards in JS when he got raked over the coals about it on HackerNews and there actually are certain functions in the language that he would not add if he could go back and redo it. Unfortunately too much has been built on it and we're all royally shafted by every bad actor and advertising nitwit as a result.


Biting the hand that feeds IT © 1998–2021