Google issues third emergency fix for Chrome this year Google is issuing fixes for two vulnerabilities in its Chrome web browser, including one flaw that is already being exploited in the wild. The emergency updates the company issued this week impact the almost three billion users of its Chrome browser as well as those using other Chromium-based browsers, such as Microsoft Edge, …
practice "safe surfing". One aspect already mentioned, NOT surfing the web with administrator privileges
I go one step further - do not surf the web on a WINDOWS computer (and use NoScript type plugins whenever possible, especially when following links to sites you have not been to before and do not already trust and even THEN, limit what runs or sandbox the browser)
that, and not reading mail in HTML form - text only (does Micros~1 mail program use the chrome engine to display HTML mail? yeah NOBODY ever e-mails spam with vulnerabilities and/or script in them)
anyway, captain obvious for the rest of it
-> practice "safe surfing".
In practice this is impossible if you are going to browse the web at all. Practically every site these days slurps in great chunks of javascript from third-party web sites. You think you are being sensible browsing to somesafewebsite.com, but in the background it has included all manner of junk without you knowing about it (unless you look).
Another good reason to block all JavaScript by default.
Use NoScript on Firefox and ScriptSafe on Chrome.
Yes, it means that some websites are broken-by-default until you whitelist one of the umpteen-zillion javascript domains, but that's a price worth paying IMO.
It has the added side-effect that I don't need a blacklist-based adblocker or privacy guard, because all ads and tracking cookies are pulled in via Javascript. e.g. on the Reg, I am allowing scripts from "forums.theregister.com", but those that it tries to load from "securepubads.g.doubleclick.net", "googletagmanager.com" and "google-analytics.com" are thoroughly BLOCKED.
> So you use two browsers that could potentially have insecurities or flaws
"potentially" is better than *definitely*
Barely 3 weeks before this, we had CVE 2022-0609 (https://threatpost.com/google-chrome-zero-day-bugs-exploited-weeks-ahead-of-patch/179103/ -- you don't even need to click it; the URL says it all)
Almost always, 'type confusion' results from developer inattention. However any decent method library should trap such errors. Way back (40 odd years ago) we were writing validation wrappers around 'hazardous' C functions to do just that. The practice seems to have fallen by the wayside.
Until we've seen the bug, we don't really know what's gone on.
But Chrome is C++ so the compiler will tell them if they've got function invocation wrong. It's got to be a bit more subtle than that - probably concerned with one of the javascript interpreters or compilers.
"The Chrome updates will be applied in the coming days and weeks, with Chrome automatically installing them when the browser is closed and relaunched."
Which, of course, no-one in their right mind would allow. If I'm on a customer's network, the last thing I want to do is download updates or have some dumbass application decide to download them on its own.
While they are messing about with this, it would be nice if Google could fix a problem they have created on Chromebooks, where RealVNC's VNC Connect application is now broken. RealVNC hasn't changed anything, and it still works on all my other machines, but not on my Chromebook.
Seems it is a less problem according to reviews, the mots common being a failure to update. The 2nd most common looks to be ads making me wonder if that is the sign of an infection.
Beta is working. For now, I am reticent to clear the useful cache in the none working Chrome.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
