

Microsoft Finds Critical Hole In ChromeOS (theregister.com)

joshuark writes: Microsoft has found a bug in ChromeOS and given it a high vulnerability score of 9.8 out of 10. The bug was promptly fixed and, about a month later, merged into the ChromeOS code, then released on June 15, 2022. This is a reversal in that Google usually finds security bugs in software from Microsoft and other vendors after typically 90 days -- even if a patch had not been released -- in the interest of forcing companies to respond to security flaws more quickly. [...] The ChromeOS memory corruption vulnerability -- CVE-2022-2587 -- was particularly severe. As Jonathan Bar Or, a member of the Microsoft 365 Defender research team, explains in his post, the problem follows from the use of D-Bus, an Inter-Process-Communication (IPC) mechanism used in Linux. A D-Bus service called org.chromium.cras (for ChromiumOS Audio Server) provides a way to route audio to newly added peripherals like USB speakers and Bluetooth headsets. The service includes a function called SetPlayerIdentity, which accepts a string argument called identity as its input. And the function's C code calls out to strcpy in the standard library. Yes, strcpy, which is a dangerous function.
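The pattern the summary describes, written out as an added example that is not ChromeOS or CRAS code: a fixed-size identity buffer filled with strcpy from a string that arrived over IPC, beside a version that checks the length before copying. The struct, its field names, the buffer size and the function names are hypothetical.

```c
/* Added example, not ChromeOS/CRAS source. Names and sizes are hypothetical. */
#include <stdio.h>
#include <string.h>

#define IDENTITY_MAX 32          /* hypothetical fixed-size buffer */

struct player_state {
    char identity[IDENTITY_MAX];
    int  volume;                 /* lives right after the buffer, so an
                                    over-long copy would overwrite it */
};

/* Vulnerable pattern: the string came from another process over D-Bus,
 * but strcpy copies strlen(identity)+1 bytes no matter how long it is. */
void set_identity_unchecked(struct player_state *p, const char *identity)
{
    strcpy(p->identity, identity);
}

/* Hardened: find the terminator within the buffer size first, refuse
 * anything that does not fit, then copy exactly that many bytes and
 * terminate explicitly. Returns 0 on success, -1 if the input is rejected. */
int set_identity_checked(struct player_state *p, const char *identity)
{
    if (identity == NULL)
        return -1;
    const char *end = memchr(identity, '\0', IDENTITY_MAX);
    if (end == NULL)             /* no terminator in the first IDENTITY_MAX bytes */
        return -1;
    size_t len = (size_t)(end - identity);
    memcpy(p->identity, identity, len);
    p->identity[len] = '\0';
    return 0;
}

int main(void)
{
    struct player_state state = { .identity = "", .volume = 70 };
    /* Constructed inputs: one that fits, one 40 bytes long that does not. */
    int ok  = set_identity_checked(&state, "usb-speaker");
    int bad = set_identity_checked(&state,
              "0123456789012345678901234567890123456789");
    printf("short identity: %d (%s), long identity: %d, volume still %d\n",
           ok, state.identity, bad, state.volume);
    return 0;
}
```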

  • by syn3rg ( 530741 ) on Tuesday August 23, 2022 @01:27PM (#62814781) Homepage
    They helpfully turn to Chrome OS.
    • by rossdee ( 243626 )

      Yeah, there is a phrase, remove the beam from thine own eye before you remove the mote in God's eye

      or something like that

      • by shanen ( 462549 ) on Tuesday August 23, 2022 @01:56PM (#62814873) Homepage Journal

        Maybe they perceive ChromeOS as a competitive threat? (My initial reaction to the story.) One of my friends is sort of on the education side, and it seems like there's a pretty big battle going on between Microsoft's funky little computers and the Chromebooks. But I can remember when the schools were in Apple's territory (but my fuzzy impression now is that Apple has mostly overpriced themselves down to the richest schools).

        Having said that, I can't see why MS would be worried about ChromeOS. I bought a Chromebook some months ago and have pretty much given up trying to find anything that it is the best tool for. I still use it for various minor tasks, and I like the portability, but it doesn't seem to do anything well. However I'm not sure if I should blame the OS or Lenovo.

        So does anyone have any practical advice about how to configure a Duet as an Android tablet? When I had one of those it was pretty good for language study games. The smartphone screens are too small to stare at for a long time.

        • Maybe they perceive ChromeOS as a competitive threat?

          Google seems to use Project Zero as a PR tool, so it's not surprising Microsoft would do the same when it has a chance. The end result is more secure software, which is the main thing.

          • by shanen ( 462549 )

            More secure software? Have you looked around lately? Or even worse, have you tried to look deeply INTO (the eyes of) any of your apps these years?

            Or maybe you're going for funny again? If so, congratulations on the subtle humor.

            • by _merlin ( 160982 )

              The software is more secure if MS and Google hunt bugs in each others' products than if they weren't to do that. That doesn't mean it's any more or less secure than some arbitrary standard.

              • by shanen ( 462549 )

                I keep feeling like my main point is being ignored for the convenience of the reply. Maybe I should have backed all the way up to the question of liability.

                Or maybe I blame Microsoft too much for breaking the link between bad software and liability for the harms thereof? Would you agree that we would have extremely different software if the people who profited from selling it had to pay for the damages?

                • by _merlin ( 160982 )

                  Oh, I do think the current state of software is abysmal. I hate the whole "release broken, patch later" attitude. And then you don't want to update because you know it's going to break something else. Yes, I do think it would be a good thing if software vendors could be held to account for releasing software that isn't fit for purpose, or causing damage through negligence. Referring to most programmers as "software engineers" is an insult to engineers who have to design things that actually need work an

        • by tlhIngan ( 30335 )

          Or they want ChromeOS to succeed as well.

          You forget that Microsoft today is about services. ChromeOS is part of that plan, being able to participate in the Office365 ecosystem.

          While they'd love it if you used Windows and Office, they won't be terribly upset if you use Office365 instead.

          I'm sure during testing of Office365 on ChromeOS they found an odd thing they needed to report. After all, it affects them indirectly as well.

          • by shanen ( 462549 )

            Let Microsoft (or the google) stick a hand in my wallet? No thanks. It would only mean closely watching my wallet 365 days a year.

            But I don't really buy the premise of your argument. When a company has become that dominant, there is not much room for honest growth of profit, but the problematic demand for larger profits is never satiated.

      • The bug fixing department at Microsoft must be enormous, given the hundreds of millions they've produced over the years. Maybe they're a bit underutilised now IE's gone, so they've got time to look at other people's stuff.

    • Data point: While working for Microsoft at one of our enterprise customers I regularly helped that customer with their Chromebooks.

      Did we compete for the Chromebook business? Oh yes, absolutely. That said, once the kit was in place we worked with them to give their users a good experience.

      This is not Steve Ballmer's Microsoft.

  • Yes, strcpy, which is a dangerous function.

    The horror, won't someone think about the softwarze?

  • Updates (Score:4, Insightful)

    by Dwedit ( 232252 ) on Tuesday August 23, 2022 @01:45PM (#62814839) Homepage

    Now let's thank Google for continuing to provide browser updates for all Chrome OS devices regardless of age. Oh wait...

    • Oh, yeah, if you have an old PC Google now has a ChromeOS you can install on it.

      Unless it's a Chromebook.

      • by tudza ( 842161 )
        I installed ChromeOS Flex on a Chromebook that was no longer getting updates. Worked fine. Xubuntu worked a little better.
  • I like C++ because it lets me do what I want. If I want a copy without checking bounds because I know what the bounds are, it lets me do it. So one may say that C++ is a dangerous language. But it is people that are dangerous.
  • Microsoft found a bug!

    We should encourage them in their endeavors. Then maybe they will start looking for bugs in Windows...

  • Interestingly, this looks like ChromeOS's replacement for pulseaudio.
  • Google fixed things promptly, while MS sometimes does not have a fix out after 90 days. What is supposed to be reversed in this case?

  • OMG, next thing you know they used memcpy too!
