Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Chrome IT

Google Discloses Chrome Zero-Day Exploited in the Wild (zdnet.com) 17

Yesterday, on late Halloween night, Google engineers delivered the best scare of the evening and released an urgent update for the Chrome browser to patch an actively exploited zero-day. From a report: "Google is aware of reports that an exploit for CVE-2019-13720 exists in the wild," Google engineers said in a blog post announcing the new v78.0.3904.87 release. The actively-exploited zero-day was described as a use-aster-free bug in Chrome's audio component. Use-after-free vulnerabilities are memory corruption bugs that occur when an application tries to reference memory that was previously assigned to it but has been freed or deleted in the meantime. This usually causes a program to crash, but can also sometimes lead to other, unintended consequences, such as code execution scenarios. Google credited Anton Ivanov and Alexey Kulaev, two malware researchers from Kaspersky, with reporting the issue. According to a blog post published after this article's publication, Kaspersky said the zero-day was being used to install malware on user devices. It was being deployed on user devices via a Korean-language news portal.
This discussion has been archived. No new comments can be posted.

Google Discloses Chrome Zero-Day Exploited in the Wild

Comments Filter:
  • by Anonymous Coward
    While the headline is noteworthy, the patch v78.0.3904.87 release could have been more obvious to those of us who don't read the article.
    • It is to get you to go to the site and be manipulated and lied to in order to waste money on a criminal, called "advertiser", who paid the site do lure you in for him.

      So why would they put the key info in here?

      That said, be happy there is any info at all. Any information therein is purely an accident and imperfect profit optimization. ;)
      Competitors like BuzzFeed will out-compete them with empty buzz "news" soon enough.

  • WTF us "a use-aster-free bug"?

    Do they mean "use after free"?

    • Yup -they do.
    • "aster-free" means it doesn't use star-like characters such as "*". This is obviously a bug for password entry fields. They worked around this problem by displaying the word "hunter2" whenever a password is being typed.
  • Use-after-free is something that, for example, Valgrind reliably finds with good test cases. It can also in many case be avoided by simply zeroing memory after it is freed and causing non-exploitable crashes this way. Look to me like Google is doing things on the cheap here.

    • Just out of interest, have you any experience of doing what you are suggesting, you know, writing 'good tests' which help identify *all* of the exploitable problems in a code base? Not catching some of them, no, you need to catch all of them...

      I think you are over-simplifying the challenge if you honestly think it's a case of just writing 'good' tests...

      • When there is a simple test that can find a specific problem, the fact that not all problems can be found with it, is irrelevant.
      • by gweihir ( 88907 )

        You think wrongly. And yes, I have a few decades of experience in this space. I also did never imply that writing good test cases was easy, that was all your doing. And I never said anything about "all" exploitable code problems, that was you again. I was specifically talking about use-after-free and why its presence in some code is not a good sign.

        I have no idea how you arrived at the mess of a response you gave, but apparently you are not a rigorous thinker.

    • Use-after-free is something that, for example, Valgrind reliably finds with good test cases. It can also in many case be avoided by simply zeroing memory after it is freed and causing non-exploitable crashes this way. Look to me like Google is doing things on the cheap here.

      Chrome testing uses ASAN [github.com] builds (as do basically all Google products written in unsafe languages), so it must be that this UAF bug only appears on a rarely-used codepath. The test suite has very good coverage [googlesource.com] and chrome also has fairly good fuzzing coverage [appspot.com] but apparently both missed this case.

      • The test suite has very good coverage [googlesource.com]

        I think the numbers in that link are just an example; I mistook them for the current actual values. I'm not sure where to find the current values short of building and running Chromium and the test suite myself, so I don't know what they are. It's possible they aren't as good as those sample numbers.

  • Google disclosed Chrome ^_^
  • People bitch about "fractioning" e.g. of Linux, like having choice and adapting to individual needs is a bad thing.

    This is what will get them.

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...