Chrome Security

U.S. Government: Update Chrome 80 Now, Multiple Security Concerns Confirmed (forbes.com) 54

Part of America's Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency (CISA) "has advised users to update Google Chrome as new high-rated security vulnerabilities have been found," reports Forbes:

In an April 1 posting, CISA confirmed that Google Chrome version 80.0.3987.162 "addresses vulnerabilities that an attacker could exploit to take control of an affected system," be that Windows, Mac or Linux. It went on to state that it "encourages" users and administrators to apply the update.

It's not just CISA that is warning about the need to update Google Chrome. The Center for Internet Security (CIS) is a non-profit entity that works to safeguard both private and public organizations against cyber threats. In a multi-state information sharing and analysis center (MS-ISAC) advisory, it has also warned of multiple vulnerabilities in Google Chrome.

The most severe of these could allow an attacker to achieve arbitrary code execution within the context of the browser... All it would take for an attacker to exploit the vulnerabilities is to get the user to visit, by way of a phishing attack or even redirection from a compromised site, a maliciously crafted web page.

Besides three high-rated vulnerabilities, Forbes reports that "a further five security vulnerabilities were discovered by the Google internal security team using a combination of internal audits and fuzzing."
This discussion has been archived. No new comments can be posted.
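
An added example (not from Forbes, CISA or Slashdot) of checking a fleet against the fixed build 80.0.3987.162 named in the summary. The inventory lines, host names and the "Google Chrome <version>" report format are constructed assumptions; versions are compared as integer tuples because a plain string comparison ranks 80.0.3987.99 above 80.0.3987.162.

```python
import re

# Fixed build named in the CISA posting quoted in the summary.
PATCHED = (80, 0, 3987, 162)

# Chrome versions are four dot-separated integers: major.minor.build.patch
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract a four-part Chrome version from free text, or None if absent."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def audit(inventory, patched=PATCHED):
    """Map each host to 'patched', 'outdated' or 'unknown'."""
    result = {}
    for line in inventory.strip().splitlines():
        host, _, reported = line.partition(",")
        version = parse_version(reported)
        if version is None:
            status = "unknown"      # no parseable version: needs a manual look
        elif version >= patched:    # tuple comparison, field by field
            status = "patched"
        else:
            status = "outdated"
        result[host.strip()] = status
    return result


# Constructed sample inventory (hypothetical hosts, assumed report format).
SAMPLE = """
ws-001, Google Chrome 80.0.3987.149
ws-002, Google Chrome 80.0.3987.162
ws-003, Google Chrome 80.0.3987.163
ws-004, Google Chrome 80.0.3987.99
ws-005, Google Chrome 79.0.3945.130
ws-006, not installed
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

A build of 80.0.3987.163, as one commenter below reports seeing, passes the check because it is at or above the fixed build.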

  • by NewtonsLaw ( 409638 ) on Saturday April 04, 2020 @06:47PM (#59908902)

    I started with Netscape Navigator 1.0 (way back in the day) and I've stuck with it all the way through to the latest version of Firefox.

    Yeah, it got really bad for a while but I dodged all the Internet Explorer crap and now I'm dodging the Chrome crap.

    Firefox is far from perfect but it works for me.

    • by williamyf ( 227051 ) on Saturday April 04, 2020 @06:54PM (#59908920)

      Lucky you, but a big percentage of users, both PC (desktop/laptop) and mobile (cellphone/tablet) use Chrome. Meanwhile, Firefox (ESR, which is what I use both in my Mac and in my phone) is used by a rather minuscule % of the users.

      So, it is quite important for Chrome to fix those security vulnerabilities. And it is not like Firefox is hack-proof. It has had its fair share of security vulnerabilities... so....

      • by markdavis ( 642305 ) on Saturday April 04, 2020 @10:30PM (#59909280)

        >"Lucky you, but a big percentage of users, both PC (desktop/laptop) and mobile (cellphone/tablet) use Chrome. Meanwhile, Firefox (ESR, which is what I use both in my Mac and in my phone) is used by a rather minuscule % of the users."

        And thus, the extreme danger of a browser monoculture; one of many, actually. It is up to geeks like us to encourage existence and use of alternatives. And since many bugs could be in the core, and almost all browsers now are actually just Chrome-in-disguise, Firefox is about the only alternative left.

    • by AHuxley ( 892839 )
      The people with ads to sell like browsers that support ads.
    • Comment removed based on user account deletion
    • by antdude ( 79039 )

      For me, I still use a suite product called SeaMonkey [seamonkey-project.org] based on old Netscape's products like Communicator.

    • More than half of all people browsing the internet. Congratulations on being different though.

    • I started with Netscape Navigator 1.0 (way back in the day) and I've stuck with it all the way through to the latest version of Firefox.

      Johnny-come-lately. I started GUI web browsing with Mosaic, and before that I used Lynx, and before that I used Gopher, although it wasn't technically a "web" browser.

    • I dodged all the Internet Explorer crap and now I'm dodging the Chrome crap.

      Soooo, just a couple of days later, Mozilla plugs two holes too, with the corresponding CISA advisory. Soooo... all browsers have holes....

      https://www.theregister.co.uk/... [theregister.co.uk]

  • The article cited gives a version of "80.0.3987.162"

    I just updated and I'm being shown "80.0.3987.163"

  • Where in the Constitution does it say the Federal government can tell us which browser to use?

    • Well, you have the 2nd amendment right to bear arms (because guns solve everything - and overthrowing a first world government with armed militia is very relevant and appropriate in the 21st century). Take out the head of the federal government and tell the government and the people to use lynx. It's free!

      Some Australian sarcasm for you...

    • Where in the Constitution does it say the Federal government can tell us which browser to use?

      They're just saying that the previous version broke something they needed to spy on us. Version 80 re-fixes that. Nothing to see here, upgrade and move along ... /tin-foil-hat

  • Figures (Score:1, Offtopic)

    by phantomfive ( 622387 )
    The US government finally figured out how China stole the bat virus from their lab. Of course, both of them stole it from my secret lab in Antarctica. I swear I'll never run a reactor on Windows2000 again, it's just a recipe for disaster.
  • Js (Score:4, Insightful)

    by funky_vibes ( 664942 ) on Saturday April 04, 2020 @07:03PM (#59908956) Homepage

    The glaring concern is that javascript is still active by default.

    • The glaring concern is that javascript is still active by default.

      Hardly. Most Javascript is benign, and the remainder only affects people's privacy. And the last person who cared about that told me so on Facebook.

      • You must be joking, JS is the biggest mistake of the whole internet. Computers are being taken over fully via general JS exploits nowadays and there's nothing to stop it from happening, since the problems are conceptually inherent. People are losing their life savings and getting scammed. You can no longer trust any computer that has been used with a browser and it's all because of JS.

        Security 101: You lose as soon as you run untrusted code.
        This hasn't changed just because someone lied to you about being ab

  • is that more like the NSA or GCHQ?
  • by WoodstockJeff ( 568111 ) on Saturday April 04, 2020 @08:08PM (#59909078) Homepage

    The problem with updating nowadays is that it really doesn't reduce the number of dangerous bugs, since none of the vendors can manage to avoid introducing new, under-tested "features" with each bug fix release.

    When were these particular vulnerabilities put in the code base? Why was the code they were in introduced into Chrome? Was that code to fix something, or to add something?

    • by micheas ( 231635 )
      It doesn't really matter. Chrome self-updates.
    • The problem with updating nowadays is that it really doesn't reduce the number of dangerous bugs, since none of the vendors can manage to avoid introducing new, under-tested "features" with each bug fix release.

      If you used Firefox ESR like me, you would get a full year of security patches, but no upgrades or new features. It is better than most browsers in that regard.

  • Every damn update, they f*ck up something around the address bar.

    • by Twinbee ( 767046 )
      In the Chrome shortcut's Properties->Shortcut->Target field, I have edited to:

      "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-features=OmniboxUIExperimentHideSteadyStateUrlScheme,OmniboxUIExperimentHideSteadyStateUrlTrivialSubdomains

      And the URL appears in full ALWAYS instead of being truncated depending on context.

      You're welcome.
      • You might want to add this parameter for security as well;

        --js-flags=--noexpose_wasm

        "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --js-flags=--noexpose_wasm --disable-features=OmniboxUIExperimentHideSteadyStateUrlScheme,OmniboxUIExperimentHideSteadyStateUrlTrivialSubdomains
  • I have never liked Chrome from the start. Don't like the set-up, been a memory hog and sends too much info back to company. I don't use it!
  • by crazy blade ( 519548 ) on Sunday April 05, 2020 @09:48AM (#59910196)

    Why not just add some other options in a national advisory? And not just firefox, any alternative that does not have glaring security holes would do.

  • I generally use Firefox but I do keep Chromium (not Chrome) around for Google stuff: gmail, youtube, etc...

    I'm going to assume that Chromium is affected as well, but would be nice to know for sure...

  • How does one even update Chrome? It updates itself. Is this really telling people to update Chrome or is it telling type A control freaks to stop disabling automatic updates?

    • Use the 3dot menu in the upper right, and go to Help->About Google Chrome.

      It will immediately do an update check and begin the self update if one is available. Otherwise it will tell you it's up to date.
