U.S. Government: Update Chrome 80 Now, Multiple Security Concerns Confirmed (forbes.com)
Part of America's Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency (CISA) "has advised users to update Google Chrome as new high-rated security vulnerabilities have been found," reports Forbes: In an April 1 posting, CISA confirmed that Google Chrome version 80.0.3987.162 "addresses vulnerabilities that an attacker could exploit to take control of an affected system," be that Windows, Mac or Linux. It went on to state that it "encourages" users and administrators to apply the update. It's not just CISA that is warning about the need to update Google Chrome. The Center for Internet Security (CIS) is a non-profit entity that works to safeguard both private and public organizations against cyber threats. In a multi-state information sharing and analysis center (MS-ISAC) advisory, it has also warned of multiple vulnerabilities in Google Chrome.
The most severe of these could allow an attacker to achieve arbitrary code execution within the context of the browser... All it would take for an attacker to exploit the vulnerabilities is to get the user to visit, by way of a phishing attack or even redirection from a compromised site, a maliciously crafted web page.
Beside three high-rated vulnerabilities, Forbes reports that "a further five security vulnerabilities were discovered by the Google internal security team using a combination of internal audits and fuzzing."
Most browsers tend to be forks of (or at least use) Chromium's library, Gecko, Trident or Webkit. I wouldn't consider changing the front end to those rendering engines to be much of a polyculture.
And good luck writing a custom one, it's pretty monumental.
Trident? It's dead, Jim. And Blink (Chrome, Chromium, Edge, Brave, Opera) is a fork of WebKit, so might have a lot of bugs in common. There's really just two modern, independent implementations left.
>"There's really just two modern, independent implementations left [of webkit]."
There are really only two, modern, multiplatform, open source browsers left at all: Chrom* and Firefox. Google has "infected" just about every browser in use that isn't Firefox. That is what is scary. Very scary. In addition to a HUGE threat to privacy and open standards, it is a security nightmare timebomb ticking away....
Funny how that was what everyone said about Internet Explorer, 15 years ago, and Sir Googlehad on his chrome horse was coming to save the world. As they say, power corrupts.
> "There's really just two modern, independent implementations left [of webkit]"
No, that's not what I wrote so stop rewriting it... the OP listed four, I said Trident is dead and "Chromium's library" and WebKit are really the same. That leaves two, Gecko and whatever you'd like to call the other one.
> No, that's not what I wrote so stop rewriting it...
Sorry, didn't mean to put words in your mouth. The brackets are meant to clarify what I thought, not what you wrote. Thanks for clarifying that I misread. I should have put the ending quotation mark before the first bracket.
Unfortunately, there are a few websites that work only with Chrome.
I use Firefox for almost all of my web browsing needs, but there are some websites that just don't work with anything but Chrome. So I reluctantly load Chrome on the occasions that I need to access those sites. (One of them is the site that I use to order some supplies for my business, so it's not like I have much of an option there.)
Vivaldi/Opera is also based on Chromium. The only different renderers are the Firefox-based browser lines.
Second, if you're the customer, you get to voice your unhappiness. They may not do anything, but not voicing it will certainly not bring about change, and sometimes it's just laziness that leads to the wording "only for Chrome"...
In one case of a site that doesn't work with Firefox, it's the ordering site for Pepsi where I go to order cases of soda pop and water and such. The site belongs to Pepsi itself, not a third-party dealer, so I assume everyone in North America orders from that site.
To log into it you need to click on "log in" and a box pops up to enter your username and password. That box will not, under any circumstances, pop up when you click "log in" on Firefox. Nothing happens at all. With Chrome, it just works.
I started with Netscape Navigator 1.0 (way back in the day) and I've stuck with it all the way through to the latest version of Firefox.
Yeah, it got really bad for a while but I dodged all the Internet Explorer crap and now I'm dodging the Chrome crap.
Firefox is far from perfect but it works for me.
Lucky you, but a big percentage of users, both PC (desktop/laptop) and mobile (cellphone/tablet) use chrome. Meanwhile, firefox (ESR, which is what I use both in my mac and in my phone) is used by a rather minuscule % of the users.
So, it is quite important for chrome to fix those security vulnerabilities. And it is not like firefox is hack-proof. It has had its fair share of security vulnerabilities... so....
>"Lucky you, but a big percentage of users, both PC (desktop/laptop) and mobile (cellphone/tablet) use chrome. Meanwhile, firefox (ESR, which is what I use both in my mac and in my phone) is used by a rather minuscule % of the users."
And thus, the extreme danger of a browser monoculture; one of many, actually. It is up to geeks like us to encourage existence and use of alternatives. And since many bugs could be in the core, and almost all browsers now are actually just Chrome-in-disguise, Firefox is about the only alternative left.
For me, I still use a suite product called SeaMonkey [seamonkey-project.org] based on old Netscape's products like Communicator.
More than half of all people browsing the internet. Congratulations on being different though.
Johnny-come-lately. I started GUI web browsing with Mosaic and before that I used Lynx, and before that I used Gopher, although it wasn't technically a "web" browser.
The article cited gives a version of "80.0.3987.162"
I just updated and I'm being shown "80.0.3987.163"
Where in the Constitution does it say the Federal government can tell us which browser to use?
Well, you have the 2nd amendment right to bear arms (because guns solve everything - and overthrowing a first world government with armed militia is very relevant and appropriate in the 21st century). Take out the head of the federal government and tell the government and the people to use lynx. It's free!
Some Australian sarcasm for you...
> Where in the Constitution does it say the Federal government can tell us which browser to use?
They're just saying that the previous version broke something they needed to spy on us. Version 80 re-fixes that. Nothing to see here, upgrade and move along
... /tin-foil-hat
The glaring concern is that javascript is still active by default.
> The glaring concern is that javascript is still active by default.
Hardly. Most Javascript is benign, and the remainder only affects people's privacy. And the last person who cared about that told me so on Facebook.
The problem with updating nowadays is that it really doesn't reduce the number of dangerous bugs, since none of the vendors can manage to avoid introducing new, under-tested "features" with each bug fix release.
When were these particular vulnerabilities put in the code base? Why was the code they were in introduced into Chrome? Was that code to fix something, or to add something?
Every damn update, they f*ck up something around the address bar.
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --disable-features=OmniboxUIExperimentHideSteadyStateUrlScheme,OmniboxUIExperimentHideSteadyStateUrlTrivialSubdomains
And the URL appears in full ALWAYS instead of being truncated depending on context.
You're welcome.
--js-flags=--noexpose_wasm
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --js-flags=--noexpose_wasm --disable-features=OmniboxUIExperimentHideSteadyStateUrlScheme,OmniboxUIExperimentHideSteadyStateUrlTrivialSubdomains
Why not just add some other options in a national advisory? And not just firefox, any alternative that does not have glaring security holes would do.
I generally use Firefox but I do keep Chromium (not Chrome) around for Google stuff: gmail, youtube, etc...
I'm going to assume that Chromium is affected as well, but would be nice to know for sure...
How does one even update Chrome? It updates itself. Is this really telling people to update Chrome or is telling type A control freaks to stop disabling automatic updates?
Use the 3dot menu in the upper right, and go to Help->About Google Chrome.
It will immediately do an update check and begin the self update if one is available. Otherwise it will tell you it's up to date.