Google Chrome Hit In Another Mysterious Zero-Day Attack (securityweek.com)
wiredmikey shares a report from SecurityWeek: Google late Tuesday shipped another urgent security patch for its dominant Chrome browser and warned that attackers are exploiting one of the zero-days in active attacks. This is the fourth in-the-wild Chrome zero-day discovered so far in 2021, and the continued absence of IOC data or any meaningful information about the attacks continues to raise eyebrows among security experts.
The newest Chrome update -- 90.0.4430.85 -- is available for Windows, Mac and Linux users and is being rolled out via the browser's automatic update mechanism. The vulnerability being exploited is identified as CVE-2021-21224 and simply described as a "type confusion" in the V8 Chrome rendering engine. Google credited the Jose Martinez (tr0y4) from VerSprite Inc. for reporting the vulnerability. "Google is aware of reports that exploits for CVE-2021-21224 exist in the wild," the company said, with no additional details.
Yay monoculture (Score:1)
I assume that other browsers based on the same rendering engine, such as Edge, are also vulnerable.
Re:Yay monoculture (Score:4, Informative)
Poorly written summary - it's not the 'rendering engine'. It's the scripting interpreter, V8.
But yes, I'm not aware Microsoft are still developing Chakra.
"type confusion" sounds like an unsafe cast.
Re: Yay monoculture (Score:2)
You already said that, when you said JavaScript. ;)
(Oh yeah, learn to do proper quotes! ;)
Re: Yay monoculture (Score:2)
I think you meant "Bruise Gender"
Re: Yay monoculture (Score:1)
Careful, the IETF might start demanding people call them "mismatched-but-not-inferior ambiguities"
So all Node.JS, Unity Games, etc. as well? (Score:3)
Re: (Score:3)
The difference is that the browser runs arbitrary code fed to it from random and potentially untrusted websites, whereas node.js and unity run specific code placed there by the game developer or server operator, so the risk profile is entirely different.
The consequences of making html5 too complex (Score:2, Insightful)
It gets worse because the auto update function in browser malfunctions a lot. If you look at the csv data on statcounter you can see a large amount of browsers stuck on old versions, as much as 15% of browsers are stuck this way.
Most
Re: The consequences of making html5 too complex (Score:4, Funny)
They are not web browsers anymore. They are just "reinventing the OS in a VM, badly".. :)
I always said somebody needs to turn VirtualBox or something into a browser. Give it a URL bar, to download your web app in a small disk image with some metadata file linking to an OS image URI/URL. The VM downloads the OS image if it isn't locally available, and that image has a snapshot. Then the VM copy-on-write-clones the snapshot to RAM, and uses the OS disk image in a unionfs with a writable image. Now it resumes the snapshot, mounts the webapp disk image, and starts the application in it in full screen. With everything cached this would be as fast as a normal website. The webapp could also reference other files and mount points for them.
And as a last step, allow those apps to have clickable links. And to let others link to parts of it. (Optional, but highly recommended.)
For legacy compatibility, an OS disk image for a HTML5 environment is always available.
There, you can kill all browsers now. And end this inner-platform effect charade.
Re: (Score:2)
Might want to look at Quebos system, they are doing something like that already.
Re: The consequences of making html5 too complex (Score:2)
I did.
Oh boy... They're doing *exactly* the most wrong thing possible ... as *is* the style of this generation, admittedly. ;)
A VM is not a security solution.
It is still an extremely complex and large API between the virtual hardware and the software inside. Just the x86 instruction set alone is enough to statistically guarantee exploitable bugs.
My suggestion was the exact opposite: It deliberately does not deal with security *at all*. That is a separate aspect for a separate piece of software that does that one
Update: (Score:2)
Update: I wrote the http/VM glue code yesterday.
It's not efficient yet since qemu makes hot swapping drives and live snapshots unnecessarily hard and limited, but it works.
Next up: Basic ability to click on links and get programs to react to URL anchors, a la Android "intents"...
Re: The consequences of making html5 too complex (Score:3)
No, actually, Google just wanted to kill competitors. It was never about the features. We already had those. It's called an OS.
Re: (Score:2)
You seem to be inventing “facts” to suit your predetermined narrative.
For instance, what does any of this have to do with HTML5? V8 is Chrome’s JavaScript engine [wikipedia.org]. This same bug could have presumably happened with any previous version of HTML. Calling out of HTML5 in particular makes it seem as if you have an axe to grind.
Likewise, Windows 98 debuted a few years after Microsoft had already adopted HTML and JavaScript, so your implication that these technologies were created because we wante
Re: (Score:2)
Well, HTML5 is a bit complex, but it's one of those necessary complexities. I mean, it really boils down back to the App vs. Web debate. Do you want to force everyone to watch Netflix using an app? Or to compartmentalize the internet into a series of apps? Or do you want it to be (somewhat*) open in that anyone with a web browser can access useful information, rather than the browser serving as a launch point to install and run a
Re: (Score:2)
Game consoles stopped including browsers because they made it too easy to pirate games with them.
Uhh, that doesn't sound right, the PS3 and PS4 had browsers, not sure about the 5, the XBox 360 had IE... do you have any reference to back this up? Genuinely curious here, I've never heard that claim before.
Re: (Score:2)
Key word "had".
Chrome No thanks (Score:1)
Re: (Score:1)
We don't have these problems with Lynx!
Re: Chrome No thanks (Score:2)
I don't have this problem with piping Ethernet frames to my blinkenlight!
Re: (Score:2)
Don't worry. Firefox will eventually include the same bugs as Chrome.
Very sensationalist headline (Score:2, Informative)
Mysterious zero-day, which is simply not true as there is a patch
Re: Very sensationalist headline (Score:5, Informative)
Zero-day means "on the day of release".
This implies it was exploited since day zero.
Certainly, the patch didn't come out at the day of release.
A patch doesn't go back in time and make it not exploited on day zero. It just stops it from the day you actually install the patch. (IFF it works. MS taught us it can also make it worse.)
Who pays for these security researches? (Score:2)
Re: (Score:3)
It appears to be a complex market full of brokers and even published prices. Linking to https://yro.slashdot.org/story/20/04/15/2129249/hackers-are-selling-a-critical-zoom-zero-day-exploit-for-500000 [slashdot.org] just as one data point, but a simple Google search reveals tons of sites and prices.
If you mean how white hats learn about these: many companies (I think Google included) even have rewards for that (it's after all finding bugs in their software), plus they have tons of programmers (just because it's their trad
Re: (Score:2)
That doesn't add up. Just think: maybe 1 in 100 researchers actually finds something. The other 99 could spend months and in the end get nothing.
Re: (Score:2)
Obviously these 99 (and probably the 100th one too) don't rely on getting a reward for a living if that's what you are getting at.
Re: Who pays for these security researches? (Score:2)
Not everyone needs to be paid to do a task if they find it fun. A lot of people see exploit hunting the same way other people might see doing a crossword puzzle, mountain climbing, or playing a PC game all day. It is fun to randomly go through bits of code and see what it does, how it works, and check for exploitability. There are so many tutorials and puzzles to teach and challenge you when it comes to looking for exploits.
Re: (Score:2)
That's all true, but to find exploits you require time, considerable time. We are talking testing this and that on a daily basis. You don't just find an exploit after spending an evening or two. New releases of C come out all the time, which again means you need to recheck etc. all the time.
This i
Welcome to your monoculture. (Score:2)
Chrome is the new Windows.
That's what you get for adding an endless stream of useless kitchen sinks just to kill all the competitors. Now they're not so useless anymore! ;)
Re: (Score:2)
I'm curious to know what Browser/OS you use that has never had a Zero-Day in its existence.
yeah, even Lynx had a few serious bugs. I don't know if any were ever exploited.
Re: (Score:2)
Chrome is the new Windows.
That's what you get for adding an endless stream of useless kitchen sinks just to kill all the competitors. Now they're not so useless anymore! ;)
Feel free to develop an alternative. We're waiting
When you try and do all this happens. (Score:1)
Re: (Score:2)
You do know that the core code of Chrome, Chromium, is open-source? And you do know that the V8 engine, where this bug exists, is also open-source? Heck, things like the Unity game engine and Node.JS use the opensource V8 to build off of.
Re: (Score:2)
Chrome is smaller than Linux.
Re: (Score:2)
I mean, Edge, Brave, Opera, Amazon Silk, and the Yandex company (among others) manage to do it. It's complex. But then again, most users of Linux just choose a distribution and go with it.
Re:When you try and do all this happens. (Score:5, Insightful)
What would be beneficial, is diversity in the market again.
When we had a split of marketshare between chrome/ie/firefox, browser exploits went down and attackers started targeting plugins like flash and java instead. They targeted these plugins because they were ubiquitous, you could write a single exploit to target all users with flash or you'd need to find several different exploits to target the various different browsers people were using.
Now that chrome has become the dominant browser, it's now become the prime target.
And yet still no updates for Mint (Score:2)
Latest version of Chromium available for Mint 20.1 remains at 89.0.4389.114.
The Jose Martinez? (Score:2)
butbutbut The Sandbox! (Score:2)
Chrome is superior to all others because it has a security sandbox. That's what they've always told us.
These are not the zero-days you're looking for...
OpenBSD pledge Chrome (Score:3)
I wonder if OpenBSD's hardened Chrome [undeadly.org] is vulnerable to these exploits.
OpenBSD's kernel is configured to kill any Chrome process that violates behavior prohibited by pledge().