Google is Rolling Out Chrome 102 with 32 Security Fixes, One Critical (zdnet.com) 10
This week Google began a rolling release for stable Chrome version 102 "with 32 security fixes for browser on Windows, Mac and Linux," reports ZDNet:
Chrome 102 for the desktop includes 32 security fixes reported to Google by external researchers. There's one critical flaw, while eight are high severity, nine are medium severity, and seven are low severity. Google also creates other fixes for issues found through internal testing...
The critical flaw, labelled as CVE-2022-1853, is a 'use after free in IndexedDB', an interface for applications to store data in a user's browser.... "My guess is that an attacker could construct a specially crafted website and take over the visitor's browser by manipulating the IndexedDB," says Pieter Arntz, a malware intelligence researcher at Malwarebytes. None of the flaws fixed in this Chrome 102 stable release were zero days, meaning flaws that were exploited before Google released a patch for it.
Google's Project Zero (GPZ) team last year counted 58 zero-day exploits for popular software in 2021. Twenty-five of these were in browsers, of which 14 affected Chrome. Google engineers argue zero-day counts are rising because vendors are improving detection, fixes and disclosure. However, GPZ researchers argue the industry as a whole is not making zero days hard enough for attackers, who often rely on tweaking existing flaws rather than being forced to conjure up entirely new exploitation methods.
Linux/Mac/Windows users of Chrome can check Help/About to see if the update has already rolled out to their system — or if they need to update manually.
Re: (Score:1)
I'd be happy if they could stop the random surges in CPU usage. It's so bad sometimes even with just a single tab open but idle on YouTube or Google News, my CPU is ramping up to 25% usage but fan is racing while CPU temperature climbs to 90 degrees.
Opening the same page in Edge doesn't seem to have the same CPU usage though, but I hate using it because all my randomly generated passwords for various websites are in Chrome.
Re: 102 releases (Score:2)
"None of the flaws (...) were zero days" (Score:1)
> None of the flaws fixed in this Chrome 102 stable release were zero days, meaning flaws that were exploited before Google released a patch for it.
This statement is not true. Axiomatically, all vulnerabilities are initially 0-days before they get discovered. The fact that no one observed them being exploited in the open doesn't prove in any way that they were not known about and exploited by any malicious actors.
Can we just have these guys shot? (Score:4, Insightful)
>The critical flaw, labelled as CVE-2022-1853, is a 'use after free in IndexedDB'
How the hell can you call yourself a programmer if you're spawning these obvious and readily detected bugs? If you're not competent to do it, your compiler or IDE should notify you very firmly. If you're not qualified to write C code, perhaps you should be writing in BASIC, although I understand that there are more modern languages that prevent the incompetent from using pointers.
Re: (Score:3)
> If you're not qualified to write C code
Well, it's C++, not C.
> How the hell can you call yourself a programmer if you're spawning these obvious and readily detected bugs?
UAF bugs like this are actually really common. They're also notoriously difficult to detect. This is not a solved problem. There's a lot of research right now that deals with finding UAF bugs via static analysis for a reason. They're easier to detect at runtime, which is what tools like AddressSanitizer do.
Speaking of, yes, there are tools to help you detect these but, like humans, they're not perfect. I would assume that using AddressSanitizer is standard operating procedure at Go
Re: (Score:2)
Why does the current generation believe that compilers are magical? Neither your compiler nor your IDE are going to catch UAF bugs. If you think your code is safe because Visual Studio doesn't complain, you should probably stop calling other developers "incompetent".
I am not exactly the current generation, and I know to check when a pointer is NULL, which it is definitely going to be when I've deallocated memory. I don't rely on the compiler being magical, although I sure would have enjoyed the brutality
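An added example, not part of any comment in this thread and not Chromium code: the sub-thread above disputes whether a NULL check after deallocation prevents a use-after-free. In this C++ sketch (`Record` and every function name are hypothetical), a stale aliasing pointer passes that check, while a `std::weak_ptr` reference reports that the object is gone.

```cpp
#include <iostream>
#include <memory>
#include <string>

struct Record { std::string key; };  // hypothetical stand-in for a stored object

// The pattern argued for in the thread: free the object, null the pointer.
// Returns true if a NULL check on a second, aliasing pointer still passes.
bool null_check_passes_on_stale_alias() {
    std::unique_ptr<Record> owner(new Record{"k1"});
    Record* alias = owner.get();  // second reference, e.g. held by a callback
    owner.reset();                // object freed; owner itself is now null
    // alias was never updated. It is only compared here, never dereferenced:
    // dereferencing it is the use-after-free that AddressSanitizer reports
    // at runtime and that the compiler accepts without complaint.
    return owner == nullptr && alias != nullptr;
}

// Hardened form: the second reference is a weak_ptr, which tracks lifetime.
// Returns the key while the object is alive, "<expired>" once it was freed.
std::string read_via_weak(const std::weak_ptr<Record>& ref) {
    if (std::shared_ptr<Record> live = ref.lock())  // keeps object alive in use
        return live->key;
    return "<expired>";
}

struct Outcome { std::string before; std::string after; };

// Reads through the weak reference before and after the owner frees the object.
Outcome weak_ref_tracks_lifetime() {
    std::shared_ptr<Record> owner = std::make_shared<Record>(Record{"k1"});
    std::weak_ptr<Record> ref = owner;
    Outcome o;
    o.before = read_via_weak(ref);
    owner.reset();                // last strong reference dropped, object freed
    o.after = read_via_weak(ref);
    return o;
}

int main() {
    std::cout << std::boolalpha
              << "NULL check passes on stale alias: "
              << null_check_passes_on_stale_alias() << "\n";
    Outcome o = weak_ref_tracks_lifetime();
    std::cout << "weak_ptr before free: " << o.before << "\n"
              << "weak_ptr after free:  " << o.after << "\n";
    return 0;
}
```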
And new features I bet. (Score:2)
I wish companies would stop adding new features and just fix issues.
Rolling out? (Score:1)
Chrome 1.0.2 if you measure in Mozilla years.