Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Microsoft Operating Systems

Microsoft Finds Critical Hole In ChromeOS (theregister.com) 31

joshuark writes: Microsoft has found a bug in ChromeOS and given it a high vulnerability 9.8 out of 10. The bug was promptly fixed and, about a month later, merged in ChromeOS code then released on June 15, 2022. This is a reversal in that Google usually finds security bugs in software from Microsoft and other vendors after typically 90 days -- even if a patch had not been released -- in the interest of forcing companies to respond to security flaws more quickly. [...] The ChromeOS memory corruption vulnerability -- CVE-2022-2587 -- was particularly severe. As Jonathan Bar Or, a member of the Microsoft 365 Defender research team, explains in his post, the problem follows from the use of D-Bus, an Inter-Process-Communication (IPC) mechanism used in Linux. A D-Bus service called org.chromium.cras (for ChromiumOS Audio Server) provides a way to route audio to newly added peripherals like USB speakers and Bluetooth headsets. The service includes a function called SetPlayerIdentity, which accepts a string argument called identity as its input. And the function's C code calls out to strcpy in the standard library. Yes, strcpy, which is a dangerous function.
This discussion has been archived. No new comments can be posted.

Microsoft Finds Critical Hole In ChromeOS

Comments Filter:
  • by syn3rg ( 530741 ) on Tuesday August 23, 2022 @12:27PM (#62814781) Homepage
    They helpfully turn to Chrome OS.
    • by rossdee ( 243626 )

      Yeah, there is a phrase, remove the beam from thine own eye before you remove the mote in gods eye

      or something like that

      • by shanen ( 462549 ) on Tuesday August 23, 2022 @12:56PM (#62814873) Homepage Journal

        Maybe they perceive ChromeOS as a competitive threat? (My initial reaction to the story.) One of my friends is sort of on the education side, and it seems like there's a pretty big battle going on between Microsoft's funky little computers and the Chromebooks. But I can remember when the schools were in Apple's territory (but my fuzzy impression now is that Apple has mostly overpriced themselves down to the richest schools).

        Having said that, I can't see why MS would be worried about ChromeOS. I bought a Chromebook some months ago and have pretty much given up trying to find anything that it is the best tool for. I still use it for various minor tasks, and I like the portability, but it doesn't seem to do anything well. However I'm not sure if I should blame the OS or Lenovo.

        So does anyone have any practical advice about how to configure a Duet as an Android tablet? When I had one of those it was pretty good for language study games. The smartphone screens are too small to stare it for a long time.

        • Maybe they perceive ChromeOS as a competitive threat?

          Google seems to use Project Zero as a PR tool, so it's not surprising Microsoft would do the same when it has a chance. The end result is more secure software, which is the main thing.

          • by shanen ( 462549 )

            More secure software? Have you looked around lately? Or even worse, have you tried to look deeply INTO (the eyes of) any of your apps these years?

            Or maybe you're going for funny again? If so, congratulations of the subtle humor.

            • by _merlin ( 160982 )

              The software is more secure if MS and Google hunt bugs in each others' products than if they weren't to do that. That doesn't mean it's any more or less secure than some arbitrary standard.

              • by shanen ( 462549 )

                I keep feeling like my main point is being ignored for the convenience of the reply. Maybe I should have backed all the way up to the question of liability.

                Or maybe I blame Microsoft too much for breaking the link between bad software and liability for the harms thereof? Would you agree that we would have extremely different software if the people who profited from selling it had to pay for the damages?

                • by _merlin ( 160982 )

                  Oh, I do think the current state of software is abysmal. I hate the whole "release broken, patch later" attitude. And then you don't want to update because you know it's going to break something else. Yes, I do think it would be a good thing if software vendors could be held to account for releasing software that isn't fit for purpose, or causing damage through negligence. Referring to most programmers as "software engineers" is an insult to engineers who have to design things that actually need work an

        • by tlhIngan ( 30335 )

          Or they want ChromeOS to succeed as well.

          You forget that Microsoft today is about services. ChromeOS is part of that plan, being able to participate in the Office365 ecosystem.

          While they'd love if you'd used Windows and Office, they won't be terribly upset if you use Office365 instead.

          I'm sure during testing of Office365 on ChromeOS they found an odd thing they needed to report. After all, it affects them indirectly as well.

          • by shanen ( 462549 )

            Let Microsoft (or the google) stick a hand in my wallet? No thanks. It would only mean closely watching my wallet 365 days a year.

            But I don't really buy the premise of your argument. When a company has become that dominant, there is not much room for honest growth of profit, but the problematic demand for larger profits is never satiated.

      • The bug fixing department at Microsoft must be enormous, given the hundreds of millions they've produced over the years. Maybe they're a bit under utilised now IE's gone, so they've got time to look at other people's stuff.

    • Re: (Score:3, Interesting)

      Comment removed based on user account deletion
    • Data point: While working for Microsoft at one of our enterprise customers I regularly helped that customer with their Chromebooks.

      Did we compete for the Chromebook business? Oh yes, absolutely. That said, once the kit was in place we worked with them to give their users a good experience.

      This is not Steve Balmer's Microsoft.

  • Yes, strcpy, which is a dangerous function.

    The horror, won't someone think about the softwarze?

  • Updates (Score:4, Insightful)

    by Dwedit ( 232252 ) on Tuesday August 23, 2022 @12:45PM (#62814839) Homepage

    Now let's thank Google for continuing to provide browser updates for all Chrome OS devices regardless of age. Oh wait...

    • Oh, yeah, if you have an old PC Google now has a ChromeOS you can install on it.

      Unless it's a Chromebook.

      • by tudza ( 842161 )
        I installed ChromeOS Flex on a Chromebook that was no longer getting updates. Worked fine. Xubuntu worked a little better.
  • I like C++ because it lets me do what I want. If I want a copy without checking bounds because I know what the bounds are, it lets me do it. So one may say that C++ is a dangerous language. But it is people that are dangerous.
  • Microsoft found a bug!

    We should encourage them in their endeavors. Then maybe they will start looking for bugs in Windows...

  • Interestingly, this looks like ChromeOS's replacement for pulseaudio.
  • Google fixed things promptly, while MS sometimes does not have a fix out after 90 days. What is supposed to be reversed in this case?

  • OMG, next thing you know they used memcpy too!

"The whole problem with the world is that fools and fanatics are always so certain of themselves, but wiser people so full of doubts." -- Bertrand Russell

Working...