
posted by martyb on Wednesday February 26 2020, @05:18AM
from the get-those-downloads-going dept.

Google said Monday it has patched a Chrome web browser zero-day bug being actively exploited in the wild. The flaw affects versions of Chrome running on the Windows, macOS and Linux platforms.

The zero-day vulnerability, tracked as CVE-2020-6418, is a type confusion bug rated high severity. Google said the flaw affects versions of Chrome before 80.0.3987.122. The bug is in V8, Chrome's open-source JavaScript and WebAssembly engine.

Technical details of CVE-2020-6418 are being withheld until the patch has reached a majority of affected Chrome installations, according to Google. Generally speaking, a type confusion bug arises when code accesses an object as if it were of one type when it is really another: field reads and writes then land at the wrong offsets, or attacker-controlled data gets treated as a pointer. That memory corruption is what an adversary can turn into arbitrary code execution on the targeted device.
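The mechanism described above, as an added example that is not code from the article or from Chromium/V8. It is written in C because V8 is native code; all names are hypothetical. A tagged "engine object" is either an integer or a string, and the bug is an accessor that assumes the string layout instead of checking the tag, so the integer's attacker-chosen bits come back as a pointer. A real engine would go on to dereference that pointer, which is the step that turns the confusion into memory corruption; the example stops short of that and only shows the confused value beside the checked accessor's refusal.

```c
/* Added example, not code from the article or from Chromium/V8.  All names
 * are hypothetical.  A tagged "engine object" is either an integer or a
 * string; the bug is an accessor that assumes the string layout instead of
 * checking the tag, so the integer's attacker-chosen bits are handed back
 * as a pointer.  A real engine would then dereference that pointer. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum obj_kind { KIND_INT = 1, KIND_STR = 2 };

struct obj {
    enum obj_kind kind;                                   /* the type tag */
    union {
        int64_t ivalue;                                   /* KIND_INT */
        struct { const char *chars; size_t len; } str;    /* KIND_STR */
    } u;
};

static struct obj make_int(int64_t v)
{
    struct obj o = { .kind = KIND_INT };
    o.u.ivalue = v;
    return o;
}

static struct obj make_str(const char *s, size_t n)
{
    struct obj o = { .kind = KIND_STR };
    o.u.str.chars = s;
    o.u.str.len = n;
    return o;
}

/* VULNERABLE: trusts the caller's assumption that o is a string. */
static const char *str_chars_unchecked(const struct obj *o)
{
    return o->u.str.chars;          /* no tag check: this is the confusion */
}

/* HARDENED: the tag is checked on every access; the wrong kind is refused. */
static const char *str_chars_checked(const struct obj *o)
{
    if (o->kind != KIND_STR)
        return NULL;                /* an engine would throw a TypeError here */
    return o->u.str.chars;
}

/* Pointer bits the unchecked accessor yields for an integer object holding v.
 * On a little-endian machine they equal v: the attacker picks the address. */
static uintptr_t confused_pointer_bits(int64_t v)
{
    struct obj o = make_int(v);
    return (uintptr_t)str_chars_unchecked(&o);
}

static int checked_rejects_int(void)
{
    struct obj o = make_int(7);
    return str_chars_checked(&o) == NULL;
}

static int checked_accepts_str(void)
{
    struct obj o = make_str("hello", 5);
    return str_chars_checked(&o) != NULL && o.u.str.len == 5;
}

int main(void)
{
    struct obj i = make_int(0x41414141);   /* constructed attacker value */
    printf("unchecked on int : %p  (attacker-chosen bits)\n",
           (void *)str_chars_unchecked(&i));
    printf("checked on int   : %p\n", (void *)str_chars_checked(&i));
    return 0;
}
```

The fix in engines is the same idea as `str_chars_checked`: every fast path that assumes a layout must either re-check the tag or be guarded by an invariant that the optimizer provably cannot invalidate; JIT bugs of this class are usually a missed or wrongly elided check, not a missing one in the interpreter.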

[...] Credited with finding the bug is researcher Clément Lecigne of Google's Threat Analysis Group.

Google is also warning users of two additional high-severity vulnerabilities. One, tracked as CVE-2020-6407, is an "out of bounds memory access in streams" bug. The other, which has no CVE assigned yet, is an integer overflow in ICU (the International Components for Unicode library Chrome uses for text handling); that class of flaw is commonly associated with denial of service and can lead to code execution when the overflowed value is used to size a buffer.
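Why an integer overflow in text-handling code is more than a wrong number, as an added example that is not code from the article or from ICU. Names are hypothetical and the 16-bit code unit mirrors UTF-16 only in width; the point is that a wrapped size calculation yields an allocation far smaller than the copy that follows, which is the denial-of-service or code-execution path the article alludes to. The checked form rejects the count instead of wrapping.

```c
/* Added example, not code from the article or from ICU.  Names are
 * hypothetical; the 16-bit code unit mirrors UTF-16 only in width.  It shows
 * why an integer overflow in a size calculation becomes a heap overflow and
 * what the checked form looks like. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t code_unit;                      /* 2 bytes per unit */

/* VULNERABLE: count * 2 wraps in 32 bits when count >= 2^31, so a huge
 * element count yields a tiny allocation. */
static uint32_t buffer_bytes_unchecked(uint32_t count)
{
    return count * (uint32_t)sizeof(code_unit);
}

/* HARDENED: refuse counts whose byte size cannot be represented. */
static int buffer_bytes_checked(uint32_t count, uint32_t *out)
{
    if (count > UINT32_MAX / sizeof(code_unit))
        return 0;                                /* overflow: report, don't wrap */
    *out = count * (uint32_t)sizeof(code_unit);
    return 1;
}

/* Bytes an element-by-element copy of `count` units actually writes.  The
 * difference from buffer_bytes_unchecked() is the write past the allocation:
 * a crash (denial of service) or, with heap grooming, corruption of
 * neighbouring objects. */
static uint64_t copy_bytes(uint32_t count)
{
    return (uint64_t)count * sizeof(code_unit);
}

/* Safe copy built on the checked size: returns a malloc'd copy or NULL. */
static code_unit *copy_units_checked(const code_unit *src, uint32_t count)
{
    uint32_t bytes;
    if (!buffer_bytes_checked(count, &bytes))
        return NULL;
    code_unit *dst = malloc(bytes ? bytes : 1);
    if (dst == NULL)
        return NULL;
    memcpy(dst, src, bytes);
    return dst;
}

/* Helpers for the checks below. */
static int checked_rejects_huge(void)
{
    uint32_t bytes = 0;
    return buffer_bytes_checked(0x80000001u, &bytes) == 0;
}

static uint32_t checked_size_of_100(void)
{
    uint32_t bytes = 0;
    return buffer_bytes_checked(100, &bytes) ? bytes : 0;
}

/* Copies a constructed 3-unit string and reports whether the copy matches. */
static int checked_copy_roundtrip(void)
{
    const code_unit sample[3] = { 0x0048, 0x0069, 0x00E9 };   /* constructed: "Hi" + e-acute */
    code_unit *c = copy_units_checked(sample, 3);
    int ok = c != NULL && memcmp(c, sample, sizeof sample) == 0;
    free(c);
    return ok;
}
```

With `count = 0x80000001` the unchecked path allocates 2 bytes while the copy writes 0x100000002 bytes; the checked path never allocates. The same pattern applies wherever a length in 32-bit units is multiplied by an element size before being handed to an allocator.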

Mitigation: Windows, Linux, and macOS users should update to the latest version of Chrome (80.0.3987.122 or later). Help > About Google Chrome shows the installed version and triggers the update check.

-- submitted from IRC


  • (Score: 1, Interesting) by Anonymous Coward on Wednesday February 26 2020, @09:16PM (1 child)

    by Anonymous Coward on Wednesday February 26 2020, @09:16PM (#963089)

    But nevertheless you just justified the entire reason why the companies want to be able to require you to upgrade their software or it will stop working and you have no choice in the matter. If it is a "this product does not work anymore until you press upgrade," then most people will press upgrade. Hopefully the malware writers' ability to fake that process (or fake it well enough to fool a larger number of people) is blunted somehow. From the corporate point of view they would rather have 5% bite on fake warnings and inoculate 95% than allow 15% of people to get infected in the wild with no upgrades.

    And I'm a big fan of allowing user choice to run insecurely if that is the user's choice (especially for low-security systems that don't do much of consequence but must have 100% uptime for the stupid shit they do....) But I can see why a company interested in protecting its brand wants to get as patriarchal as the users will allow.

  • (Score: 2) by barbara hudson on Wednesday February 26 2020, @10:07PM

    by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Wednesday February 26 2020, @10:07PM (#963154) Journal

    But I can see why a company interested in protecting its brand wants to get as patriarchal as the users will allow.

    What company is "protecting their brand" by lying about certs being expired this time? This whole exercise is stupid.

    --
    SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.