
SoylentNews is people

posted by martyb on Wednesday February 26 2020, @05:18AM   Printer-friendly
from the get-those-downloads-going dept.

Google said Monday it has patched a Chrome web browser zero-day bug being actively exploited in the wild. The flaw affects versions of Chrome running on the Windows, macOS and Linux platforms.

The zero-day vulnerability, tracked as CVE-2020-6418, is a type confusion bug and has a severity rating of high. Google said the flaw impacts versions of Chrome released before version 80.0.3987.122. The bug is tied to Chrome's open-source JavaScript and WebAssembly engine, called V8.

Technical details of CVE-2020-6418 are being withheld pending patch deployment to a majority of affected versions of the Chrome browser, according to Google. Generally speaking, memory corruption vulnerabilities occur when memory is altered without explicit data assignments, triggering programming errors that enable an adversary to execute arbitrary code on targeted devices.

[...] Credited for finding the bug is Google's Threat Analysis Group and researcher Clément Lecigne.

Google is also warning users of two additional high-severity vulnerabilities. One, tracked as CVE-2020-6407, is an "out of bounds memory access in streams" bug. The other bug, which does not have a CVE assignment, is a flaw tied to an integer overflow in ICU, a flaw commonly associated with triggering a denial of service and possibly code execution.

Mitigation includes Windows, Linux, and macOS users downloading and installing the latest version of Chrome.

-- submitted from IRC


  • (Score: 4, Interesting) by barbara hudson on Wednesday February 26 2020, @05:24AM (5 children)

    by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Wednesday February 26 2020, @05:24AM (#962728) Journal

    Mitigation includes Windows, Linux, and macOS users downloading and installing the latest version of Chrome

    Google will still abuse their near-monopoly. A better fix is to just delete Chrome. Come on, you know part of you wants to not be evil. :-)

    --
    SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
    • (Score: 4, Interesting) by black6host on Wednesday February 26 2020, @05:29AM (2 children)

      by black6host (3827) on Wednesday February 26 2020, @05:29AM (#962729) Journal

      My mother, the librarian you do want to send phishing emails to, doesn't know that such exploits exist, or that they have been acknowledged by Google, or that there is a new version for her to download, or even how to do so. I'm afraid that she, like many, is flying in the dark, so to speak. I'm sure an upgrade will come her way eventually, after she clicks on the latest "download now" button that she can find. Whether or not that is the right button to click on is unbeknownst to me, her or most.

      • (Score: 1, Interesting) by Anonymous Coward on Wednesday February 26 2020, @09:16PM (1 child)

        by Anonymous Coward on Wednesday February 26 2020, @09:16PM (#963089)

        But nevertheless you just justified the entire reason why the companies want to be able to require you to upgrade their software or it will stop working and you have no choice in the matter. If it is a "this product does not work anymore until you press upgrade," then most people will press upgrade. Hopefully the malware writers' ability to fake that process (or fake it well enough to fool a larger amount of people) is blunted somehow. From the corporate point of view they would rather have 5% bite on fake warnings and inoculate 95% than allow 15% of people to get infected in the wild with no upgrades.

        And I'm a big fan of allowing user choice to run insecurely if that is the user's choice (especially for low-security systems that don't do much of consequence but must have 100% uptime for the stupid shit they do....) But I can see why a company interested in protecting its brand wants to get as patriarchal as the users will allow.

        • (Score: 2) by barbara hudson on Wednesday February 26 2020, @10:07PM

          by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Wednesday February 26 2020, @10:07PM (#963154) Journal

          But I can see why a company interested in protecting its brand wants to get as patriarchal as the users will allow.

          What company is "protecting their brand" by lying about certs being expired this time? This whole exercise is stupid.

          --
          SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
    • (Score: 0) by Anonymous Coward on Wednesday February 26 2020, @11:56AM (1 child)

      by Anonymous Coward on Wednesday February 26 2020, @11:56AM (#962799)

      An iOS user complaining about web browser monopoly!

      You first, delete Safari from your iPhone.

      • (Score: 2) by barbara hudson on Wednesday February 26 2020, @10:11PM

        by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Wednesday February 26 2020, @10:11PM (#963160) Journal

        An iOS user complaining about web browser monopoly!

        You first, delete Safari from your iPhone.

        Why - mine works. Crappily, but it works.

        Same as Firefox and links work on my laptop.

        Lynx not so much.

        And no, I don't have any Google products installed anywhere, and I don't use any google services anywhere. They're on my shitlist, along with Facebook and Twitter. The three are spyware, and both Facebook and Twitter ban people with low vision attempting to access their site using links in violation of the law.

        --
        SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.