Google: Chrome Zero-Day Was Used Together With a Windows 7 Zero-Day (zdnet.com)
Google said this week that a Chrome zero-day the company patched last week was actually used together with a second one, a zero-day impacting the Microsoft Windows 7 operating system. From a report: The two zero-days were part of ongoing cyber-attacks that Clement Lecigne, a member of Google's Threat Analysis Group, discovered last week on February 27. The attackers were using a combination of Chrome and Windows 7 zero-days to execute malicious code and take over vulnerable systems. The company revealed the true severity of these attacks in a blog post this week. Google said that Microsoft is working on a fix, but did not give out a timeline. The company's blog post comes to put more clarity into a confusing timeline of events that started last Friday, March 1, when Google released Chrome 72.0.3626.121, a new Chrome version that included one solitary security fix (CVE-2019-5786) for Chrome's FileReader, a web API that lets websites and web apps read the contents of files stored on the user's computer.
Re: (Score:2)
1990's Internet Explorer, A small light weight browser (Compared to the giant of Netscape Communicator) that supports the standards and renders quickly.
2000's Firefox, A small light weight browser (Compared to Internet Explorer) that is secure, supports the standards and renders quickly.
2010's Chrome, A small light weight browser (Compared to Firefox) that is secure, supports the standards and renders quickly.
It seems that the people want a Secure, Small Light weight browser, that supports the standards and
Re:Browser, everything and the kitchen sink (Score:5, Informative)
Firefox was never about being small and light weight, it was about being able to render websites faster and in a standard compliant way.
I hate to correct you, cause on other points you are right, but no.
Firefox came as spin-off from the Mozilla suite. Mozilla targeted compliant browsing.
Firefox was from day one meant as a light weight browser with only one feature: browsing websites. No composer, no e-mail, no fancies and initially not even plugins. Low on memory. Low on megabytes of code. Fast.
From there it went its own way exactly as parent poster described.
Re: (Score:2)
Firefox was from day one meant as a light weight browser with only one feature: browsing websites. No composer, no e-mail, no fancies and initially not even plugins. Low on memory. Low on megabytes of code. Fast.
Kind of. Firefox was intended to be much lighter than the Mozilla Suite, true, but remember that the Mozilla Suite was a single application that included NNTP and email clients, a WYSIWYG HTML editor/web site construction tool, an IRC client and more. Oh, and a web browser. Firefox was intended to be lighter not because it was supposed to be some sort of uber-minimal browser, but because it was intended to be only a browser, and not all of those other things. True, it didn't support plugins, but that was
Re: (Score:2)
The whole point of Firefox is that it was supposed to be a "platform"... but one which was lightweight, and you added in more functionality. But people gave them too many donations so they spent millions of dollars buying pocket and then building it right into the browser instead of making it an add-on. In principle, Firefox makes Mozilla deserving of donations. In practice, if you give them money, they spend it fucking up the browser.
Re: (Score:2)
The whole point of Firefox is that it was supposed to be a "platform"... but one which was lightweight, and you added in more functionality.
Not initially.
Re: (Score:2)
That was back when it was called Phoenix (which I made my default browser back in the day). Phoenix started losing the plot shortly after the re-branding to Firefox, and Firefox 2.0 was when things really started going downhill.
Re: (Score:2)
Thanks for the correction, you are of course right. I completely forgot that Mozilla came in between in the popular browser development.
Re: (Score:1)
No one noticed when SP3 turned XP to shit, so why do you think they would have noticed if a hypothetical SP2 turned 7 to shit?
Re: Browser, everything and the kitchen sink (Score:1)
Because he's a nutbag
Maybe they could also scan to identify (Score:2)
the twitter command and control accounts of botnets/terrorists...
Scanning for vulnerabilities is a start, but eliminating the accounts is probably a whole other kettle of fish.
It happened when Windows 7 is still supported (Score:2)
Re: (Score:1)
microsoft has released out-of-band updates for so-called 'unsupported' and end-of-life versions in the past... but, microsoft should just quit squeezing more money out of windows 7 users (the upcoming penalty for not signing-on to windows 10 and its extra revenue streams for microsoft) and just extend the support date by the three years that 'paid' updates will be available for... make it and 8.1 the same.... and then FIX the piece of shit that is windows 10 in the next three and a half years... i.e. the
Re: It happened when Windows 7 is still supported (Score:1)
Or just switch to linux mint or mac and be done with microsoft.
Mission Accomplished (Score:2)
If another large security hole opens up after EOL, Microsoft will just say we told you so and tell you go get Windows 10. There WILL be a large security incident a few years from now because too many people are using unsupported systems.
I see Google has successfully managed to get some people to already forget about their own zero-day bug here. You know, the Google bug which gave attackers remote access to the Windows 7 computers in the first place.
The Windows bug was a local privilege escalation attack. It needs to be fixed, but the Google Chrome bug was the bigger issue here.
Re: (Score:2)
Nope, Chrome works fine on our lab's Linux blades
Why would we downgrade them to Windows 10?
Am I the only one who thinks "zero-day" sounds.... (Score:2)
needlessly jargony?
Why not say what it is in plain English... a newly discovered or previously unheard of exploit or vulnerability.
And if it's not that, then it's not zero-day, by definition.
Re: (Score:2)
The problem with "0-day", is, as I said, that it sounds like jargon... like a buzzword that people overuse when they want to invoke an emotional reaction to the concept rather than using regular English words to say the same thing.
Calling it a newly discovered exploit instead of a 0-day exploit is both more informative by virtue of being in plain English and doesn't come across as trying to push some agenda for software that detects and removes malware.
Re: (Score:2, Insightful)
You are both wrong.
'Zero-Day' describes that the exploit was previously unknown, and that it took zero days for it to be exploited.
Instead of "we found a bug, let's hope it gets patched before someone writes code to exploit it", zero-day describes "OMG what is this code doing!? look it's using a previously unknown bug!"
"Newly discovered" does not adequately describe the situation.
There is clearly etymological room for a different term, even if it does sound like a buzzword.
Re: (Score:2)
It entirely adequately describes it.... "0-day" is just jargon for "new", which by definition means it wasn't around before. It just happens to mean it was discovered on the day that the developers knew about the exploit, but if the developers actually already knew about the exploit, then it isn't really new, is it?
Worse, "0-day" can suggest to a person unfamiliar with the precise definition that the exploit was discovered less than one day after the relevant software had been most recently updated, which o
Re: (Score:1)
Except an exploit using a bug in the wild isn't new, even if a developer was unaware of it--and it's not even given that such is true, as the bugs might actually be fixed already in the internal branch. There's also the point that it might not be "a" new exploit but a host of them, leveraging one or more bugs--implementation or design ones. Further, an exploit that exists but isn't being actively used isn't 0-day. All the above applies to "previously unknown".
Don't get me wrong: I think 0-day is a prett
Re: (Score:2)
Exactly, so why bother with the jargon? "New" is plain English, 0-day is jargon. It obfuscates what is being talked about and sounds like it's trying to grab headlines by using a fancy buzzword.
Re: (Score:2)
Obviously it's 0 days since discovery, because if it was actually discovered before that, then it's not new... it would be a "known exploit" instead of a "new exploit". And how do you figure that "0-day" is shorter than "new"?
By itself, the expression "0-day exploit" on some software X might suggest, following simply an English definition of the words, an exploit that was discovered less than 1 day after the most recent update to software X. That's not what the term actually means, however, and it's
Re: (Score:2)
"New" is plain English... "0-day" is a technical term that has a particular meaning which is not necessarily intuitively grasped from context, and as I have argued, is therefore more ambiguous.
But my opening question has been answered... apparently it is just me.
Re: (Score:2)
No, it has not... it has only been used in the context of exploits since the late 1990's. Go ahead... try and find a single reference to "0-day" used in the context of exploits or hacking before 1998.
Prior to this, the expression was only applied to copyright infringement, and specifically referred to any (pirated) c
Anyone know how to check infection? (Score:2)
So, I've got a Windows 10 box, that apparently Chrome can't update itself on, instead giving this message:
https://twitter.com/MrDanack/s... [twitter.com]
Which is obviously not a good sign as blocking the security updates seems like a thing an infection would like to do.
Anyone know of how to tell if a box is actually infected or not?
Re: (Score:1)
It has Windows 10, it is infected. Don't you mean how to tell if there also is a competing product on the box?
Re: (Score:2)
So, I've got a Windows 10 box, that apparently Chrome can't update itself on, [...]
Anyone know of how to tell if a box is actually infected or not?
You're running a browser that phones home to Google on a system that phones home to Microsoft. The answer is yes. Your box is actually infected with at least two trojans that you deliberately chose to have it infected with.
why does browser need api to read my files? (Score:1)
What is the use case to have a browser expose some API for random websites to read files on user computer? Or what is this API if not that?
Use after free ... of course (Score:2)
People keep telling me tools will help prevent this kind of shit for C(++). Google has fuzzers and memory checker tools out the ass, still these bugs get through.
Re: (Score:2)
use shared_ptr and vectors
C++ does have features to prevent it (Score:2)
If people were to use shared_ptr, vectors and std::string many of these errors could be prevented.
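As an added example (not code from this thread, from Chrome, or from the CVE-2019-5786 fix), the lifetime problem behind use-after-free bugs and the smart-pointer approach suggested in the last two comments can be shown with a deferred callback. `TaskQueue`, `Buffer`, `post_owning` and `post_observing` are hypothetical names, and the buffers are constructed sample data.

```cpp
#include <functional>
#include <memory>
#include <string>
#include <vector>

using Buffer = std::vector<unsigned char>;

// Stand-in for an event loop: callbacks run later, after the caller may
// already have dropped its own reference to the data they touch.
struct TaskQueue {
    std::vector<std::function<std::string()>> tasks;
    std::vector<std::string> run_all() {
        std::vector<std::string> results;
        for (auto& t : tasks) results.push_back(t());
        tasks.clear();
        return results;
    }
};

// Owning capture: the callback shares ownership, so the buffer stays alive
// until the callback itself is destroyed. A raw Buffer* captured here
// instead would dangle once the owner released the buffer.
void post_owning(TaskQueue& q, std::shared_ptr<Buffer> buf) {
    q.tasks.push_back([buf] {
        return "read " + std::to_string(buf->size()) + " bytes";
    });
}

// Observing capture: the callback does not extend the lifetime, but lock()
// reports whether the buffer still exists before any access is made.
void post_observing(TaskQueue& q, std::weak_ptr<Buffer> buf) {
    q.tasks.push_back([buf] {
        if (auto live = buf.lock())
            return "read " + std::to_string(live->size()) + " bytes";
        return std::string("buffer gone, read skipped");
    });
}

// Scenario: the owner releases both buffers before the queued callbacks run.
std::vector<std::string> release_then_run() {
    TaskQueue q;
    auto kept = std::make_shared<Buffer>(16, 0x41);     // constructed data
    auto dropped = std::make_shared<Buffer>(32, 0x42);  // constructed data
    post_owning(q, kept);
    post_observing(q, dropped);
    kept.reset();     // callback still holds a reference: buffer survives
    dropped.reset();  // last owner gone: buffer freed, weak_ptr expires
    return q.run_all();
}
```

Smart pointers only help where every path that touches the object goes through them; a raw pointer or reference taken from `get()` and stored elsewhere reintroduces the same lifetime bug.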