Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Windows Chrome Security

Google: Chrome Zero-Day Was Used Together With a Windows 7 Zero-Day (zdnet.com) 56

Google said this week that a Chrome zero-day the company patched last week was actually used together with a second one, a zero-day impacting the Microsoft Windows 7 operating system. From a report: The two zero-days were part of ongoing cyber-attacks that Clement Lecigne, a member of Google's Threat Analysis Group, discovered last week on February 27. The attackers were using a combination of a Chrome and Windows 7 zero-days to execute malicious code and take over vulnerable systems. The company revealed the true severity of these attacks in a blog post this week. Google said that Microsoft is working on a fix, but did not give out a timeline. The company's blog post comes to put more clarity into a confusing timeline of events that started last Friday, March 1, when Google released Chrome 72.0.3626.121, a new Chrome version that included one solitary security fix (CVE-2019-5786) for Chrome's FileReader --a web API that lets websites and web apps read the contents of files stored on the user's computer.
This discussion has been archived. No new comments can be posted.

Google: Chrome Zero-Day Was Used Together With a Windows 7 Zero-Day

Comments Filter:
  • the twitter command and control accounts of botnets/terrorists...

    Scanning for vulnerabilities is a start, but eliminating the accounts is probably a whole other kettle of fish.

  • If another large security hole opens up after EOL, Microsoft will just say we told you so and tell you go get Windows 10. There WILL be a large security incident a few years from now because too many people are using unsupported systems.
    • by Anonymous Coward

      microsoft has released out-of-band updates for so-called 'unsupported' and end-of-life versions in the past... but, microsoft should just quit squeezing more money out of windows 7 users (the upcoming penalty for not signing-on to windows 10 and it's extra revenue streams for microsoft) and just extend the support date by the three years that 'paid' updates will be available for... make it and 8.1 the same.... and then FIX the piece of shit that is windows 10 in the next three and a half years... i.e. the

    • If another large security hole opens up after EOL, Microsoft will just say we told you so and tell you go get Windows 10. There WILL be a large security incident a few years from now because too many people are using unsupported systems.

      I see Google has successfully managed to get some people to already forget about their own zero-day bug here. You know, the Google bug which gave attackers remote access to the Windows 7 computers in the first place.

      The Windows bug was a local privilege escalation attack. It needs to be fixed, but the Google Chrome bug was the bigger issue here.

    • Nope, Chrome works fine on our lab's Linux blades

      Why would we downgrade them to Windows 10?

  • needlessly jargony?

    Why not say what it is in plain english... a newly discovered or previously unheard of exploit or vulnerability.

    And if it's not that, then it's not zero-day, by definition.

  • So, I've got a Window 10 box, that apparently Chrome can't update itself on, instead giving this message:

    https://twitter.com/MrDanack/s... [twitter.com]

    Which is obviously not a good sign as blocking the security updates seems like a thing an infection would like to do.

    Anyone know of how to tell if a box is actually infected or not?

    • by Anonymous Coward

      It has Windows 10, it is infected. Don't you mean how to tell if there also is a competing product on the box?

    • So, I've got a Window 10 box, that apparently Chrome can't update itself on, [...]
      Anyone know of how to tell if a box is actually infected or not?

      You're running a browser that phones home to Google on a system that phones home to Microsoft. The answer is yes. Your box is actually infected with at least two trojans that you deliberately chose to have it infected with.

  • what is the use case to have a browser expose some API for random websites to read files on user computer? or what is this API if not that?

  • People keep telling me tools will help prevent this kind of shit for C(++). Google has fuzzers and memory checker tools out the ass, still these bugs get through.

  • If people were to use shared_ptr, vectors and std::string many of these errors could be prevented.

Keep up the good work! But please don't ask me to help.

Working...