
Google Issues Third Emergency Fix for Chrome This Year (theregister.com)

Google is issuing fixes for two vulnerabilities in its Chrome web browser, including one flaw that is already being exploited in the wild. From a report: The emergency updates the company issued this week impact the almost 3 billion users of its Chrome browser as well as those using other Chromium-based browsers, such as Microsoft Edge, Brave and Vivaldi. It is the third such emergency update Google has had to issue for Chrome this year. One of the flaws is a type confusion vulnerability tracked as CVE-2022-1364, a high-severity, zero-day bug that is actively being used by attackers. With a type confusion flaw, a program will allocate a resource like a pointer or object using one type but later will access the resource using another, incompatible type. In some languages, like C and C++, the vulnerability can result in out-of-bounds memory access. This incompatibility can cause a browser to crash or trigger logical errors. However, if exploited, it could enable a hacker to execute arbitrary code.
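The type confusion pattern the summary describes, as an added example that is not part of the original story and is not Chrome or V8 code: an object is created as one type and later accessed through a pointer of an incompatible type. The types `Value`, `Number` and `Buffer` and the function names are constructed for illustration; the unchecked cast is shown beside a tag-checked version.

```cpp
#include <cstddef>
#include <cstdint>

// Constructed types for illustration only (not Chrome/V8 code).
enum class Kind : uint8_t { Number, Buffer };

struct Value {
    Kind kind;                       // runtime tag recording the real type
    explicit Value(Kind k) : kind(k) {}
};

struct Number : Value {
    double v;
    explicit Number(double d) : Value(Kind::Number), v(d) {}
};

struct Buffer : Value {
    size_t len;
    uint8_t data[16];
    Buffer() : Value(Kind::Buffer), len(sizeof data), data{} {}
};

// Unchecked downcast: trusts the caller about the dynamic type.
// If val is really a Number, b->len is read from the bytes of a double,
// so a later bounds check against len is meaningless and data[i] can
// land outside the object. This is the confusion; it is never called here.
inline Buffer* as_buffer_unchecked(Value* val) {
    return static_cast<Buffer*>(val);
}

// Checked downcast: consult the tag first, refuse on mismatch.
inline Buffer* as_buffer_checked(Value* val) {
    if (val == nullptr || val->kind != Kind::Buffer) return nullptr;
    return static_cast<Buffer*>(val);
}

// Reads one byte; returns -1 on a type mismatch or out-of-range index.
int read_byte(Value* val, size_t i) {
    Buffer* b = as_buffer_checked(val);
    if (b == nullptr || i >= b->len) return -1;
    return b->data[i];
}
```

The bounds check in `read_byte` only means something because the type check ran first; with the unchecked cast, `len` itself would come from unrelated memory.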
  • more competition (Score:5, Insightful)

    by awwshit ( 6214476 ) on Friday April 15, 2022 @01:47PM (#62450166)

    This is why we need more competition in browsers.

    • by shanen ( 462549 )

      Why isn't it modded insightful? Lack of solution approaches?

      Anyway, I would have worded my response as "In diversity there is also strength".

      However in terms of solutions, the lack of diversity could actually be a good thing. If only the dominant players would focus on the money that is motivating the serious criminals. Instead, they focus on their own money and increasing their own profits and "Live and let scam" should be the corporate motto for all the big corporations I know of.

      Proof and disproof of con

    • by antdude ( 79039 )

      We have several, but they need to be better. However, Edge is not really a competitor since it uses Chromium too.

      • Until someone else makes a chromium competitor we are pretty much stuck with chrome/chromium and firefox. There are a number of large tech companies that can afford to do it.

  • OMG Google fixed another BUG... Google BAD!

    Haters gonna hate...

  • Surely they used Rust and this should not be an issue, right?
  • It's called Firefox or literally "anything but your shit". I don't run software from censors. Chromium? Maybe, but my last choice. It's still too close to the tree.
    • Yeah, Firefox has a lock on security. [mozilla.org] It has no vulnerabilities, right?

      • That wasn't at all the point. Firefox isn't run by a censorious bunch of assholes [wikipedia.org]. All browsers have had vulnerabilities. Google Chrome carries water for the man because it's from the fucking Man. It's not hard to understand, but keep pretending like I was talking about vulnerabilities. That will keep Google's Censorship out of the conversation.... maybe.
  • Used reinterpret_cast (some_other_class_ptr) and no one saw it in code review? (Please imagine the gt and lt symbols where needed)
    • Google is not allowing their github repository for the bug fix to be viewed by the public, so we won't know the actual cause of the errors for a while. I'm getting a permission denied error while trying to view the bug fix, and Google's page says they are restricting access to the bug information until the majority of Chrome users have updated.

  • by Virtucon ( 127420 ) on Friday April 15, 2022 @02:19PM (#62450254)

    If Google is pushing out zero-day fixes, it's a good thing. While we know they've addressed CVE-2022-1364 [googleblog.com], other zero-day vulnerabilities will be found. As long as there are bad actors, including governments, who want to compromise your systems and data, they will find and use any vector available. I find it refreshing that they actually came up with a fix and released it within two days. I'm also wondering how long the exposure would have been available to bad actors?

  • In some languages [...] the vulnerability can result in out-of-bounds memory access. This incompatibility can cause a browser to crash or trigger logical errors. However, if exploited, it could enable a hacker to execute arbitrary code.

    I could also win the lottery three times in a row.

    • This context is more like a car could be driven to the grocery store, it could be driven to the hardware store, it could be driven to school.

      Bad guys can use type confusions to do bad things, in the same way they can use cars to go to bad places. In this case, bad guys ARE using this particular one to do bad things. That's why it's posted here.

      On Tuesday, Microsoft released patches (or partial patches) for 117 vulnerabilities in Windows, plus 17 in Edge. Any of those could be used by bad guys to do bad th

  • Would this affect not just the Chromium browser, but also anything using Chromium, like Electron apps? That might be the real target, stuff like Teams and Slack.

  • Don't use Python they said. You'll get type errors they said.
