Chrome's Latest Update: 30 Security Fixes and Bug Details Kept 'Restricted' (hothardware.com)
Hot Hardware warns that on Tuesday, the Stable Channel for Chrome's desktop edition "had an update on April 26, 2022. That update includes 30 security fixes, some of them so bad that Google is urging all users to update immediately."
The release notes for Google's Chrome v101.0.4951.41 for Windows, Mac, and Linux have a long list of bug fixes; you can view them here. However, there's also a key statement on that page.
"Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed...."
Effectively, the non-developer translation of the quote above is that something so significant was found that the details are being kept hidden.
Oh good (Score:1, Insightful)
Re: (Score:2)
You're kinda making a "have your cake and eat
Re: (Score:2)
Discord is based off Electron. If there's a vulnerability in Chrome, Discord will have it as well as Electron is a subset of the Chrome APIs.
Do you even know what you're talking about? Doesn't look like it.
Re: (Score:2)
But besides that, the main point of the post was the fact that you can't have Discord without scripting; the very thing OP is lamenting, that they should ha
Re: (Score:2)
Nothing of what Discord does requires scripting. We had all this garbage waaaay back in the days of pIRCh98 (including built-in video chat server.)
Re: (Score:2)
Your first statement is wrong. To run through a non-specialised browser, Discord requires scripting. Discord wouldn'
Re: (Score:2)
Back in the day, we also didn't need Macromedia Flash since image presentation and animation was still possible without it for desktop applications. Electron and other browser based runtimes are for people that can't or won't develop for platforms beyond the web before delivering a product for the desktop or another OS. Instead, they just stuff their HTML, CSS, and slow ass JavaScript in a resource heavy, kitchen sink having framework. Lightweight, purpose specific applications are still possible and eve
Re: (Score:2)
Re: (Score:2)
Re:Oh good (Score:4, Insightful)
And if its the usability and features you have a problem with, then don't use Discord
That's often not an option because support features for many games now require Discord. There is literally no other way to seek support. Consequently a whole bunch of people have been roped into using it who had no interest in it whatsoever.
Re: (Score:2)
Re: (Score:2)
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed...
Tagon: Your ideas tend to result in unnecessary violence, Sergeant Schlock.
Schlock: And your point is...
Tagon: Let's broaden the definition of "necessary".
Do you think? (Score:2, Redundant)
The story is partially clickbait. Nine criticals (Score:5, Insightful)
The lesson here is recognizing clickbait when you see it. Google *always* says users should install the latest updates. Every time they post an update, certain sites proclaim "Google begs Chrome users to update". We see the same headline here on Slashdot every few months. For example, the March 16th bug was a bigger issue than this one, from what I've seen.
Every month I do a series of presentations covering the new security vulnerabilities and updates for the month. One thing I consider is the CVSS score of each. CVSS measures how critical a vulnerability is based on several factors. Every month, there are 5-15 critical (CVSS 9.0 or above) vulnerabilities in Windows. Every month.
For example, last month's Windows updates had 120 vulnerabilities, of which NINE were critical. Nine.
https://krebsonsecurity.com/20... [krebsonsecurity.com]
Sometimes there are similarly rated vulnerabilities in Chrome. It's not the end of the world. It's monthly patching, just like every month. You patch, or double-check that you have automatic updates turned on, then go on with your day.
Currently there are nine critical vulnerabilities in Windows and one in Chrome. So install updates for both and enjoy the rest of your day.
If you aren't freaked out about the 120 vulnerabilities (nine critical) in Windows, don't freak out about the one in Chrome either. Just update and go on with your day.
Re: (Score:2)
Currently there are nine known critical vulnerabilities in Windows and one in Chrome.
FTFY.
Re: (Score:2)
No. Google does not care about browser security. They do only so much as to not endanger their business model (selling ads).
Re: (Score:2)
I think Chrome is a big part of their ad strategy, otherwise they wouldn't even bother with it as it surely costs them a ton of money to maintain. Likewise, if people don't use it because of security issues, then that won't help their business model will it?
Google normally hides details for about 90 days (Score:4, Informative)
"Access to bug details and links may be kept restricted" just means that the April 26 post is no different from almost every other "Stable Channel Update for Desktop" post over the past several years. When the post first appears, readers don't have permission to view the linked crbug.com pages. Then, about 90 days later, most or all of the crbug.com pages become readable. You can look at https://chromereleases.googleb... [googleblog.com] as an example. If you click on the 1263457 crbug.com link, it now reaches a readable page on bugs.chromium.org - namely, the https://bugs.chromium.org/p/ch... [chromium.org] page. Near the bottom, it says "This bug has been closed for more than 14 weeks. Removing security view restrictions." In other words, details were hidden from mid-December until mid-March. The April 26 bug content would normally be scheduled to become fully public around late July / early August.
A bit too large (Score:5, Insightful)
No software is bug free. However web browsers have become essentially separate operating systems of their own. They not only handle user interface and networking, but they also have virtual machines, memory management, task schedulers, I/O and access mechanisms, USB and other hardware drivers and whatnot.
Looking at Chromium:
https://github.com/chromium/ch... [github.com]
And Linux Kernel mirrors:
https://github.com/torvalds/li... [github.com]
It looks like Chromium receives about 2x as many code updates as the Linux kernel.
Of course some bugs are bound to happen. Shall we "shrink" the browsers? I am not sure, that ship might have sailed. But we should be ready to see more updates like this in the future, not less.
Re: A bit too large (Score:3, Funny)
Re: (Score:2)
For Google the web is the platform. That's why they built Chrome in the first place, to make websites and web apps work as well as native ones. So in a sense it really is an OS.
Re: (Score:2)
Indeed. In comparison to Microsoft, Google and others have actually managed to create a real cross-platform "OS wrapper". With WASM and JIT compilers, code in a browser can get something like 90% native performance (or better) these days.
Re: (Score:2)
I wouldn't say 90%. Even WASM has to run within the DOM itself, which is also why it can't do anything that JavaScript can't already do. You're still pretty far removed from the metal, even if you compiled from, say, Rust, which is otherwise considered to be close to the metal.
Re: (Score:2)
Software cannot realistically be bug-free and some bugs will be security bugs (the traditional estimate is 1 in 1000). However, software can be redundant enough in both functionality and security that a single security bug in a specific functionality does _not_ lead to an exploitable issue and hence there is time to patch things. That requires care and a lot of experience and skill though and not many coders have what it takes. Also, this slows things down and makes code creation more expensive. Hence it is
Re: (Score:2)
> Shall we "shrink" the browsers?
No, but it's time to adopt the privilege separation of Qubes/Whonix widely.
That is a normal release (Score:2)
They happen every other week. There is nothing special about it, unless Google warns about some of the issues being used in the wild, or marks them "Critical".
Security Through Obscurity (Score:2)
It's nice to see that Chrome's development team sucks so bad that a ham-fisted attempt at mitigating damage through the "I'm not gonna tell you!" method is the best they could do.
They should have at least released some complicated bullshit smokescreen "explanation" to throw off the bad-guys during the patch rollout; rather than making it even more of a "game" for them...