Tag Archive for: Chrome

Google backs Linux project to make Android, Chrome OS harder to hack

/in


Google said Thursday it’s funding a project to increase Linux security by writing parts of the operating system’s core in the Rust programming language, a modernization effort that could bolster the security of the internet and smartphones .



icon: Miguel Ojeda

© Provided by CNET
Miguel Ojeda

If the project succeeds, it’ll be possible to add new elements written in Rust into the heart of Linux, called the kernel. Such a change would mark a major technological and cultural shift for an open-source software project that’s become foundational to Google’s Android and Chrome operating systems as well as vast swaths of the internet. 

Miguel Ojeda, who’s written software used by the Large Hadron Collider particle accelerator and worked on programming language security, is being contracted to write software in Rust for the Linux kernel. Google is paying for the contract, which is being extended through the Internet Security Research Group, a nonprofit that’s also made it easier to secure website communications through the Let’s Encrypt effort.



icon

© Miguel Ojeda


Adding Rust modules to the Linux kernel would improve security by closing some avenues for hackers can use to attack phones, computers or servers. Since it was launched in 1991, Linux has been written solely in the powerful but old C programming language. The language was developed in 1972 and is more vulnerable to hacks than contemporary programming languages.

Loading...

Load Error

Better security for Linux is good news for everyone but hackers. In addition to the Android and Chrome OSes, Google services like YouTube and Gmail all rely on servers running Linux. It also powers Amazon and Facebook, and is a fixture in cloud computing services.

It isn’t clear if Linux kernel leaders will accommodate Rust. Linus Torvalds, the founder of Linux, has said he’s open to change if Rust for Linux champions prove its worth. Ojeda has proposed 13 changes needed to allow Rust modules in Linux to get things started.

Google already has taken some early steps to make it possible to use Rust for Linux Android. Getting buy-in at the highest levels of the Linux kernel project means many other software projects could benefit, too.

Google credits the…

Source…

Google fixes sixth Chrome zero-day exploited in the wild this year

/in


Google Chrome

Google has released Chrome 91.0.4472.101 for Windows, Mac, and Linux to fix 14 security vulnerabilities, with one zero-day vulnerability exploited in the wild and tracked as CVE-2021-30551.

Google Chrome 91.0.4472.101 has started rolling out worldwide and will become available to all users over the next few days.

Google Chrome will automatically attempt to upgrade the browser the next time you launch the program, but you can perform a manual update by going to Settings > Help > ‘About Google Chrome

Google updated to version 91.0.4472.10
Google updated to version 91.0.4472.10

Six Chrome zero-days exploited in the wild in 2021

Few details regarding today’s fixed zero-day vulnerability are currently available other than that it is a type confusion bug in V8, Google’s open-source and C++ WebAssembly and JavaScript engine.

The vulnerability was discovered by Sergei Glazunov of Google Project Zero and is being tracked as CVE-2021-30551.

Google states that they are “aware that an exploit for CVE-2021-30551 exists in the wild.”

Shane Huntley, Director of Google’s Threat Analysis Group, says that this zero-day was utilized by the same threat actors using the Windows CVE-2021-33742 zero-day fixed yesterday by Microsoft.

Today’s update fixes Google Chrome’s sixth zero-day exploited in attacks this year, with the other five listed below:

  • CVE-2021-21148 – February 4th, 2021
  • CVE-2021-21166 – March 2nd, 2021
  • CVE-2021-21193 – March 12th, 2021
  • CVE-2021-21220 – April 13th, 2021
  • CVE-2021-21224 – April 20th, 2021 

In addition to these vulnerabilities, news broke yesterday of a threat actor group known as Puzzlemaker that is chaining together Google Chrome zero-day bugs to escape the browser’s sandbox and install malware in Windows.

“Once the attackers have used both the Chrome and Windows exploits to gain a foothold in the targeted system, the stager module downloads and executes a more complex malware dropper from a remote server,” the researchers said.

Microsoft…

Source…

Another Google Chrome 0-Day Bug Found Actively Exploited In-the-Wild

/in


Google has addressed yet another actively exploited zero-day in Chrome browser, marking the second such fix released by the company within a month.

The browser maker on Friday shipped 89.0.4389.90 for Windows, Mac, and Linux, which is expected to be rolling out over the coming days/weeks to all users.

While the update contains a total of five security fixes, the most important flaw rectified by Google concerns a use after free vulnerability in its Blink rendering engine. The bug is tracked as CVE-2021-21193.

Details about the flaw are scarce except that it was reported to Google by an anonymous researcher on March 9.

As is usually the case with actively exploited flaws, Google issued a terse statement acknowledging that an exploit for CVE-2021-21193 existed but refrained from sharing additional information until a majority of users are updated with the fixes and prevent other threat actors from creating exploits targeting this zero-day.

“Google is aware of reports that an exploit for CVE-2021-21193 exists in the wild,” Chrome Technical Program Manager Prudhvikumar Bommana noted in a blog post.

With this update, Google has fixed three zero-day flaws in Chrome since the start of the year.

Earlier this month, the company issued a fix for an “object lifecycle issue in audio” (CVE-2021-21166) which it said was being actively exploited. Then on February 4, the company resolved another actively-exploited heap buffer overflow flaw (CVE-2021-21148) in its V8 JavaScript rendering engine.

Chrome users can update to the latest version by heading to Settings > Help > About Google Chrome to mitigate the risk associated with the flaw.

Source…


[the_ad_group id="27628"]

Another Chrome zero-day exploit – so get that update done! – Naked Security

/in


Almost exactly a month ago, or a couple of days under an average month given that February was the short one, we warned of a zero-day bug in Google’s Chromium browser code.

Patch now, we said.

And we’re saying it again, following Google’s otherwise cheery release of version 89.0.4389.72:

The Chrome team is delighted to announce the promotion of Chrome 89 to the stable channel for Windows, Mac and Linux. This will roll out over the coming days/weeks.

We’ve never quite understood Google’s mention of rolling out updates over “days/weeks” in an update that includes 47 security fixes, of which eight have a severity level of High.

In fact, we suggest going out manually and making sure you’ve got your Chrome update already, without waiting for those day/weeks to elapse until the update finds you.

If you’re using a Chromium-based product from another browser maker, check with that vendor for information about whether their build is affected by this bug, and if so whether the patch is downloadable yet.