
Google fixes sixth Chrome zero-day exploited in the wild this year


Google has released Chrome 91.0.4472.101 for Windows, Mac, and Linux to fix 14 security vulnerabilities, with one zero-day vulnerability exploited in the wild and tracked as CVE-2021-30551.

Google Chrome 91.0.4472.101 has started rolling out worldwide and will become available to all users over the next few days.

Google Chrome will automatically attempt to update itself the next time you launch the browser, but you can perform a manual update by going to Settings > Help > ‘About Google Chrome’.
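For anyone checking a fleet rather than a single desktop, the useful question is whether an installed build is at or above 91.0.4472.101, the first version the article names as carrying the fix. The following script is an added example, not code from the article or from Google; it assumes Chrome reports its version in the form “Google Chrome 91.0.4472.101” (the output of `google-chrome --version` on Linux), and the sample strings it checks are constructed. The point it demonstrates is that Chrome’s four-part versions must be compared numerically, since a plain string comparison would rank 91.0.4472.99 above 91.0.4472.101.

```python
"""Check whether an installed Chrome build includes the CVE-2021-30551 fix.

Added example, not from the original article. Assumes Chrome prints its
version as "Google Chrome 91.0.4472.101" (the format of `google-chrome
--version` on Linux); the sample strings in __main__ are constructed.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Version the article names as the first build carrying the fix.
FIXED_VERSION = "91.0.4472.101"

_VERSION_RE = re.compile(r"(\d+(?:\.\d+){3})")


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a four-part Chrome version from text and return it as ints.

    Comparing integer tuples avoids the classic mistake of comparing
    version strings lexically, where "91.0.4472.99" sorts after
    "91.0.4472.101".
    """
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_patched(version_text: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the build described by version_text is at or above the fix."""
    return parse_version(version_text) >= parse_version(fixed)


def installed_chrome_version(binary: str = "google-chrome") -> Optional[str]:
    """Return the `--version` output of a local Chrome binary, or None if absent.

    The binary name is an assumption: on Windows the executable is chrome.exe
    and on macOS the app bundle path differs, so adjust it for your platform.
    """
    path = shutil.which(binary)
    if path is None:
        return None
    result = subprocess.run([path, "--version"], capture_output=True,
                            text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    # Constructed sample outputs illustrating the comparison.
    samples = (
        "Google Chrome 91.0.4472.77",
        "Google Chrome 91.0.4472.101",
        "Google Chrome 92.0.4515.107",
    )
    for sample in samples:
        status = "patched" if is_patched(sample) else "needs update (CVE-2021-30551)"
        print(f"{sample}: {status}")

    local = installed_chrome_version()
    if local:
        verdict = "patched" if is_patched(local) else "needs update"
        print(f"local: {local.strip()} -> {verdict}")
```

Run it as-is to see the constructed samples classified; the local check only prints a line when a `google-chrome` binary is on PATH.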

Google updated to version 91.0.4472.10

Six Chrome zero-days exploited in the wild in 2021

Few details regarding today’s fixed zero-day vulnerability are currently available, other than that it is a type confusion bug in V8, Google’s open-source C++ JavaScript and WebAssembly engine.

The vulnerability was discovered by Sergei Glazunov of Google Project Zero and is being tracked as CVE-2021-30551.

Google states that they are “aware that an exploit for CVE-2021-30551 exists in the wild.”

Shane Huntley, Director of Google’s Threat Analysis Group, says that this zero-day was utilized by the same threat actors using the Windows CVE-2021-33742 zero-day fixed yesterday by Microsoft.

Today’s update fixes Google Chrome’s sixth zero-day exploited in attacks this year, with the other five listed below:

  • CVE-2021-21148 – February 4th, 2021
  • CVE-2021-21166 – March 2nd, 2021
  • CVE-2021-21193 – March 12th, 2021
  • CVE-2021-21220 – April 13th, 2021
  • CVE-2021-21224 – April 20th, 2021 

In addition to these vulnerabilities, news broke yesterday of a threat actor group known as Puzzlemaker that is chaining together Google Chrome zero-day bugs to escape the browser’s sandbox and install malware on Windows.

“Once the attackers have used both the Chrome and Windows exploits to gain a foothold in the targeted system, the stager module downloads and executes a more complex malware dropper from a remote server,” the researchers said.


The Sixth Circuit Also Makes A Mess Of Section 230 And Good Internet Policy

Yesterday we wrote about a bad Section 230 decision against Amazon from the Third Circuit. But shortly before it came out the Sixth Circuit had issued its own decision determining that Section 230 could not protect Amazon from another products liability case. But not for the same reason.

First, the bad facts, which may even be worse: the plaintiffs had bought a hoverboard via Amazon, and it burned their house down (while two of their kids were in it). So they sued Amazon, as well as the vendor who had sold the product.

From a Section 230 perspective, this case isn’t quite as bad as the Third Circuit Oberdorf decision. Significantly, unlike the Third Circuit, which found Amazon to be a “seller” under Pennsylvania law, here the Sixth Circuit did not find that Amazon qualified as a “seller” under the applicable Tennessee state law. [p. 12-13] This difference illustrates why the pre-emption provision of Section 230 is so important. Internet platforms offer their services across state lines, but state laws can vary significantly. If their Section 230 protection could end at each state border it would not be useful protection.

But although this case turned out differently than the Third Circuit case and the Ninth Circuit’s decision in HomeAway v. City of Santa Monica, it channeled another unfortunate Ninth Circuit decision: Barnes v. Yahoo. In Barnes Yahoo was protected by Section 230 from liability in a wrongful user post. After all, it was not the party that had created the wrongful content. Because it couldn’t be held liable for it, it also couldn’t be forced to take it down. But Yahoo had offered to take the post down anyway. It was a gratuitous offer, one it didn’t have to make. But, per the Ninth Circuit, once having made it, Section 230 provided no more protection from liability arising from how Yahoo fulfilled that promise.

Which may, on the surface, sound reasonable, except consider the result: now platforms don’t offer to take posts down. It just doesn’t pay to try to be so user-friendly, because if the platform can’t get things exactly right on that front, it can be sued since, per the Ninth Circuit, Section 230 ceases to provide any protection. (And even if the platform might not ultimately face liability, it would still have to face an expensive lawsuit to get there.) So thanks to this case the Ninth Circuit ended up chilling platform behavior that we would have been better off encouraging more of. It may have won the battle for this person (their lawsuit could proceed) but it lost the war for the rest of the public.

This case from the Sixth Circuit presents a similar problem. Amazon did not have to do anything with respect to hoverboard sales, but it created liability problems for itself when it tried to anyway. Eventually it banned them, but more at issue is that it sent an email to purchasers indicating that there had been reports of problems with them:

“There have been news reports of safety issues involving products like the one you purchased that contain rechargeable lithium-ion batteries. As a precaution, we want to share with you some additional information about lithium-ion batteries and safety tips for using products that contain them.” The email included a link for the “information and safety tips,” a link “to initiate a return,” and a request that the recipient “pass along this information” to the proper person if the hoverboard was purchased for someone else. [p. 5]

The plaintiffs argued that the email Amazon sent was not enough of a warning and that it should have been more clear about the fire hazard. [p. 6] The Sixth Circuit did not decide whether it was adequate or not. What it did decide, however, was that Section 230 was no obstacle to the litigation continuing to explore that question.

Tennessee tort law provides that an individual can assume a duty to act, and thereby become subject to the duty of acting reasonably.

[…]

In this case, Plaintiffs allege that Defendant gratuitously undertook to warn Plaintiff Megan Fox of the dangers posed by the hoverboard when it sent her the December 12, 2015 email, that Defendant was negligent in that undertaking, and that Defendant’s negligence caused them harm. The district court held that § 324A was inapplicable to Plaintiffs’ claims because it “contemplate[d] liability to third parties.” (RE 161, PageID # 2221–22.) And the district court also held that Plaintiffs forfeited any § 323 claim. The first holding was erroneous, and the second we need not address.

[…]

Plaintiffs argue that Defendant undertook to warn Plaintiff Megan Fox when it sent her the December 12, 2015 email, and that Defendant’s negligent warning caused physical harm to the other members of her family. Accordingly, while Defendant’s liability to Plaintiff Megan Fox is properly governed by § 323, Defendant’s liability to the other members of her family is properly governed by § 324A.7 See Grogan, 535 S.W.3d at 872–73. Thus, the district court’s holding that § 324A was inapplicable to Plaintiffs’ Tennessee tort law claim was erroneous.

Applying § 324A to the facts of this case, Defendant chose to send the December 12, 2015 email to Plaintiff Megan Fox, and in doing so plainly sought to warn her of the dangers posed by the hoverboard.

[…]

Thus, we hold that Defendant assumed a duty to warn Plaintiff Megan Fox of the dangers posed by the hoverboard when it sent her the December 12, 2015 email. [p. 13-16]

The decision’s explanation of how tort law works is not striking. The problem is that all sorts of state tort law could reach the Internet, and strangle it, if state tort law could reach platforms. And here is a court saying it can, despite the existence of Section 230 generally saying that it can’t.

In a way, though, this case is much less dire for the Internet than some of the other cases we’ve discussed, like Oberdorf, HomeAway, and the Court of Appeals ruling in Armslist. Platforms can still avoid liability. But they will avoid it by curtailing the sort of beneficial activity Section 230 normally wants to encourage. In letting these state law tort claims go forward the decision reads as a big warning sign for platforms not to bother trying to help their users in similar ways. Amazon did not have to send an email, but by trying to reach out to users anyway it tempted trouble for itself it could have avoided if it had instead done nothing.

But if that fact doesn’t pull at the heartstrings, remember that the precedent will apply to any other platform, no matter how small. The moral of this story is that it is much safer for all platforms to do nothing than to try to do something. If trying to be helpful to users causes platforms to pick up duties that they otherwise would not have had, and to face liability for not fulfilling them well enough, they won’t try. They will be discouraged from trying, even though the public would be much better off if they were instead encouraged to continue these efforts. Curtailing Section 230 to allow state tort law to reach platforms now means that instead of getting more of the user-friendly behavior Section 230 tried to encourage, we will now get less.


Techdirt.

Lewis University ranked Sixth in 20 Best Online Masters in Cyber Security for 2017 – The Herald-News

ROMEOVILLE – Lewis University's Master of Science in Computer Science with a concentration in cyber security was ranked sixth among the 20 Best Online Masters in Cyber Security for 2017 by CyberSecurityDegrees.com. For CSD's annual ranking of the …



Sixth Circuit: Suit Challenging Data Breach Caused by Hacking May Proceed – Data Protection Report


The U.S. Court of Appeals for the Sixth Circuit concluded that certain allegations of harm after a data breach caused by hacking are sufficiently concrete to confer Article III standing. This case may make it more difficult for companies defending data


“data breach” – Google News