Google Chrome emergency update patches 0-day vulnerability
Google released a Chrome web browser update to address a security issue in the browser that is actively exploited in the wild.
Chrome 100.0.4896.127 has been released for all supported desktop operating systems -- Windows, Mac and Linux -- to address the issue. The update is being rolled out over time as usual, but Chrome users may speed up the installation in the following way:
- Select Chrome Menu > Help > About Google Chrome, or load chrome://settings/help directly.
The page displays the installed browser version. A check for updates is performed when the page is opened in the browser. Chrome should download and install the update automatically at that point.
Google announced the release on the company's Chrome Releases blog, but did not provide many details on the issue. The vulnerability is listed with a severity rating of high, the second-highest after critical. It is a Type Confusion in V8 issue, Chrome's JavaScript engine. These type of vulnerabilities may lead to the execution of arbitrary code, and it appears that this is the case for the vulnerability that Google disclosed on the blog.
The company notes that it is aware of an exploit that is actively used against the vulnerability:
Google is aware that an exploit for CVE-2022-1364 exists in the wild.
Google did not provide specifics; this is common, as companies that release security patches want updates to be rolled out to the majority of users and devices first. The premature release of information could result in the creation of exploits by other malicious actors.
Google released three zero-day vulnerability updates for its Chrome web browser this year. Other Chromium-based web browsers may also be affected by the issue. Security updates for these web browsers will likely be released soon, provided that the issue affects these browsers as well.
Chrome users may want to upgrade their browser as soon as possible to protect it against attacks that target the 0-day vulnerability. Users who use other Chromium-based browsers may want to check for updates or news regularly to make sure their browsers do get patched as well.
Google’s fuzzing infrastructure has zero to do with market share, and the few hundred test devices that do the fuzzing could easily be matched by Mozilla or Apple for a small dollar amount if they found 60 million tests per day to be useful. The fact is, it was V8 once again that got pwned by the script kiddies. No amount of fuzzing helped them avoid it this time.
>Google’s fuzzing infrastructure has zero to do with market share
Never said that it was, I used market share as a source that Chromium has much more researchers than Firefox
>and the few hundred test devices that do the fuzzing could easily be matched by Mozilla or Apple for a small dollar amount if they found 60 million tests per day to be useful.
Just because Mozilla and Apple don’t do as much fuzzing as Google if at all doesn’t mean that it’s not substantial, most security bugs are detected with fuzzing alone
https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_14.html
>The fact is, it was V8 once again that got pwned by the script kiddies. No amount of fuzzing helped them avoid it this time.
What is your point? Obviously fuzzing is not a silver bullet
>”most security bugs are detected with fuzzing alone” [source – Google press release]
Apparently not this one.
Reading everything instead of cherrypicking a single claim that you want to refute is so difficult?
The V8 JavaScript engine has been hit with exploits many times, and here is list of recent V8 exploits: CVE-2022–1364, CVE-2022–1096, CVE-2021–4102, CVE-2021–38003, CVE-2021–37975, CVE-2021–30633, CVE-2021–30563, CVE-2021–30551, CVE-2021–21224 and CVE-2021–21148.
There has been only one type confusion vulnerability in Spidermonkey in 2019, (CVE-2019–11750).
Mainstream browsers are secure, until they are not.
@Monopoly
> Mainstream browsers are secure, until they are not.
Implying that the issue wasn’t resolved very quickly, or what are you trying to say here?
CVE counting is a very inaccurate and misleading method generally used by security charlatans. Most security fixes don’t receive CVEs, not to mention the robust fuzzing infrastructure of Google and more research thanks to the higher market share. Does Mozilla have that?
https://arxiv.org/abs/2105.14565
https://blog.chromium.org/2012/04/fuzzing-for-security.html
It appears Firefox does or did use fuzzing, from Google themselves no less.
https://github.com/google/oss-fuzz/tree/master/projects/firefox
ClusterFuzz is impressive on paper, but if it is really so effective, then why are there so many zero days in Chrome? It’s been in operation since 2012, so it’s not like they haven’t had the time.
ClusterFuzz doesn’t always get the correct inputs or parameters to find a problem. A good read on this topic is Tavis Omandy’s post-mortem report on the NSS vulnerability where he talks about fuzzing’s limitations: https://googleprojectzero.blogspot.com/2021/12/this-shouldnt-have-happened.html
Nothing is perfect, ClusterFuzz detects most security bugs, but not everything. Just like vaccines are never 100% effective :)
It’s a type confusion vulnerability in the V8 JavaScript engine, which is not used by Firefox or Pale Moon. And of course, as is nearly always the case, people who disable scripts from running client-side in their browsers would be immune. Score another point for script-free browsing.
People saying that it is only exploited because Chrome/chromium is used by more people are most likely spreading a fallacy. The types of tests that are developed by black hats to probe for exploits are applied to all the js engines used by browsers. If you think they aren’t probing SpiderMonkey, JavaScriptCore and Chakra with the same intensity that they are probing V8, you are being willfully ignorant. Google, for whatever reason, has just simply chosen to continue to employ an engine with a lengthy history of these types of vulnerabilities. No one has forced them to continue to use V8.
Tsk! No single day goes by without discovering a security loophole in Chrome/Chromium.
@Uwe
I challenge you to name one browser that is more secure than Chromium. I‘ll wait, and don‘t make me laugh.
LibreWolf, Mull, Lynx, Arachne, Tor.
@Andy Prough @Aluminium
You do realize that there is a difference between “security” and “privacy”, right? Security = resistance against exploits.
> LibreWolf, Mull, Tor
All based on Firefox, they inherit FF’s security issues: https://madaidans-insecurities.github.io/firefox-chromium.html
> Lynx, Arachne
Yeah, I guess. If you support no modern feature, you also can’t be hacked. Congrats, challenge fulfilled. Now your (even greater) challenge would be to actually use those two on the modern web, good luck with that.
Face the facts, there is no browser that is both usable on the modern web and more secure than Chromium.
Thank you for the congrats. I respectfully disagree with your assumption that Firefox is less secure based on what some random obscure blog claims. There are only a handful of people who have the experience and knowledge to make such a claim with any kind of authority. If the blogger worked extensively on both the Chromium and Mozilla projects then maybe he can make such judgments, if not then he is just guessing. Things that work in theory don’t necessarily work the same in real life. I find many dislike Firefox more for political reasons than technical ones, which make them have an unreasonable bias.
As far as browsing on the “modern” internet, the main thing a browser needs is TLS 1.2 and 1.3 support. With many sites going https only it’s becoming a more critical feature. Surprisingly many sites can work without scripting, like ghacks for example.
This “random obscure blog” is made by a known security researcher who is an active contributor to Whonix. The post links to other security experts who says the same thing as him.
Your criteria for who should dictate judgements on browser security is simply flawed.
Extensively working on both Chromium and Mozilla projects significantly narrows down the amount of people who can critique Firefox, as if security researchers are just blind when they’re not working on the project they’re analysing.
The only thing less credible than an “random obscure blog” is a random Anonymous message board poster. Look closer at some of the people he’s referencing. Some questions to ask, who do they work for, could they have any conflicts of interest, do have they have a history of making exaggerated claims, do they have any personal axes to grind?
The blogger also spends a lot of time talking about sandboxing. Sandboxing is one of those things that work great in theory, on the other hand look at how secure Java is.
>”Security = resistance against exploits.”
I’m pretty sure that people like you and I are able to protect ourselves for the most part. You seem like a wise and serious person, and I have no doubt you are able to browse the web securely, regardless of your browser. I try out various browsers, but whatever browser I use, I have all scripting disabled by default. If I don’t need the site and it doesn’t function without running js, then I simply don’t go to that site. I do most of my internet reading and researching in a text-based browser that has no javascript engine at all, and in a text-based rss feed reader. As you well know, the internet is a playground for international crime syndicates and spy organizations. No need to get caught up in their games.
Tor Browser, no contest. The defaults are vastly more secure than chromium’s.
Pfft and firefox is supposedly insecure.?.
The chromium code is constantly needing patching which means vulnerable browsers all the time.
patching it next week and the weeks afterwards for a single exploit which you the user have a 50/50 chance of coming across.
No such thing as a secure browser if it is leaking like a sieve.
Millions drank the kool-aid and now have a sore throat lol
The bad guys see no point or value in targeting Firefox and its userbase, which are 99.99% +60 year old prepper men who still live in 2001 and think those 3 nude pictures of Marilyn Monroe stashed away in triple encrypted partitions are somekind of valuable state secret that must be guarded from the Russians and the Chinese even if it means dying while doing so. ‘MURICA GODDAMMIT! ‘MURICA!
Kind of, sort of, maybe? It’s not that Firefox is more secure, but based on user share all the attacks are geared towards all Chromium based browsers for the shear numbers. I’m sure when exploits are found in Chromium Mozilla looks at their code. Both browsers use totally different technologies, so one is not better than the other.
lol what an ignorant reply…
I mean Show proof this vulnerability is even so terrible and insecure Firefox is a better alternative.
Maybe it is for business or whatever I don’t even care about, but for normal users?
Also, if you didn’t notice, Firefox is almost at 100 version, what do you think they updated it besides few features here and there? security issues and bugs.
I mean, are you 12 or something? this is not like even important, it’s just an update that probably will not affect anyone one either way. Only because they patch it doesn’t mean some hackers are fighting to exploit it to hack and steal your whatever so important information (useless and lifeless) you have in your computer anyway.
@computer said no
That Firefox with a 25 times smaller user base has „less“ vulnerabilities only proves that hackers don’t take much interest in Firefox. It is clear that Firefox lacks important exploit mitigations which Chromium does have: https://madaidans-insecurities.github.io/firefox-chromium.html
Further, merely counting security issues is a bad measure when comparing two similar products. Counting security issue does not answer 1) how popular any given application is, which is a prime motivator for hackers, as said above and 2) how hard a given hack was, i.e. which countermeasures had to be circumvented to achieve the hack.
You use a browser that is materially more insecure. You shill it as more secure here based on a metric (absolute number of security issues) that is flawed and tells you nothing of importance. My question would be: Why?
This vulnerability is a very serious “zero-die attack” security hole.
Type Confusion in V8″ vulnerability caused by an issue with the JavaScript engine “V8” of the platform “Chromium”, which can lead to arbitrary code execution.
Google confirmed that an exploit against “CVE-2022-1364” exists in the wild.
The “Chromium” based web browser has released (Three cases) emergency updates in quick succession due to the discovery of a series of zero-day vulnerabilities. Naturally, other Chromium-based web browsers also manifest “this incident”, so the use of browsers (such as Opera) to which Chromium “Ver.100.0.4896.127” has not been applied, should be discontinued.
Other Chromium-based web browsers,
https://www.ghacks.net/2022/04/16/vivaldi-and-microsoft-patch-0-day-vulnerability-in-their-browsers/
such as Brave, Microsoft Edge, and Vivaldi have released emergency fixes version (includes fix for CVE-2022-1364).
Opera, a puppet brand of a Chinese company (under the watchful eye of the Chinese government), Left abandoned as usual (perhaps to will be used as a propaganda bot).
Snowden, who exposed the “NSA misconduct,” confessed that the NSA “requested Google (and Microsoft and Apple) to put backdoors in their product programs as state secrets”, and the whole world been already under NSA surveillance.
Microsoft and Apple have acknowledged this fact and admitted their disapproval, saying they will not cooperate with the NSA in the future, but Google remains silent.
This is just my speculation:
I feel that backdoor codes, which are probably hidden and planted in a wide variety of ways, are being discovered and exploited by hackers and others.
Google’s close relationship with the NSA is an open secret. In other words, any program involving Google will never, ever be a clean program, and will continue to have the fate of a “dark program” attached to it, because the NSA’s wishes are given priority.
This is also convenient for Russia and China, which are practically despotic regimes (surveillance states), and Chromium (with backdoors) is probably being used (Russia: Yandex Browser, China: Opera).
In particular, Opera is reluctant to release security patch versions (delaying them as long as possible).
“Propaganda”, a form of information manipulation by despotism autocracy, is a wild discourse that induces people and citizens to think and act in a particular way, but it is easily and effectively spread.
The True Purpose of Propaganda – Rob Henderson’s Newsletter
https://robkhenderson.substack.com/p/the-true-purpose-of-propaganda
Although many citizens are aware that propaganda is false information, the very situation that “the state-run broadcaster continues to broadcast news programs at the same time every day” paralyzes citizens’ sense of caution (distrust) toward propaganda and leads them to demonstrate the extent of the power of state power.
Propaganda-as-signaling.pdf
https://www.almendron.com/tribuna/wp-content/uploads/2020/03/propaganda-as-signaling.pdf
By showing citizens the extent of the power of governments and rulers, it is possible to discourage anti-government behavior even when citizens realize that the government discourse is bullshit. In addition, government dissemination of information can help define “government-approved information” and discourage information that contradicts it.
If a regime engages its citizens in a major absurdity, they are less likely to oppose the regime and more likely to follow it. In other words, regardless of whether citizens believe the propaganda or not, the mere fact that the propaganda can be spread widely is enough to make citizens follow it.
Acting “As If”: Symbolic Politics and Social Control in Syria | Comparative Studies in Society and History | Cambridge Core
https://www.cambridge.org/core/journals/comparative-studies-in-society-and-history/article/abs/acting-as-if-symbolic-politics-and-social-control-in-syria/5441CE10BF55B6D1475D2863C3B4B84F
@Martin Brinkmann
Slightly OT: There is soon going to be a new Chromium-based browser called Hexavalent, which claims to be security and privacy focused: https://hexavalent.org/ https://github.com/Hexavalent-Browser/Hexavalent
Perhaps you could cover this development at some point.
good news, thanks!
@Iron Heart
LOL another marketing scheme in the name of ‘privacy’ the fantasy and lie of the internet? let me guess, they will get search deals or add crypto or some pyramid like scheme to get money in the name of the hoax called internet privacy?
It’s actually like a bad April fools’ joke at this point… are you sure is even real or the developers are just braindead?
I mean, you don’t need to do much, only need to find the name in one of those lame ‘health’ websites from governments that barely tell you anything important, in the case of Hexavalent they do, because it is a known real thing.
But they will all agree about: ‘known to cause cancer’ and bad for respiratory system, kidneys, liver, eyes and skin, etc.
So… well, sounds like an amazing name to have in your browser, no?
Maybe it is their little hidden message to already tell us they will be cancer just like most browser companies are? or somehow they are in the humanitarian plan of making us aware of something everyone should know about?
Anyway, all I know is it will suck, and they will not protect any privacy like no browser does and like no browser can’t, you can literally block every IP of Google or Microsoft (and then, the own respective connections like Vivaldi, Brave, Yandex Opera own IPs) from any browser with a Firewall… 10 Firewalls, hardware and software and adblockers, and even if you ‘don’t send information’ to any of them… what do you think will happen? You will send information to someone, to every website you visit, your ISP, the fraud VPN company will know everything about you, the DNS resolver too, the websites analytics… so, do you think the Gov Agencies will stop because you are using a nobody’s browser with such an ‘interesting’ name? Do you think you will not get spied on only because (backdoored) encryptions and false ‘privacy’ or ‘security’ marketing schemes?
I mean, you always talk about Brave and how amazing it is, and they couldn’t even do a simple thing, don’t censor like you promise you wouldn’t do… They literally censored RT from their news sources and they said Goggles will probably make censorship worst in some countries and if they get a order from governments to do anything they will do it because it is better to avoid getting in trouble than getting removed from Apple or Google store or anything like that.
If they aren’t going to do what the promised, what will make you think ‘Hexavalent-Browser’ with so many stupid things already done by them without even having 1 download release in place because of being ‘at very development stage’ will change anything? At least for now, doing a quick search, it seems the developers are not political in their twitter accounts or anything so there is a little hope about they are not going to be annoying but thinking they will fix the internet and fix privacy is kind of an oxymoron.
I still can’t believe they chose that name though, just awkward.
But seriously, people should stop using words like security and privacy in the same sentence as browser and internet. it is time to stop that for real. It is not a real thing, that’s all I hoped people would get by now.
@Lenin’s Signature
> LOL another marketing scheme in the name of ‘privacy’ the fantasy and lie of the internet?
What is a “lie” and a “fantasy” depends on your expectations, I would say. If you expect to be anonymous from a government specifically targeting you, then yes, perhaps privacy is a lie then for you (although not impossible, I would think, just extremely hard to achieve). If your expectation is to make general mass surveillance via e.g. tracking by advertisers harder, then no, privacy is probably not a “fantasy” or a “lie” then. We do know that various contemporary countermeasures are effective against passive tracking efforts by non-state level adversaries.
I am not the type of person that throws the hands up in the air and totally gives up because I don’t have anonymity from state-level entities. I firmly believe in small, incremental steps of privacy protection, that is, protect your privacy where you can and where you think it necessary. Will this lead to you becoming Mr. Anonymous? No, but it reduces the amount of data theft certain entities can commit against me and thus the amount of money they can potentially earn off of my data. If everyone was doing what I am doing to protect my privacy (without loss of quality of life, mind you!), the data slurping moloch would quickly dry up considerably.
Relatively easy steps to improve your privacy include using a privacy-respecting web browser, a privacy-respecting search engine, an encrypted E-Mail service, degoogled custom ROM, forego smart home devices or assistants like Amazon Alexa etc. None of this leads to you being anonymous if the government specifically targets you, but making passive surveillance on your harder is still worthwhile.
> Maybe it is their little hidden message to already tell us they will be cancer just like most browser companies are? or somehow they are in the humanitarian plan of making us aware of something everyone should know about?
I think you are reading too much into a project name that is still in flux.
> you can literally block every IP of Google or Microsoft (and then, the own respective connections like Vivaldi, Brave, Yandex Opera own IPs) from any browser with a Firewall… 10 Firewalls, hardware and software and adblockers, and even if you ‘don’t send information’ to any of them… what do you think will happen? You will send information to someone, to every website you visit, your ISP, the fraud VPN company will know everything about you, the DNS resolver too, the websites analytics…
How about not using Google or Microsoft products? Or in case of Google, since they usually open source their products, how about using degoogled versions of them? There is no need to set up long ass lists of firewall rules if nothing is getting sent in the first place. There are products like Ungoogled Chromium, or /e/ OS or GrapheneOS that don’t send anything to Google even though they are otherwise using Google’s code underneath. Adblockers are effective because website admins usually don’t deploy their own specifically crafted tracking scripts for each and every website, instead, it is usually a more limited range of scripts that is getting deployed en masse on various websites. A notorious one you have surely heard of is Google Analytics, for example. If you block these scripts with an adblocker, you have already found a solution for a broad range of website. There still remains a possibility of first party tracking (or third party tracking that is more limited in scope, like scripts of lesser known ad and tracking networks not as broadly deployed as e.g. Google), but for this, we do have a second line of defenses like anti-fingerprinting measures, partitioning of local data, messing with HSTS and HPKP tracking etc.
Your point regarding one’s ISP is valid, here is depends on the legal situation of your country. What does your ISP need to collect if it doesn’t collect these things voluntarily (privacy policy!)? If your ISP collects a bunch of stuff, voluntarily or forcibly, then you need to take a look at other jurisdictions and their rules, perhaps a VPN legally registered elsewhere has better rules and you have thus improved your privacy vs. relying on your ISP. Also look at important other things with your VPN, like publicly known owners, the VPN having undergone audits, the VPN apps being open source etc.
> so, do you think the Gov Agencies will stop because you are using a nobody’s browser with such an ‘interesting’ name? Do you think you will not get spied on only because (backdoored) encryptions and false ‘privacy’ or ‘security’ marketing schemes?
No, I don’t think Hexavalent is meant to protect you from a government specifically targeting you. If you are being specifically targeted by the government, you would have to think about things like Tor or Tails / Qubes OS most likely. This is not a threat to most of us here though, we don’t need anonymity from our government because we are neither criminals nor whistleblowers. Our concern here generally lies with entities that are less capable than a government specifically targeting you, our concern lies with the data we passively provide to mostly private entities like Google, Facebook etc.
And all encryption being backdoored? No, I don’t think so. Sure, some archaic protocols have been permanently broken, but use of those is being discouraged now. If the government would generally be able to break into all current encryption mechanisms they would not make a big deal out of outlawing (or discouraging) encryption. If it was all backdoored already such talk would not be necessary. Further, we would have to assume that even though the government has supposedly already backdoored everything (and has presumably already caught their targets that way), we never hear of them having successfully done it for various protocols, from anyone, including those they caught. How likely do you think this is?
Governments around the world seem to be highly interested in either outlawing (or at least discouraging) encryption OR in getting access to master keys that equalize or outrank your private keys. If a closed system has master keys, then it is indeed backdoored, but this has nothing to do with the encryption mechanism itself being broken into. It just means that a nasty entity created master keys that are not strictly necessary for encryption to work.
> I mean, you always talk about Brave and how amazing it is
No, I am just saying that it works FOR ME. I strongly believe in their approach of the browser coming preconfigured which is bound to make fingerprinting users harder, it’s the same reason why I discourage using Firefox along with the “hardening approach”. I also think Brave strikes a good balance between security (FF is lacking there, too), privacy, performance, and web compatibility. But so do other browsers like e.g. Bromite. Brave is a solid choice but I don’t advertise it, I am just saying that it works for me and why.
> They literally censored RT from their news sources and they said Goggles will probably make censorship worst in some countries and if they get a order from governments to do anything they will do it because it is better to avoid getting in trouble than getting removed from Apple or Google store or anything like that.
You do know that the EU has decided to take legal action against all forms of RT broadcast, right? If you are doing business there, you would have to remove it, and I am probably sure that being part of the Brave News sources counted as “broadcast”. Brave had no other choice than to remove it. Well, perhaps there was another choice, that is, going to court over the right of another company to be broadcast, but you do know what this would have meant for Brave in today’s climate, don’t you? They figured that going down the second route is not worth it, not least because you, the user, can add whatever source you like to Brave News, including adding back RT if you so wish. It is just no longer part of the default sources due to legal reasons.
While Brave removed RT in order to protect their company in the public sphere, I would at least argue that there was a real damocles sword over it: they would have faced legal action if they didn’t. Compare this to Mozilla, they were posting an article with the headline that “deplatforming was not enough” after the January 6th incident at the Capitol, where they publicly supported wide-ranging censorship of the web. And no, contrary to Brave, there were no legal reasons for this step, they did it because their ideology demanded as much from them. I am not defending any kind of censorship, including that of Brave, but I would still use the browser that removes something because of legal pressure over the browser that would apply censorship voluntarily.
You could also use hobby projects such as Ungoogled Chromium that will never face such troubles as Brave because they will never include something like Brave News to begin with, but using hobby projects comes with its own set of issues, delayed security updates and such, not sure if it’s worth it just to make a statement here.
Just my 2 cents, hope this comment was worthwhile to read.
You are correct. Security is hard and there are no magic approaches or magic bullets for software security. The only advances have come from new hardware methods/features/architecture that software can use, and all developers with sufficient knowledge can take advantage of. Google, all the big outfits have the knowledge, and security is still hard. Everybody is in the same boat waiting for advanced architectures that will be able to gatekeep, isolate and control the mutability of everything. And once that day arrives, everyone will be tossing their old machines.
Thank you, will take a look!
Stop using Chrome,they’re the worst browser for your privacy anyway.
chromium is the new adobe, worse than flash
@henri
Hm, what do “browsers” and “Adobe Flash” have in common? Both are web-facing! And whatever is web-facing is a comparatively easy entry point into your system, hence the interest in hacking these. I bet Adobe Flash was no more or less insecure than other software of its day, it just happened to be out there, being used on the web and was thus an attractive target.
Plus, you are kidding yourself if you think that any other modern browser is more secure than Chromium. Firefox’s spaghetti code that has been playing catchup with Chromium for the past few years, sure isn’t. I guarantee you that.
Hmm, nope.