Chrome 0day is being exploited now for CVE-2022-1096; update immediately

265 points | gargarplex | 3 years ago | forbes.com

145 comments

ainar-g|3 years ago

Looks like these are the two commits, based on the issue number:

https://github.com/v8/v8/commit/0981e91a4f8692af337e2588562a...

https://github.com/v8/v8/commit/a2cae2180a7a6d64ccdede44d730...

Although there could be others.

menomatter|3 years ago

From those commits, would you say this is an RCE vulnerability taking advantage of memory/stack callbacks? Does this mean an attacker may exploit this vulnerability to compromise an entire system?

emerged|3 years ago

Interesting, I’ve never seen the “maybe_db” style of variable naming. Makes sense but looks weird.

tommiegannert|3 years ago

Looks like 99.0.4844.84 is the release we want.

https://chromereleases.googleblog.com/2022/03/stable-channel...

rikroots|3 years ago

Release 99.0.4844.84 has borked my JS canvas library. Currently working on a fix - it was my misunderstanding of the purpose of the Canvas API willReadFrequently flag that left the library open to a severe speed degradation.

In my defence, the documentation implies that the willReadFrequently flag is only a hint to the browser to take a different approach when performing getImageData() operations[1]. However, setting the flag to true also impacts drawImage() functionality[2].

I tried reporting the issue as a bug last night - at the very least the issue needs to be documented - but the form for reporting issues kept collapsing on me so I gave up.

[1] - https://developer.mozilla.org/en-US/docs/Web/API/HTMLCanvasE...

[2] - minimum demo of issue - https://codepen.io/kaliedarik/pen/bGaqMVj

techolic|3 years ago

I just upgraded to this and noticed the Reading List has changed design again! They must have gone back and forth thousands of times on this so hopefully this is the final version.

metadat|3 years ago

It's definitely not yet out for Android.

On my device the version is stuck at: 99.0.4844.73

_Nat_|3 years ago

> Not much is known, at least publicly, at this stage about CVE-2022-1096 other than it is a "Type Confusion in V8." This refers to the JavaScript engine employed by Chrome.

Is there a safer JavaScript engine folks can use without having to worry about this sorta thing? Even if it's slower, less compatible, more resource-intensive, etc.?

I feel like, in most cases, I could make do with JavaScript being 10x or even 100x slower, taking up 10x the RAM, lacking some uncommon features, and so forth -- if it meant being able to enable it without needing to worry about new zero-days.

meibo|3 years ago

What you're asking for will probably put you more at risk than V8 does:

1) JavaScript engines with any kind of usable performance are inherently complex

2) V8 is hardened, battle-tested and fuzzed/verified by the best engineers at Google and independently by third-party researchers, since inception - the engine you will be using probably won't be

All of this is really a side-effect of Chrome's popularity and Google's resources, even the CVE itself. You would be relying on security by obscurity (in which obscurity = no big userbase = not a high-value target). Have a look at payouts for RCE-capable V8 bugs.

gruez|3 years ago

>Is there a safer JavaScript engine folks can use without having to worry about this sorta thing? Even if it's slower, less compatible, more resource-intensive, etc.?

You can disable JIT in Firefox[1], which makes it fall back to an interpreter. That should theoretically make it safer as there are fewer optimizations going on and less generated code being directly executed by the CPU.

[1] https://github.com/arkenfox/user.js/blob/b4225baaf2f8d15f856...

azornathogron|3 years ago

If you're worried about browser vulnerabilities in the javascript engine, have you considered disabling javascript by default and enabling it per-site on just the sites that you trust?

kerng|3 years ago

Microsoft added some mitigations to Edge a few months ago as defense in depth - wondering now if this is actually exploitable on Edge or if their mitigations prevent it? Any Microsoft/Edge security people on here?

Update: found the original blog from Microsoft, they call it Super Duper Secure Mode: https://microsoftedge.github.io/edgevr/posts/Super-Duper-Sec...

Ourgon|3 years ago

> I feel like, in most cases, I could make do with JavaScript being 10x or even 100x slower, taking up 10x the RAM, lacking some uncommon features, and so forth -- if it meant being able to enable it without needing to worry about new zero-days.

Not on the "modern web" you wouldn't; even with the current speedy versions of V8 and ${whatever}monkey now used by Firefox, the thing is often brought to a crawl by the deluge of Javascript. Imagine your current browser, only 100 times slower and 10 times more memory-hungry.

Nope, the solution lies in getting rid of most of the Javascript on most pages. uBlock and uMatrix can help a bit but the real solution lies with web developers. If and when that goal is achieved it would be possible to browse the web using a slow-but-'safe' browser. Some pages (e.g. SPAs) really depend on all that Javascript and as such won't be usable without 'modern' JS engines, but there is no reason for e.g. your bank or payment processor's pages to depend on near-native speed Javascript engines.

charcircuit|3 years ago

Don't forget that there is a sandbox. Even if there is a vulnerability with V8 you need to pair it with a vulnerability with the sandbox to exploit the system.

azornathogron|3 years ago

There are certainly other javascript implementations. For example, here's one I stumbled upon recently that's written in plain Go: https://github.com/dop251/goja

Of course, it won't help you since it's not built into a web browser.

svenfaw|3 years ago

For Windows, IE11/Trident. This may sound ridiculous, but if you think about it, it's still maintained security-wise (and will be forever, as per MS), and since its codebase was frozen a few years ago, its attack surface can only shrink with time.

So if you're OK with the limited compatibility, it might be worth considering.

lcall|3 years ago

I like that in chrome one can turn off javascript and images by default, then re-enable it for select sites only, or leave a tab open to re-enable it temporarily only.

paxys|3 years ago

You are making the assumption that an engine with fewer optimizations that runs slower will be safer by default, but I fail to see the connection between the two.

mdb31|3 years ago

Chromium-based versions of Microsoft Edge are also vulnerable: updating to 99.0.1150.55 fixes this CVE.

gruez|3 years ago

Is there a site/service/mailing list that provides notifications for critical/RCE/in-the-wild exploit patches? Keeping every piece of software you run up-to-date takes a lot of work, and something like that would help with knowing what to prioritize.

lcall|3 years ago

I subscribe to debian and openbsd security advisory email lists, which works for me generally to know what is going on in the space(s) I care more about:

https://lists.debian.org/debian-security-announce/ (this one covers security updates to many packages, but not as much as CVE advisories cover, windows, etc)

https://www.debian.org/security/

https://www.openbsd.org/mail.html (ctrl-f for security, but unlike the debian ones, this only covers patches to the base OS, not other packages).

But for you of course it would depend on what you run and what matters to you.

newman555|3 years ago

funny enough, was asking myself the same question yesterday after 5 minutes of googling didn't get me anywhere. I see a recommendation mentioned below, but as I also saw, hard to find something where you can control signal to noise ratio

fn-mote|3 years ago

I use snap for some applications in spite of the trouble it has caused me. I was super-happy to find out that it had upgraded me to a not-vulnerable version of chromium before I even knew to look.

For all of the (deserved) hate snap gets, there are some shining upsides.

the_common_man|3 years ago

I use apt and it didn't update to this vulnerable version in the first place, so there's that.

nathants|3 years ago

securing a machine that is updated regularly and runs untrusted code is not realistic, monitoring network exfil is.

an exploit that cannot communicate is likely benign and easy to detect in the attempt.

monitor all outbound network connections with a gui prompt that defaults to deny. whitelist trusted domains/ip for a better experience and a bit less security.

macos has littlesnitch[1], linux has opensnitch[2], or roll your own on libnetfilterqueue[3].

bonus points if the filtering happens upstream at a router or wireguard host so a compromised machine cannot easily disable filtering.

bonus points if the filtering is at executable level granularity instead of system level.

1. https://www.obdev.at/products/littlesnitch/index.html

2. https://github.com/evilsocket/opensnitch

3. https://github.com/nathants/tinysnitch
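One way to express the default-deny, executable-granular outbound allowlist the comment above describes, as an added example (not code from littlesnitch, opensnitch or tinysnitch); the executable paths, hosts and connection attempts are constructed for illustration:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Attempt:
    exe: str   # process image path (executable-level granularity)
    dest: str  # destination domain or IPv4 literal
    port: int

# Allowlist keyed by executable; the "*" key holds system-level rules that
# apply to every process. Paths and hosts are constructed for this example.
ALLOWLIST = {
    "/usr/bin/chromium": {"dl.google.com:443", "*.example.org:443"},
    "/usr/bin/apt": {"deb.debian.org:80", "deb.debian.org:443"},
    "*": {"10.0.0.0/8:53"},
}

def _match_host(pattern, host):
    """pattern is an exact domain, a '*.' wildcard domain or an IPv4 CIDR."""
    if "/" in pattern:
        try:
            return ip_address(host) in ip_network(pattern, strict=False)
        except ValueError:  # host is a domain name, not an address
            return False
    if pattern.startswith("*."):
        return host.lower().endswith(pattern[1:].lower())
    return host.lower() == pattern.lower()

def _rule_allows(rule, attempt):
    host, _, port = rule.rpartition(":")  # "host:port"; IPv6 literals not handled
    return int(port) == attempt.port and _match_host(host, attempt.dest)

def decide(attempt, allowlist=ALLOWLIST):
    """'allow' if a per-executable or system-level rule matches, else the
    default 'deny' (the case a GUI prompt would surface to the user)."""
    rules = allowlist.get(attempt.exe, set()) | allowlist.get("*", set())
    return "allow" if any(_rule_allows(r, attempt) for r in rules) else "deny"

def audit(attempts, allowlist=ALLOWLIST):
    """Return the denied attempts: the list to review for possible exfil."""
    return [a for a in attempts if decide(a, allowlist) == "deny"]

# Constructed sample attempts; only the last two should be denied.
SAMPLE = [
    Attempt("/usr/bin/apt", "deb.debian.org", 443),
    Attempt("/usr/bin/chromium", "10.0.0.53", 53),
    Attempt("/usr/bin/chromium", "cdn.example.org", 443),
    Attempt("/usr/bin/chromium", "203.0.113.7", 443),
    Attempt("/usr/bin/apt", "dl.google.com", 443),
]
```

The last sample shows why executable-level rules matter: the same host is allowed for the browser but denied for apt, which a system-level allowlist could not distinguish.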

figglestar|3 years ago

> monitor all outbound network connections with a gui prompt that defaults to deny. whitelist trusted domains/ip for a better experience and a bit less security.

> bonus points if the filtering happens upstream at a router or wireguard host so a compromised machine cannot easily disable filtering.

Is it possible to combine these two with open/tinysnitch somehow? It'd be nice to easily build a whitelist but with the way Windows works I couldn't trust any firewall that was running on Windows itself.

t3odump|3 years ago

I would like to analyze the issue of browser security without controversy. Can the mitigations that Edge puts into practice (I'm talking about "Super Duper Secure" and "Enhanced Security") prevent the operation of exploits in the V8 engine like this 0-day?

Is this platform dependent, or does the mitigation in progress work well? I mean, for example, is some feature such as ACG available out of the box on Mac and Linux?

This analysis is very interesting because I have only read analyses related to privacy and not about security and integrity. (I mean comparisons between Chrome, Edge, Brave, etc ...)

janci|3 years ago

Is Chrome for Android affected? And V8 in Node.js?

buro9|3 years ago

Type confusion in V8... May well impact Cloudflare workers too.

dknecht|3 years ago

We have already tested and global rollout started earlier today.

stjohnswarts|3 years ago

Yeah, wondering if this is also a 0-day for node.js and electron apps...

ruuda|3 years ago

Type confusion in V8 ... Fortunately I turned off javascript by default since Meltdown/Spectre.

dijit|3 years ago

I did the same. But the web is basically unusable for me now and devs seem unsympathetic.

amelius|3 years ago

Is Electron at risk too?

neoneye2|3 years ago

Visual Studio Code is built with Electron. VSCode has lots of extensions available. Can a VSCode extension exploit this 0day?

scambier|3 years ago

If your Electron app executes third-party, remote code. But if it does, you should definitely not use it.

sysOpOpPERAND|3 years ago

why is chrome having so many updates within the past few months? is it because of coverage? (more users?). i use chrome off and on between that and firefox depending on the site and i am surprised how often i've been reading about issues with chrome.

should i switch browsers all together?

eternityforest|3 years ago

Basically everyone seems to be getting hacked. It's like all the hackers in the world snorted something and have been hacking nonstop all month.

hulitu|3 years ago

Every browser has updates every couple of weeks (without bringing anything new). Quality of SW development has plummeted.

whatev1942|3 years ago

What about Cloudflare? Does this call into question their decision to use V8?

paulpauper|3 years ago

this just goes to show that updates are always 2 or so steps behind. It's a near certainty that governments and top criminal organizations have a trove of exploits for all major programs, and new ones created after old ones get patched.

ptk|3 years ago

I don’t know if you’re joking or not, and I say this as someone who uses Edge as their primary browser, but Edge does not improve the situation you describe. Edge is just a flavor of chromium at this point and absolutely gives Chrome a run for its money in the tracking and telemetry department.

aceBacker|3 years ago

Heh, my corp locks down the Edge updates and bundles them with the OS updates. Edge is going to be vulnerable to this one for months, maybe a year longer than Chrome.

hungryforcodes|3 years ago

Windows 10 is definitely spyware. So migrating to Edge is hardly a solution. Chromium on the other hand...

baq|3 years ago

Just what the doctor ordered in the middle of a war which is also waged in the information space. Hopefully the fact that it’s in v8 will take the exploit a bit longer than usual to proliferate.

octoberfranklin|3 years ago

When the web "standards" are so insanely complicated that even Google can't implement them securely, it's time to admit that we have a problem.

When there is only one other complete implementation of these "standards" (with minuscule market share), it's time to panic.

dclusin|3 years ago

It feels to me like the entire OS security model is broken, and leaving security up to applications, even well-resourced ones like Chrome, is a fool's errand.

Is there any way we could benefit from starting again and building a secure OS from first principles? Isn't this one of Fuchsia's goals?

bawolff|3 years ago

There is no indication yet that this is due to complex web standards. It could be, but we literally don't know what the bug is yet.

kerng|3 years ago

Don't think this has to do with web standards, it's probably JIT related. Google should just turn that off, majority of 0-days seem to be because of that.