Chrome and Chromium updated after yet another exploit is found in browser's V8 JavaScript engine

General discussion about Slimjet, or other issues related to web browser in general.
Post Reply
User avatar
AJ North
Posts: 39
Joined: Thu Nov 05, 2020 3:52 pm

Chrome and Chromium updated after yet another exploit is found in browser's V8 JavaScript engine

Post by AJ North »

Chrome and Chromium updated after yet another exploit is found in browser's V8 JavaScript engine
JS component seems to be focus of researchers and miscreants alike

The Register (UK) - Wed 14 Apr 2021

Google has announced new updates to Chrome 89 following the discovery of yet another live exploit for a vulnerability in the V8 JavaScript engine.

One of the flaws affects V8, which in January was found to suffer from a heap overflow bug severe enough to prompt a round of updates. This time round the V8 vulnerability is accompanied by a use-after-free vuln in Chrome's rendering engine Blink.

The Blink vuln was discovered during the Zero Day Initiative's Pwn2Own competition last week. No proof-of-concept code has yet been released by legitimate sources, though a very short gif of it in action was published on Twitter by bug hunters Dataflow Security.

Nonetheless, Google warned in its update notes for the new browser version, 89.0.4389.128, that exploits for CVE-20201-21206 (Blink) and CVE-2021-21220 (V8) "exist in the wild." It is also common for increasingly advanced criminals to reverse-engineer patches to figure out what they protect against, as vividly highlighted by SAP last week. Having done so, crims then rush out to target unpatched deployments.

Both CVEs were said by Google to be "high" severity, though scoring details and schema were not given. The V8 vuln, explained only as "insufficient validation of untrusted input in V8 for x86_64," is noteworthy because it seems to be an increasing focus for researchers and malicious folk alike; back in January a Chrome update was prompted after live exploits were seen in the wild for a V8 heap corruption vuln.


Article continues at:
https://www[dot]theregister[dot]com/2021/04/14/chrome_chromium_updates_v8_cve_javascript/

User avatar
oftentired
Posts: 1691
Joined: Tue May 13, 2014 3:14 am

Re: Chrome and Chromium updated after yet another exploit is found in browser's V8 JavaScript engine

Post by oftentired »

There will always be, another way to exploit browser code.
For those of you who wear aluminum foil hats, the voices lie, don't believe them!

32 Bit SJ on Win 11

User avatar
AJ North
Posts: 39
Joined: Thu Nov 05, 2020 3:52 pm

Re: Chrome and Chromium updated after yet another exploit is found in browser's V8 JavaScript engine

Post by AJ North »

True enough.

The Black Hats are legion and they never rest — whether clever hobbyists too young to drive who are drawn to the Dark Side, employees of foreign intelligence services, or out-and-out criminal enterprises directly monetizing their efforts.

However, when companies such as Google or Mitre, or organizations such as CISA, DHS or SANS send up a red flare, personally, I sit up and take notice.

While the features and eye candy of various apps (browsers in particular) may be the most important considerations for some, others are far more concerned with security, privacy, and stability.

Heck, last week some boffins at Vrije Universiteit in Amsterdam and ETH in Zurich published a proof-of-concept for successfully attacking Firefox via JavaScript to effect a "Rowhammer" side-channel attack (dubbed "SMASH") that bypasses all current hardware security (it took them fifteen minutes). Of course, this isn't going to cause a lot of sleepless nights amongst CIOs (yet), but it is a harbinger of things to come (for a number of reasons), and further amplifies your reply, above.

The bottom line is that we are in an endless — and continually escalating — information war, and folks have got to adjust their behavior with computers accordingly.

As with teaching people the basics of how to avoid becoming infected with SARS-CoV-2, those using computers have got to made aware of basic Internet security ("hygiene") — and best practices, that is to think before they act (fans of Old Time Radio may recall the classic line, "Don't open that door, McGee."). We're not in Kansas anymore (and the sky is darkening...).

Post Reply