Chrome and Edge browsers both at risk — how to protect yourself now [Update]
Chrome and Edge browsers both at risk — how to protect yourself now [Update]
Updated with Google releasing a fix for this flaw.
Heads up: There'south another serious security flaw in Google Chrome, Microsoft Edge and similar web browsers, with no fix available yet.
The flaw was revealed on Twitter yesterday (April 12) by security researcher Rajvardhan Agarwal, who posted an image of a locally housed spider web page "popping a calculator," i.e. demonstrating remote command of a PC past launching the calculator app.
- Chrome vs. Firefox vs. Border: Which browser gobbles up the virtually RAM?
- Best internet security suites
- Plus: CS: Go could infect your PC with malware — and Valve hasn't fixed it
Merely here to drib a chrome 0day. Yeah yous read that right.https://t.co/sKDKmRYWBP pic.twitter.com/PpVJrVitLRApril 12, 2021
Agarwal linked to a GitHub page from which you lot tin download a proof-of-concept exploit — a benign hack — that y'all tin try at home. Bleeping Figurer replicated the flaw, equally seen in the video beneath, although it didn't piece of work for us for some reason.
In his initial tweet, Agarwal called the vulnerability a "naught-twenty-four hours" flaw, but that's not strictly right as it'southward really the same flaw that two other researchers used to hack into Chrome at the Pwn2Own hacking contest last week.
The flaw lies in the V8 JavaScript engine used by Chrome, Edge, Opera, Brave, Vivaldi and several other browsers, all of which are based on the Chromium open-source browser maintained by Google and all of which are vulnerable to this exploit. Agarwal used recent changes to the public V8 code to reverse-engineer the Pwn2Own exploit.
If you lot use i of these browsers, don't fret just yet. The exploit won't piece of work on its own because Chromium-based browsers are "sandboxed" so that (most) exploits affecting them won't "escape" onto the total Windows, macOS or Linux organization on which the browser is running.
Mobile versions of these browsers are also sandboxed, but there's no evidence that this affects them besides.
Non-Chromium browsers such as Mozilla Firefox or Apple Safari are not affected past this flaw.
How to avoid this nasty hack
To become Agarwal'due south exploit to work, the browser sandbox has to be disabled. You tin can exercise that in Windows by typing the Chrome awarding filepath in a command-line window with the suffix "--no-sandbox". A new Chrome window will open up with no sandbox protections.
Unfortunately, malware can disable the sandbox, too. An attacker could utilise another method to infect your PC, Mac or Linux box, and then the running malware could use Agarwal'due south exploit to disable sandbox and have over your machine.
So brand sure you're using one of the best Windows x antivirus programs or best Mac antivirus programs to prevent infection.
At that place's no official timetable for when the fix for this flaw will exist pushed out to Chrome, Edge and related browsers, only odds are it will be inside the next few days. [See beneath.] Google has pushed out several other emergency updates to Chrome and Chromium in the past few months.
Update: Google patches the flaw
Afterward this story was posted April 13, Google quietly pushed out an update that fixed the V8 flaw and another flaw related to the Blink browser rendering engine. The updated versions of Chrome and Chromium are both 89.0.4389.128.
Brave and Edge both appear to besides accept released updates based on the latest version of Chromium, Brave's version number matching Chromium'due south and Edge going to 89.0.774.76. As of this writing, Opera (75.0.3969.171) and Vivaldi (3.7.2218.52) were both using versions based on previous versions of Chromium.
To update Chrome, Edge or Dauntless, click the settings icon on the top right of the browser window and curlicue down looking for something marked "Near" at or about the bottom of the menu. "About" may as well be hiding in a "Assistance" fly-out menu.
In Opera and Vivaldi, starting time by clicking the browser icon at the summit left of the window, then whorl down to "Help" and click "About" in the fly-out carte du jour.
When you lot select "About," a new tab will open up that volition either tell y'all that your browser is up-to-appointment or that you demand to relaunch the browser to finish installing the update.
Linux users will generally take to run that day's update bundle from their distribution to get the latest version of their browser of choice.
'Insufficient validation'
The V8 flaw found by the Pwn2Own competitors was categorized past Google every bit due to "insufficient validation of untrusted input in V8 for x86_64."
This hints that you can trip up V8 by feeding it JavaScript that it tin can't handle. The didactics-set specification "x86-64" — in other words, 64-bit Intel/AMD chipsets — implies that the flaw may not bear upon 32-bit versions of Chromium browsers or other chipsets, but nosotros really don't know.
The Blink flaw, credited to "Bearding," was characterized simply as a "use after costless in Blink." That ways that it's possible to "reuse" retentiveness freed upwards by Blink to attack Chromium.
Whoever "Anonymous" is, they'll get an unspecified amount of bug-bounty coin from Google.
Sadly (or not) for Bruno Keith and Niklas Baumstark, the finders of the V8 flaw, they're ineligible for a Google problems bounty considering they're already splitting $100,000 in prize money from their Pwn2Own win.
Source: https://www.tomsguide.com/news/chrome-and-edge-both-at-risk-how-to-protect-yourself-now
Posted by: talbothistion.blogspot.com
0 Response to "Chrome and Edge browsers both at risk — how to protect yourself now [Update]"
Post a Comment