Serious Chrome zero-day – Google says update “right this minute” (06 MAR 2019)

[Deozaan]

Details are scarce as it seems Google is withholding information until more people have had a chance to update to a version of Chrome which doesn't have the vulnerability. This is the most specific information I found:

According to the official release notes, this vulnerability involves a memory mismanagement bug in a part of Chrome called FileReader.

That’s a programming tool that makes it easy for web developers to pop up menus and dialogs asking you to choose from a list of local files, for example when you want to pick a file to upload or an attachment to add to your webmail.

When we heard that the vulnerability was connected to FileReader, we assumed that the bug would involve reading from files you weren’t supposed to.

Ironically, however, it looks as though attackers can take much more general control, allowing them to pull off what’s called Remote Code Execution, or RCE.

RCE almost always means a crooks can implant malware without any warnings, dialogs or popups.

Just tricking you into looking at a booby-trapped web page might be enough for crooks to take over your computer remotely.

-https://nakedsecurity.sophos.com/2019/03/06/serious-chrome-zero-day-google-says-update-right-this-minute/

I'm curious if this affects all Chromium-based browsers.

[Stoic Joker]

After reading this article: https://thehackernew...gle-chrome-hack.html

I'd be inclined to err on the side of yes ... As it seems to be baked in at a fairly low - likely to be shared - level.

[hamradio]

For Vivaldi you can do: vivaldi://settings/help

The latest version of Vivaldi which uses Chromium for me shows: 72.0.3626.122

[Deozaan]

For Vivaldi you can do: vivaldi://settings/help

The latest version of Vivaldi which uses Chromium for me shows: 72.0.3626.122

-hamradio (March 07, 2019, 09:53 AM)

Then it sounds like Vivaldi has been patched.

the version you want is 72.0.3626.121 [or newer], released at the start of March 2019.

-https://nakedsecurity.sophos.com/2019/03/06/serious-chrome-zero-day-google-says-update-right-this-minute/

[skwire]

The latest version of Vivaldi which uses Chromium for me shows: 72.0.3626.122

-hamradio (March 07, 2019, 09:53 AM)

Do a manual update from the "Help > Check for Updates..." menu item.  Latest Chromium version is 73.0.3683.67.

[Deozaan]

Manual update tells me I'm on the latest version of Vivaldi (2.3.1440.60), where Help -> About tells me it's using Chrome/72.0.3626.122.

[wraith808]

https://www.donation...=35862.msg428264#new

The original link (posted there) is https://chromereleas...ate-for-desktop.html.  They tell the issue number, but when you try to go there, it's blocked from general view.

And I didn't even think about updating Brave and Vivaldi.  Thanks for the reminder!

[mouser]

Thanks for posting this, I've blogged it so other see it. 

[Deozaan]

https://www.donation...=35862.msg428264#new

-wraith808 (March 07, 2019, 12:12 PM)

Thanks for posting that link. I didn't see it because I've ignored that thread because I rarely find its contents "interesting" to me.

[wraith808]

I ignore it quite a bit also, but happened to catch that one 

[hamradio]

The latest version of Vivaldi which uses Chromium for me shows: 72.0.3626.122

-hamradio (March 07, 2019, 09:53 AM)

Do a manual update from the "Help > Check for Updates..." menu item.  Latest Chromium version is 73.0.3683.67.

-skwire (March 07, 2019, 11:24 AM)

Vivaldi is a little behind in the Chromium versions I just wanted to see if it was above the zero-day version.

As it is why I said what I did and also what deo said later...

For Vivaldi you can do: vivaldi://settings/help

The latest version of Vivaldi which uses Chromium for me shows: 72.0.3626.122

-hamradio (March 07, 2019, 09:53 AM)

Manual update tells me I'm on the latest version of Vivaldi (2.3.1440.60), where Help -> About tells me it's using Chrome/72.0.3626.122.

-Deozaan (March 07, 2019, 11:46 AM)

[mouser]

Article: https://arstechnica....zeroday-in-the-wild/