Slashdot Mirror

← Back to Stories (view on slashdot.org)

Chrome V8 JavaScript Exploit Leaves All Android Devices Ripe For Attack (hothardware.com)

Posted by timothy on from the trouble-in-your-pocket dept.

MojoKid writes: If you're an Android user that makes heavy use of Google's Chrome web browser (and what Android user doesn't?), you'll want to pay close attention to a new exploit that has the capability of taking your smartphone hostage. The exploit was demonstrated at MobilePwn2Own, which was held at a Tokyo-based PacSec conference. Quihoo 360 security researcher Guang Gong first uncovered the vulnerability, and thankfully, he hasn't publicly revealed detailed specifics on its inner workings. As soon as a phone accessed the website, the JavaScript v8 vulnerability in Chrome was used to install an arbitrary application (in this case a game) without any user interaction, to demonstrate complete control of the phone. Google reportedly has been made well aware of the exploit and will likely act quickly to resolve it.

107 comments

  1. node.js? by Anonymous Coward · · Score: 0

    Do we know if this affects node?

    1. Re: node.js? by Anonymous Coward · · Score: 0, Funny

      I do not use Chrome nor will I ever.

    2. Re: node.js? by Jorl17 · · Score: 1

      node and chrome have nothing to do with each other besides sharing the JS engine.

      --
      Have you heard about SoylentNews?
    3. Re: node.js? by Guy+Harris · · Score: 2, Informative

      node and chrome have nothing to do with each other besides sharing the JS engine.

      node.js uses a JavaScript engine, as it's written in JavaScript. Chrome is a browser that has a JavaScript engine. So they share even less than that.

      So the question is "does running node.js on V8 render it vulnerable?"

    4. Re: node.js? by x0ra · · Score: 1

      Node's JS engine *is* V8.

    5. Re: node.js? by Guy+Harris · · Score: 1

      Node's JS engine *is* V8.

      Meaning "node.js requires some C++ bindings and there are only versions of those bindings for V8" (or "can only be versions of those bindings for V8", as they're dependent on the way V8 works)? (I.e., better phrased as "the only JS engine on which node.js can run is V8".)

    6. Re: node.js? by Anonymous Coward · · Score: 0

      A substantial portion of node.js's code is written in C++ and wraps the v8 javascript engine. It doesnt run on v8 it uses v8 as a library.

    7. Re: node.js? by x0ra · · Score: 1

      All the js code runs (as in compiled / optimized / executed) on V8. Some portion of node are written in C++ (generally the OS interface), though as the JS -> C++ transition is expensive, node implement most of its API in Javascript. To this extend, Node is merely a wrapper around V8.

    8. Re: node.js? by Anonymous Coward · · Score: 0

      No, no, no. Node.js is written in C++. Here, let me show you:

      https://github.com/nodejs/node/tree/master/src

    9. Re: node.js? by Anonymous Coward · · Score: 0

      Node is an integration of V8 and libuv. It's arguably more about libuv than V8 even.

      The libraries are written in JS. But saying the libraries are written in JS so it's written in JS is like saying that Python is written in Python: it's just wrong.

    10. Re: node.js? by Guy+Harris · · Score: 1

      So the project is named after the one and only JavaScript file in the project? And its relationship to JavaScript is similar to the relationship between a program with an embedded Lua interpreter and Lua?

    11. Re: node.js? by x0ra · · Score: 1

      I fail to see your comment relevance ? Many comments in this thread fail to realize that V8 is the foundation of node...

    12. Re: node.js? by x0ra · · Score: 1

      .*and* in javascript... https://github.com/nodejs/node...

    13. Re:node.js? by niftymitch · · Score: 1

      Do we know if this affects node?

      You have to feed your node server a polluted pile of js and that
      requires the site to be compromised. So yes but....

      For some reason Google just upgraded Chrome.....
      I wonder if it is related...

      Always load two browsers on your device and save one for the days when
      the other is "ill". You got to be on Edge to understand this...

      --
      Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
    14. Re: node.js? by Anonymous Coward · · Score: 0

      Many comments in this thread fail to realize that V8 is the foundation of node...

      Try not to get sucked in by pedantic trolls. They are either trying to derail discussion of the actual issue or they don't have any insightful comment on the topic but desperately want to say something.

    15. Re: node.js? by Anonymous Coward · · Score: 0

      Meaning "node.js requires some C++ bindings and there are only versions of those bindings for V8"

      Yes just like "Android" requires some C++ bindings and there are only versions of those bindings for Linux. Your question is as moronic as rephrasing questions about Android kernel vulnerabilities to "does Android running on a Linux kernel render it vulnerable". So can you genuinely not understand what he means or are you just pretending to not be able to?

  2. repost by wbr1 · · Score: 4, Informative

    http://slashdot.org/story/15/1...

    --
    Silence is a state of mime.
  3. Chrome non user by __aagigi1968 · · Score: 0, Insightful

    To answer your first question about android users and chrome,well I don't use it at all,I don't like it,and Google already steal enough data about me,so I don't use chrome browser...

    1. Re:Chrome non user by Anonymous Coward · · Score: 0

      Ditto!

    2. Re:Chrome non user by Beardo+the+Bearded · · Score: 2, Insightful

      I use Firefox on my phone.

      --

      ---
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
    3. Re:Chrome non user by Anonymous Coward · · Score: 0

      Yeah, seriously. I'm really pleased with Firefox for Android and NoScript and uBlock Origin work great. Naked Browser is lightning fast and well done; if you use some other adblocker/firewall I'd recommend checking it out--bonus that the developer seems like a cool guy. Pale Moon also has an Android browser but I haven't looked into how it differs from Firefox yet, and really Mozilla did a nice job with their mobile browser, but maybe it's worth mentioning if you already use Pale Moon on the desktop. I would think PM would have implemented the old FireFox Sync (the one where you can sync to your own servers) in their mobile browser too, so that could be a reason to use it.

      A few years ago "Opera Classic" for Android (or whatever the final rename was before it was deprecated and removed; I think it also went by Opera Mobile--I'm not talking about the separate Opera Mini) was a really fantastic mobile browser. Really, Opera had great browsers on flip phones, smart phones and desktops. I'm not too keen on closed-source browsers anymore so I doubt I'll ever seriously use the new line of Opera or Vivaldi browsers, but if someone is interested in studying software design, Opera really was on top of the game for years. Feature-rich (and they were the first to implement and polish many of them, not just copying from others) and very usable. Chrome (on any platform) is a joke compared to what Opera was.

    4. Re:Chrome non user by KGIII · · Score: 1

      Ask and ye shall receive...

      Source code for Opera's various browsers!

      Tada! It's open source but not truly open licensing - permissive licensed, to some extent. You can review, poke, and change it all you want. You may not redistribute it with their proprietary bits - if I've read the licensing agreement properly.

      --
      "So long and thanks for all the fish."
    5. Re:Chrome non user by Anonymous Coward · · Score: 0

      Cool, thanks!

    6. Re:Chrome non user by KGIII · · Score: 1

      S'not a problem. I'm not really a zealot or anything but I much prefer Opera. I've been using Opera since the days when we had to pay for it. I used Firefox for a while, when they first came out, and that was okay. Opera kind of took a nosedive when they first converted their code base to the current incarnation but it's improved and is very nice now. I spend some time on their forums and have known some of the devs for ages now.

      The cool thing is, and yes - I've run wireshark, they've stripped out any of the privacy invading stuff from Google. They have and are working on some sync features - no complaints so far but I do have some improvements for them to consider. It is pretty light and rather stable. The Linux versions now use the PPA system for updates if you want. The extension ecosystem is excellent and one can even install Chrome extensions if you want.

      There's no NoScript but there's something even better called uMatrix. uMatix is like an old school software firewall except for your browser. It's a hell of a lot better than what NoScript is - you can do much more with it. There's a small learning curve but it's not steep and it is easy enough to figure out. Give it a shot. I don't like the mobile versions as much but they'll do. I prefer Firefox if I'm stuck using Android but that will change on Monday.

      --
      "So long and thanks for all the fish."
    7. Re:Chrome non user by ne0n · · Score: 1

      You're far from alone, this "all android devices" they mention doesn't include any of mine. Now if mobile Chrome supported a decent adblocker and more search engine choices things might be different.

      --
      $ :(){ :|:& };:
    8. Re:Chrome non user by Z00L00K · · Score: 2

      I do as well, I never got attracted by Chrome, it feels wrong.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    9. Re:Chrome non user by Wootery · · Score: 1

      The new, Chrome-like Opera is actually really good - it's my 'default' Android browser. It does text-wrapping better than any other Android browser I've tried, which is a really obvious feature, but it seems to be the only one that provides it.

    10. Re: Chrome non user by Threni · · Score: 1

      Exactly. Won't use any browser that doesn't let me block JavaScript, trackers and ads. Just not going to happen.

    11. Re:Chrome non user by TheRaven64 · · Score: 2

      Not sure why this is off-topic. I started using Firefox on the phone because it was the first Android browser to offer a sane set of cookie management options (i.e. something beyond 'allow all' or 'block all', though it was restricted to this in the first couple of Android releases for some reason). With the self-destructing cookies plugin, it actually does what I want with respect to privacy. Most importantly though, it avoids a monoculture. Android has a huge market share and the idea of a bug in one browser being able to exploit the vast majority of all mobile phones is terrifying. Unfortunately, as with IE on Windows, enough apps use the Android WebView that there's a good chance that something else will run JavaScript with V8 even if you uninstall Chrome.

      --
      I am TheRaven on Soylent News
    12. Re:Chrome non user by cfalcon · · Score: 1

      I never had a problem paying for a browser. It was a very long time before we had a good open source browser, and Opera for quite some time was way ahead of the pack on security. Firefox chased everyone down, and then Google joined the game, and that mostly pushed Opera out. But Opera's model was as good as proprietary got- a thing that I bought has a much greater chance of doing what I want than something that Microsoft was desperately trying to "monetize".

    13. Re:Chrome non user by KGIII · · Score: 1

      I don't remember the payment process but I think, I'm not sure, that they had a sale at one point where you could buy a lifetime license for $20. I bought like five of them if I recall correctly. (I might have shared one or two with friends/family. We were evil like that, back in the day.)

      I think that one of my favorite features was 'fit to width.' I still seek out scripts and extensions that enable me to do so for a variety of sites. Hmm... One sec...
      http://i.imgur.com/xPZrOQF.png

      That's Slashdot, wide and dark. The 'fit to width' feature was awesome!

      Anyhow, if you're still using Opera then, by all means, try uMatrix.

      --
      "So long and thanks for all the fish."
    14. Re: Chrome non user by GTRacer · · Score: 1

      Does this apply to Chrome on desktop? I use it, and (mu)Matrix to block a majority of scripts and the common ad networks.

      --
      Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
    15. Re:Chrome non user by movdqa · · Score: 1

      Me too. At least it gets updated even if Android doesn't (three of our Android devices are off official support).

  4. Sad by Anonymous Coward · · Score: 0

    We need better languages. We get idiots that say "this won't happen if you use C/C++ right."

    libpng has another buffer overflow too.

    1. Re:Sad by cnettel · · Score: 2, Insightful

      If you use C/C++ right, you do not end up writing a JIT compiler for a language never intended for it. This is a bug in v8. Now, we don't know where, but that's the kind of code that does things no one sane should ever do. It is supposed to take shortcuts and patch things on the fly. It's of course fully possible that this exploit is not in a performance-critical path, and then your comment is rather well placed. But I do think that anyone writing C/C++ in this context is a fool himself. It is for all practical purposes impossible to use C without doing bare pointer addressing. It is highly possible to use C++ without doing it, even though such use is not terribly widespread.

    2. Re:Sad by Anonymous Coward · · Score: 1

      Better languages would be good, but to me it looks like we need better OSs. Since when should a compromised (or intentionally harmful) application be able to install another application? Sure, if the application specifically has permission to do that (Ex: its an app store or installer) and gets user permission, then it should be able to install an application.

      Isn't dealing with this kind of problem (running multiple applications without them from compromising all your stuff) the main purpose of an operating system?

      In short: the OS failed to give chrome enough privilege separation tools (or easy enough ones to use) to correctly separate the risky complex jit code from itself. It also failed to prevent chrome from doing horrible things like randomly installing apps. it also failed to protect users from random apps (honestly on a secure system having some random app installed should not be a real risk!). Oh, there is also the bug in V8 that the story is about, but that's not important.

    3. Re:Sad by Anonymous Coward · · Score: 0

      What, like Rust? For a language that supposedly makes it easy to write "safe" code, Rust's one and only implementation, which itself is written in Rust, is chock full of thousands of open bugs!

      If the people who know Rust the best, its creators, apparently can't write non-buggy Rust code, what the hell makes you think that average programmers will be any better off using it?!

      If we all moved to Rust, all we'd end up doing is using a language that has only one bug-riddled implementation, a pretty dismal syntax, impractical semantics, and just a whole lot of hype surrounding it.

      Moving to Rust is perhaps one of the worst things we could do. We're better off porting our existing C and C++ code, much of which actually is quite well tested, to C++14 and adopting the modern C++ techniques which eliminate many past problems with C and C++.

    4. Re:Sad by Anonymous Coward · · Score: 0

      Chrome has ~55k open issues. GCC seems to have >10k open issues (I can't determine how to get a total). Rust's 2.2k looks pretty small in comparison, but none of those numbers really much.

      Most of those "issues" in rust (all but 13) are not crashes. Only 9 are soundness issues. Many of the others are perf, feature requests and documentation. Some are also issues in external C and C++ libraries they depend on (and thus not Rust code).

    5. Re:Sad by x0ra · · Score: 1

      So Rust code ends up depending on c / c++ code ? This kinda defeat the purpose...

    6. Re: Sad by jhoger · · Score: 2

      Bare pointers! Is there another kind?

    7. Re:Sad by Anonymous Coward · · Score: 1

      Chrome is a much bigger project than Rust is, in terms of scope and code size. I mean, a programming language implementation (JavaScript) is just a small part of Chrome! Of course Chrome will have more bugs; there's far more to Chrome than there is to Rust!

      The same goes for GCC. It isn't just a single programming language implementation like Rust is. It includes front ends for C, C++, Objective-C, Objective-C++, Fortran, Ada, Java, and other languages. Besides, GCC also includes a lot of compiler back end functionality that Rust just uses LLVM for. Of course GCC will have more bugs than Rust; there's far more to GCC than there is to Rust!

      There are two big problems here.

      The first is that one of the selling points of Rust is that it's supposed to avoid bugs. Yet the biggest Rust code base out there is fucking riddled with bugs!

      The second problem is that Rust is comparatively tiny, yet it's full of so many bugs for something so small.

      These problems should make any sensible programmer question all of the claims made about Rust being so safe and secure. The evidence shows that it does not prevent bugs.

      Instead of pointing to other projects that are absolutely massive compared to Rust and crying about "THeY haVE bUgz TOOO!!!#!#@!", you should instead look at Rust and reevaluate your opinion about it.

    8. Re:Sad by Anonymous Coward · · Score: 0

      Exactly. For all the yelling the Rust weenies do about how awful C and C++ are, they sure do depend on them a lot!

    9. Re: Sad by Kjella · · Score: 1

      Using a string class instead of a char* array? Using signals/slots message passing rather than calling otherobject* -> function()? "Bare pointers" means "fiddling directly with memory addresses".

      --
      Live today, because you never know what tomorrow brings
    10. Re: Sad by Anonymous Coward · · Score: 0

      Well, the entire STL library was written to avoid having to manage dynamic memory manually.

      Also, std::unique_ptr, std::shared_ptr, std::weak_ptr, and boost::scoped_ptr (and std::auto_ptr too, I guess) are all non-raw pointers.

      I think you

    11. Re: Sad by Anonymous Coward · · Score: 0

      > I think you

      You wilcome! :)

  5. No Worries Here by Anonymous Coward · · Score: 0

    The only V8 in my system is the V-Fusion Strawberry Banana blend.

  6. Firefox though? by Anonymous Coward · · Score: 2, Insightful

    But... I use Firefox... That addon support was too good to pass up on. Also mostly avoid stuff that uses webview. So I suppose I'm fine?

  7. What Android user doesn't? by Anonymous Coward · · Score: 2, Insightful

    Most of them.

    1. Re: What Android user doesn't? by Anonymous Coward · · Score: 0

      You must be in a echo chamber. The vast majority of android users aren't geeks and wont even care what their default browser is.

    2. Re:What Android user doesn't? by Anonymous Coward · · Score: 0

      Yeah, the browser market share stats totally back up what you're saying.

      16.74% of all browser users use Chrome for Android.

      It's clearly outweighed by the whopping 0.05% of all browser users who use Firefox for Android.

    3. Re:What Android user doesn't? by TheRaven64 · · Score: 1

      I'm slightly surprised at that, as last time I looked a lot of Android users were still on 2.x, which ships with Android Browser, not Chrome. I'm finding it very hard to read that graph as it doesn't provide totals for all versions of each browser, but it looks as if Android Browser still has around 5%, UC for Android (which I'd never heard of) has over 7%, so Chrome at 16% only has a bit more than 50% of the Android market share.

      --
      I am TheRaven on Soylent News
    4. Re: What Android user doesn't? by Anonymous Coward · · Score: 0

      That is not what I meant.

      What I meant is -- and figures bear this out -- the average Android user barely ever uses their web browser at all. They are not 'heavy' Chrome users because they aren't using the browser.

      iPhone users -- they use their browsers.

      Android users? Facebook, whatsapp.

    5. Re:What Android user doesn't? by shellbeach · · Score: 1

      I'm slightly surprised at that, as last time I looked a lot of Android users were still on 2.x, which ships with Android Browser, not Chrome.

      I suspect you haven't looked for a little while. Google's dashboards suggest that only 4% of users are still on 2.x (poor things!):

      http://developer.android.com/a...

      You also probably need to combine the counts of "Chrome for Android" and "Chrome" in those stats the parent posted to get the total chrome market share for Android.

  8. and what Android user doesn't? by Anonymous Coward · · Score: 1

    Me. Chrome can get fucked.

    Firefox all day all night until they go dark side. If they do... Orbot or a full Linux install on the phone with a bazillion options if I really have to use a phone to do major web surfing. Not a concern.

    Linux Deploy / Play Store.

    https://www.youtube.com/watch?v=nBB2bPwKWVg

    1. Re:and what Android user doesn't? by Anonymous Coward · · Score: 0

      Is Opera Mobile vulnerable to this attack? The new versions use the same WebKit engine as Chrome.

    2. Re:and what Android user doesn't? by Anonymous Coward · · Score: 0

      If it's not, it's possible it is vulnerable to something else. Firefox with NoScript disables all javascript unless you explicitly allow a website to run it's scripts.

      ^somewhere in those two sentences is the solution.

      https://addons.mozilla.org/en-US/mobile/addon/noscript/

  9. Firefox by mattcoz · · Score: 2

    Good thing I use Firefox instead of Chrome.

    1. Re:Firefox by x0ra · · Score: 2

      ahem... https://blog.mozilla.org/secur...

    2. Re:Firefox by Anonymous Coward · · Score: 0

      And the point is? That issue was fixed ages ago.

    3. Re:Firefox by Anonymous Coward · · Score: 0

      the point is your initial point has no point!

    4. Re:Firefox by dotancohen · · Score: 2

      Good thing I use Firefox instead of Chrome.

      Good thing I use Windows Phone instead of Android.

      --
      It is dangerous to be right when the government is wrong.
    5. Re:Firefox by Anonymous Coward · · Score: 0

      Good thing I use Crelm toothpaste!

  10. Dolphin by dwywit · · Score: 1

    But not the latest version. Feature bloat.

    Also, I disabled Chrome.

    --
    They sentenced me to twenty years of boredom
    1. Re:Dolphin by Anonymous Coward · · Score: 0

      Dolphin

      I just tried a URL and it gave me an error message about not supporting web pages, but then why should a file manager?

    2. Re:Dolphin by shellbeach · · Score: 1

      Also, I disabled Chrome.

      Uh, yes, but it doesn't work that way. I'm pretty sure that Dolphin uses webview to display webpages on android (I think almost every browser except Firefox and Opera do -- most 3rd party browsers just write a simple GUI wrapper for webview) ... and all versions of Android starting from KitKat include the v8 javascript engine as part of webview:

      https://developer.chrome.com/m...

      More concerningly, if you're using KitKat, webview won't be updated without a system update (it got moved to an APK in lollipop). So that exploit is probably good forever ... :( (For lollipop and above I'd assume that the exploit will get fixed in webview the same time as it gets fixed in chrome.)

  11. Sometimes I get the feeling... by Anonymous Coward · · Score: 0, Flamebait

    That the only people that create these exploits are muslims, in an effort to terrorize us. It wouldn't be the first time they did something awful in order to hurt innocent people.

    Perhaps in order to protect ourselves, we should wall them off, and prevent them from accessing the internet. And burn down all of their libraries and books.

    Maybe we should also sterilize them.

    And when we are done with the muslims, we should go after the next biggest threat to Western Civilization: The Cisgendered Male Heterosexual.

  12. And probably affects MongoDB too... by greenwow · · Score: 0

    since version 3.x switched to V8 from SpiderMonkey.

    1. Re: And probably affects MongoDB too... by Anonymous Coward · · Score: 0

      Looks like the moderators don't care abt MongoDB.

  13. Not all... by x_t0ken_407 · · Score: 1

    "If you're an Android user that makes heavy use of Google's Chrome web browser (and what Android user doesn't?)"

    Uh, this one. Guess I'm lucky I'm an avid Opera fan, heh.

    1. Re:Not all... by Anonymous Coward · · Score: 0

      you didn't get the memo did you?

      opera quit presto, it uses chrome.

      opera mini, according to wiki is the only one still using presto.
      i'm not sure what the new mini uses.

    2. Re:Not all... by Anonymous Coward · · Score: 0

      to follow up with that, if opera uses v8 in everything except mini - you can still expect an exploit for v8 to remain binary incompatible with opera i would assume - but that's not a garantee.

  14. Slashdot editors, get your shit together. by Severus+Snape · · Score: 1

    First off, a repost and now a little analysis of the title. ..JavaScript Exploit Leaves All Android Devices [not all devices have chrome and even then not everyone uses chrome] Ripe For Attack [wrong, exploit is undisclosed and being patched].

  15. Hooray monoculture! by Anonymous Coward · · Score: 1

    Lucky almost every new piece of desktop software across the world is built to run on one of about three browser platforms, and we've got rid of those pesky "extensions" that provided users with implementation alternatives, eh? Only through this level of homogeneity can users achieve safety and not all be exploited at once!

    thankfully, he hasn't publicly revealed detailed specifics on its inner workings

    Thankfully for your sense of security, he hasn't. Bugs like this are so valuable that many people will treat you far better than the "public" for revealing it, surely?

  16. Deja Vu by viperidaenz · · Score: 1

    Didn't I read about this on Friday?

    1. Re:Deja Vu by bongey · · Score: 1

      This is slashdot, you know you didn't actually read the story.

  17. Since you asked... by REggert · · Score: 1

    I'm an Android user that does not use Chrome. I use Opera.

    --

    cp /dev/zero ~/signature.txt

    1. Re:Since you asked... by perlancar · · Score: 1

      Me too. It's much faster and I can open 50+ tabs without problem (well, sometimes, but better than Chrome).

  18. in other words, no fix by frovingslosh · · Score: 3, Informative

    Google reportedly has been made well aware of the exploit and will likely act quickly to resolve it.

    Given the way that Google updates don'r get out to Android users, we can expect Google's resolution to eventually reach 0% of the current users.

    --
    I'm an American. I love this country and the freedoms that we used to have.
    1. Re: in other words, no fix by Anonymous Coward · · Score: 0

      Chrome is in the Play Store so it will get out just fine.

    2. Re: in other words, no fix by MadMaverick9 · · Score: 1

      But not everybody uses "Play" store. Some people use F-Droid for their apk needs.

    3. Re: in other words, no fix by Anonymous Coward · · Score: 0

      Can't use play store without getting goggle-raped. Read the tos and see if you want to bend over.

    4. Re: in other words, no fix by Anonymous Coward · · Score: 0

      I come to Slashdot for my apk needs. He never fails to spew spam and psychobabble across the site.

    5. Re:in other words, no fix by cant_get_a_good_nick · · Score: 2

      OS updates never get pushed. They require effort from both phone manufacturers and carriers, both who have motivation to not bother and encourage new phone purchases.

      Google apps get updated.
      Google Play Services get updated.

      In short, the things that Google can control (their apps, Google play services) actually gets updated. Chrome is an app

    6. Re:in other words, no fix by Anonymous Coward · · Score: 0

      But it the V8 in Chrome part of Chrome or on Android is it considered a system library ? libv8.so ?

  19. I don't use chrome.. by Anonymous Coward · · Score: 0

    Why would I, it's a piece of garbage.
    Dolphin browser is superior in every way.

  20. Last time I used chrome on android... by doug141 · · Score: 1

    it shoved an ad on top of a web page i was trying to read. The ad programmer had some fun with it, it would move around when I tried to scroll, and the dismiss box did not do exactly what I wanted. So I took a few minutes to install firefox and adblock. Then I removed the chrome icon from the special real estate on the home screen and replaced it with firefox, and set firefox to default. Goodbye ads!

  21. Um... by Type44Q · · Score: 1

    and what Android user doesn't

    I run four 3rd-party apps on my CM12.1-equipped S5 (including Waze and Square Register) and a fucking web browser isn't one of them.

  22. Not my Android Devices by Anonymous Coward · · Score: 0

    There is little risk to my Android devices. It isn't hard to disable Chrome in Android, and the app market is big enough that you can disable almost every Google thing about Android except the os itself and still get by. That is one of Android's best strengths.

  23. Android security is awful by Anonymous Coward · · Score: 0

    W E W L A D
    E
    W
    L
    A
    D

    You cucks still use Android and claim to be systems geeks?

  24. Speak for yourself. by MadMaverick9 · · Score: 1

    heavy use of Google's Chrome web browser (and what Android user doesn't?)

    I have had my Samsung tablet for 2+ years now and I have never used Google's Chrome web browser.

    I use Firefox 35.0.1 with Javascript disabled. Works fine.

    But then I don't use Google Play Store either. I use F-Droid.

    Just the name already - "Play" store. Sounds like something for kids.

  25. big assumption by Anonymous Coward · · Score: 0

    > (and what Android user doesn't?)

    Me. Opera Mini with Turbo mode all day erryday

  26. Sad: fat stupid bovine America:a once great nation by Anonymous Coward · · Score: 0

    It also failed to prevent chrome from doing horrible things like randomly installing apps. it also failed to protect users from random apps (honestly on a secure system having some random app installed should not be a real risk!).

    Yes but the majority of Americans - morbidly obese stupid drooling luser cunts who can't RTFM even if it's written in 3rd-grade English - would complain that a truly secure OS would interefere with running random files named CuteCatVideos.exe that the nice unsolicited e-mail sent to them. In fact they will get upset with you if you try to point out that video files don't have an .exe extension. They will complain about that, just as soon as they lick the Cheetos crumbs off of their keyboards. Then they will grab and lift up their mass of belly fat, slide the keyboard tray outwards towards their fat bloated waists, release the fat so that it rests comfortably on the wrist-rest portion of their keyboards, and whine about how everything is too hard because some hell-bound cunt in Marketing sold them on the false idea of effortless everything with no thinking or learning ever required. Then they will go to some other forum and write posts about how they're just unfortunately "big boned" and their shitty diet full of empty-calorie foods and total lack of voluntary exercise has nothing to do with anything, and is in fact a complete and totally unrelated coincidence. Satisfied that nothing is ever actually their own fault or the direct result of their own decision-making, they will double-click on CuteCatVideos.exe and rapidly click through the UAC and anti-virus program dialogs, making sure never to actually read them, feeling annoyed that the video hasn't yet loaded already.

    If you want real security, don't run an OS designed for the dumb masses. Run heavily customized Linux or run OpenBSD or something other than Windows. If you are not among the dumb masses then you will be able to learn how to use it, once, and thereafter you will enjoy a stable, secure, efficient system. Fat stupid emotionally childish American lardasses are unwilling to actually invest any effort into their own experience no matter how much sense it makes. What they want is a dumbed-down appliance to suit their dumbed-down tastes and their overly simplistic wants (that they call "needs"). Anything more sophisticated than that would require rubbing two brain cells together and seeing that Similar Concept A is closely related to Similar Concept B, which is too much to expect of the driving voting general public.

  27. Bigger than Chrome by Anonymous Coward · · Score: 0

    From the scant details I would guess that this affects more than just users of the Chrome for Android browser. The exploit is in v8 (or at least in how Chrome uses v8), which is in both Chromium and Chrome. Since Android 4.4, WebView is based on the same code as Chrome for Android. So I would think any Chromium-based browser for Android or any apps using WebView would be vulnerable.

    Of course, not a lot of information was given so who knows. I have an e-reader and it feels great knowing it's not connected to the internet so I'm not being spied on, tracked, and that no one can remotely hack and break my device (or delete books or otherwise mess with my experience). I actually feel more free and at ease using it. Sigh.

  28. Chrome? by Anonymous Coward · · Score: 0

    If you're an Android user that makes heavy use of Google's Chrome web browser (and what Android user doesn't?)

    All the Android users who installed Firefox and/or Opera on their phones don't. I only have Chrome on my Android devices for testing. I found it far too slow on my Nexus 7 to be usable and I still prefer Firefox on my daily driver phone to anything else.

    This sure seems like a wild assumption that Chrome is used on all Android devices.

  29. use sleipnir by Anonymous Coward · · Score: 0

    http://www.fenrir-inc.com/us/android/apps/sleipnir-mobile.html

  30. I use Opera 12.17 64-bit - not UMatrix by Anonymous Coward · · Score: 0

    See subject & I use hosts: They're not clarityray detectable/blockable like browser addons + hosts use a FRACTION of the memory, cpu, messagepassing overheads of slower usermode browser addons also.

    ---

    MalwareBytes' hpHosts Admin (MalwareBytes employee) hosts & recommends it -> http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus per this VERY recent testing of them all http://www.av-test.org/en/news...

    FREE & not 'souled-out' to advertisers + adds speed, security & reliability & does FAR more w/ FAR less more efficiently vs. redundant browser addons & locally installed DNS servers @ home + fixes DNS' many security issues & it stops a LOT of tracking @ webpage + DNS levels combined too from 1 file you already NATIVELY have - firewalls do the rest (on lesser used IP address based tracking vs. host-domain name type).

    ---

    It obtains data vs. online threats & for adbanner blocking from 10 reputable sites in the security community!

    ---

    It SPEEDS YOU UP 2 ways (adblocking + locally cached in RAM favorites placed @ the TOP of hosts for fastest resolution speed vs. remote DNS also aiding reliability) vs. other "so-called security 'solutions'" SLOWING YOU!

    ---

    It does all that via something you natively have vs. "bolting on browser addons 'MOAR'"!

    ---

    It's safe proven by 57 antivirus programs recently in BOTH its 64-bit model https://www.virustotal.com/en/...

    +

    In its 32-bit model too https://www.virustotal.com/en/...

    So is its installer -> http://f.virscan.org/APKHostsF...

    ---

    * "The premise is quite simple: Take something designed by nature & reprogram it to make it work for the body rather than against it..." - Dr. Alice Krippen: "I am legend".

    APK

    P.S.=> Accept NO substitutes!

    ...apk

  31. Firefox by paolo.redaelli · · Score: 1

    Who don't use Chrome? Me for example and all those who use Firefox because Chrome is proprietary and even in its free-as-in-freedom Base Chromium could spy you recording voices.

  32. Who doesn't? by Anonymous Coward · · Score: 0

    If you're an Android user that makes heavy use of Google's Chrome web browser (and what Android user doesn't?)

    I don't, and I'd guess a significant portion of users also don't. Why would you ever want to use a generic browser on a phone that constantly fails to properly format things so their readable and/or easy to interact with? There's a good reason things like Tapatalk exist.

  33. _complete_ control of the phone ? by Anonymous Coward · · Score: 0

    I game was installed to "demonstrate _complete_ control of the phone"

    So the game has full application permissions to everything ? It can make and receive calls/SMS and record ?