Chrome V8 JavaScript Exploit Leaves All Android Devices Ripe For Attack (hothardware.com)
MojoKid writes: If you're an Android user that makes heavy use of Google's Chrome web browser (and what Android user doesn't?), you'll want to pay close attention to a new exploit that has the capability of taking your smartphone hostage. The exploit was demonstrated at MobilePwn2Own, which was held at a Tokyo-based PacSec conference. Qihoo 360 security researcher Guang Gong first uncovered the vulnerability, and thankfully, he hasn't publicly revealed detailed specifics on its inner workings. As soon as a phone accessed the website, the JavaScript V8 vulnerability in Chrome was used to install an arbitrary application (in this case a game) without any user interaction, to demonstrate complete control of the phone. Google reportedly has been made well aware of the exploit and will likely act quickly to resolve it.
http://slashdot.org/story/15/1...
Silence is a state of mime.
node and chrome have nothing to do with each other besides sharing the JS engine.
Have you heard about SoylentNews?
But... I use Firefox... That addon support was too good to pass up on. Also mostly avoid stuff that uses webview. So I suppose I'm fine?
Most of them.
If you use C/C++ right, you do not end up writing a JIT compiler for a language never intended for it. This is a bug in v8. Now, we don't know where, but that's the kind of code that does things no one sane should ever do. It is supposed to take shortcuts and patch things on the fly. It's of course fully possible that this exploit is not in a performance-critical path, and then your comment is rather well placed. But I do think that anyone writing C/C++ in this context is a fool himself. It is for all practical purposes impossible to use C without doing bare pointer addressing. It is highly possible to use C++ without doing it, even though such use is not terribly widespread.
node and chrome have nothing to do with each other besides sharing the JS engine.
node.js uses a JavaScript engine, as it's written in JavaScript. Chrome is a browser that has a JavaScript engine. So they share even less than that.
So the question is "does running node.js on V8 render it vulnerable?"
Me. Chrome can get fucked.
Firefox all day all night until they go dark side. If they do... Orbot or a full Linux install on the phone with a bazillion options if I really have to use a phone to do major web surfing. Not a concern.
Linux Deploy / Play Store.
https://www.youtube.com/watch?v=nBB2bPwKWVg
Good thing I use Firefox instead of Chrome.
Better languages would be good, but to me it looks like we need better OSs. Since when should a compromised (or intentionally harmful) application be able to install another application? Sure, if the application specifically has permission to do that (Ex: it's an app store or installer) and gets user permission, then it should be able to install an application.
Isn't dealing with this kind of problem (running multiple applications without them compromising all your stuff) the main purpose of an operating system?
In short: the OS failed to give Chrome enough privilege separation tools (or easy enough ones to use) to correctly separate the risky complex JIT code from itself. It also failed to prevent Chrome from doing horrible things like randomly installing apps. It also failed to protect users from random apps (honestly on a secure system having some random app installed should not be a real risk!). Oh, there is also the bug in V8 that the story is about, but that's not important.
But not the latest version. Feature bloat.
Also, I disabled Chrome.
They sentenced me to twenty years of boredom
"If you're an Android user that makes heavy use of Google's Chrome web browser (and what Android user doesn't?)"
Uh, this one. Guess I'm lucky I'm an avid Opera fan, heh.
First off, a repost and now a little analysis of the title. ..JavaScript Exploit Leaves All Android Devices [not all devices have chrome and even then not everyone uses chrome] Ripe For Attack [wrong, exploit is undisclosed and being patched].
Lucky almost every new piece of desktop software across the world is built to run on one of about three browser platforms, and we've got rid of those pesky "extensions" that provided users with implementation alternatives, eh? Only through this level of homogeneity can users achieve safety and not all be exploited at once!
thankfully, he hasn't publicly revealed detailed specifics on its inner workings
Thankfully for your sense of security, he hasn't. Bugs like this are so valuable that many people will treat you far better than the "public" for revealing it, surely?
Didn't I read about this on Friday?
I'm an Android user that does not use Chrome. I use Opera.
cp /dev/zero ~/signature.txt
Node's JS engine *is* V8.
Node's JS engine *is* V8.
Meaning "node.js requires some C++ bindings and there are only versions of those bindings for V8" (or "can only be versions of those bindings for V8", as they're dependent on the way V8 works)? (I.e., better phrased as "the only JS engine on which node.js can run is V8".)
Google reportedly has been made well aware of the exploit and will likely act quickly to resolve it.
Given the way that Google updates don't get out to Android users, we can expect Google's resolution to eventually reach 0% of the current users.
I'm an American. I love this country and the freedoms that we used to have.
All the JS code runs (as in compiled / optimized / executed) on V8. Some portions of node are written in C++ (generally the OS interface), though as the JS -> C++ transition is expensive, node implements most of its API in JavaScript. To this extent, Node is merely a wrapper around V8.
So Rust code ends up depending on C/C++ code? This kinda defeats the purpose...
it shoved an ad on top of a web page I was trying to read. The ad programmer had some fun with it, it would move around when I tried to scroll, and the dismiss box did not do exactly what I wanted. So I took a few minutes to install Firefox and Adblock. Then I removed the Chrome icon from the special real estate on the home screen and replaced it with Firefox, and set Firefox to default. Goodbye ads!
Bare pointers! Is there another kind?
and what Android user doesn't
I run four 3rd-party apps on my CM12.1-equipped S5 (including Waze and Square Register) and a fucking web browser isn't one of them.
I use Firefox on my phone.
---
ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
So the project is named after the one and only JavaScript file in the project? And its relationship to JavaScript is similar to the relationship between a program with an embedded Lua interpreter and Lua?
Chrome is a much bigger project than Rust is, in terms of scope and code size. I mean, a programming language implementation (JavaScript) is just a small part of Chrome! Of course Chrome will have more bugs; there's far more to Chrome than there is to Rust!
The same goes for GCC. It isn't just a single programming language implementation like Rust is. It includes front ends for C, C++, Objective-C, Objective-C++, Fortran, Ada, Java, and other languages. Besides, GCC also includes a lot of compiler back end functionality that Rust just uses LLVM for. Of course GCC will have more bugs than Rust; there's far more to GCC than there is to Rust!
There are two big problems here.
The first is that one of the selling points of Rust is that it's supposed to avoid bugs. Yet the biggest Rust code base out there is fucking riddled with bugs!
The second problem is that Rust is comparatively tiny, yet it's full of so many bugs for something so small.
These problems should make any sensible programmer question all of the claims made about Rust being so safe and secure. The evidence shows that it does not prevent bugs.
Instead of pointing to other projects that are absolutely massive compared to Rust and crying about "THeY haVE bUgz TOOO!!!#!#@!", you should instead look at Rust and reevaluate your opinion about it.
heavy use of Google's Chrome web browser (and what Android user doesn't?)
I have had my Samsung tablet for 2+ years now and I have never used Google's Chrome web browser.
I use Firefox 35.0.1 with Javascript disabled. Works fine.
But then I don't use Google Play Store either. I use F-Droid.
Just the name already - "Play" store. Sounds like something for kids.
I fail to see your comment's relevance? Many comments in this thread fail to realize that V8 is the foundation of node...
.*and* in javascript... https://github.com/nodejs/node...
Ask and ye shall receive...
Source code for Opera's various browsers!
Tada! It's open source but not truly open licensing - permissive licensed, to some extent. You can review, poke, and change it all you want. You may not redistribute it with their proprietary bits - if I've read the licensing agreement properly.
"So long and thanks for all the fish."
S'not a problem. I'm not really a zealot or anything but I much prefer Opera. I've been using Opera since the days when we had to pay for it. I used Firefox for a while, when they first came out, and that was okay. Opera kind of took a nosedive when they first converted their code base to the current incarnation but it's improved and is very nice now. I spend some time on their forums and have known some of the devs for ages now.
The cool thing is, and yes - I've run wireshark, they've stripped out any of the privacy invading stuff from Google. They have and are working on some sync features - no complaints so far but I do have some improvements for them to consider. It is pretty light and rather stable. The Linux versions now use the PPA system for updates if you want. The extension ecosystem is excellent and one can even install Chrome extensions if you want.
There's no NoScript but there's something even better called uMatrix. uMatrix is like an old school software firewall except for your browser. It's a hell of a lot better than what NoScript is - you can do much more with it. There's a small learning curve but it's not steep and it is easy enough to figure out. Give it a shot. I don't like the mobile versions as much but they'll do. I prefer Firefox if I'm stuck using Android but that will change on Monday.
"So long and thanks for all the fish."
You're far from alone, this "all android devices" they mention doesn't include any of mine. Now if mobile Chrome supported a decent adblocker and more search engine choices things might be different.
I do as well, I never got attracted by Chrome, it feels wrong.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Using a string class instead of a char* array? Using signals/slots message passing rather than calling otherobject* -> function()? "Bare pointers" means "fiddling directly with memory addresses".
Live today, because you never know what tomorrow brings
Do we know if this affects node?
You have to feed your node server a polluted pile of js and that requires the site to be compromised. So yes but....
For some reason Google just upgraded Chrome..... I wonder if it is related...
Always load two browsers on your device and save one for the days when the other is "ill". You got to be on Edge to understand this...
Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
The new, Chrome-like Opera is actually really good - it's my 'default' Android browser. It does text-wrapping better than any other Android browser I've tried, which is a really obvious feature, but it seems to be the only one that provides it.
Exactly. Won't use any browser that doesn't let me block JavaScript, trackers and ads. Just not going to happen.
Not sure why this is off-topic. I started using Firefox on the phone because it was the first Android browser to offer a sane set of cookie management options (i.e. something beyond 'allow all' or 'block all', though it was restricted to this in the first couple of Android releases for some reason). With the self-destructing cookies plugin, it actually does what I want with respect to privacy. Most importantly though, it avoids a monoculture. Android has a huge market share and the idea of a bug in one browser being able to exploit the vast majority of all mobile phones is terrifying. Unfortunately, as with IE on Windows, enough apps use the Android WebView that there's a good chance that something else will run JavaScript with V8 even if you uninstall Chrome.
I am TheRaven on Soylent News
I never had a problem paying for a browser. It was a very long time before we had a good open source browser, and Opera for quite some time was way ahead of the pack on security. Firefox chased everyone down, and then Google joined the game, and that mostly pushed Opera out. But Opera's model was as good as proprietary got- a thing that I bought has a much greater chance of doing what I want than something that Microsoft was desperately trying to "monetize".
I don't remember the payment process but I think, I'm not sure, that they had a sale at one point where you could buy a lifetime license for $20. I bought like five of them if I recall correctly. (I might have shared one or two with friends/family. We were evil like that, back in the day.)
I think that one of my favorite features was 'fit to width.' I still seek out scripts and extensions that enable me to do so for a variety of sites. Hmm... One sec...
http://i.imgur.com/xPZrOQF.png
That's Slashdot, wide and dark. The 'fit to width' feature was awesome!
Anyhow, if you're still using Opera then, by all means, try uMatrix.
"So long and thanks for all the fish."
Who doesn't use Chrome? Me, for example, and all those who use Firefox, because Chrome is proprietary and even its free-as-in-freedom base, Chromium, could spy on you by recording voices.
Does this apply to Chrome on desktop? I use it, and (mu)Matrix to block a majority of scripts and the common ad networks.
Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
Me too. At least it gets updated even if Android doesn't (three of our Android devices are off official support).