Chrome V8 JavaScript Exploit Leaves All Android Devices Ripe For Attack (hothardware.com)
MojoKid writes: If you're an Android user that makes heavy use of Google's Chrome web browser (and what Android user doesn't?), you'll want to pay close attention to a new exploit that has the capability of taking your smartphone hostage. The exploit was demonstrated at MobilePwn2Own, which was held at a Tokyo-based PacSec conference. Qihoo 360 security researcher Guang Gong first uncovered the vulnerability, and thankfully, he hasn't publicly revealed detailed specifics on its inner workings. As soon as a phone accessed the website, the JavaScript v8 vulnerability in Chrome was used to install an arbitrary application (in this case a game) without any user interaction, to demonstrate complete control of the phone. Google reportedly has been made well aware of the exploit and will likely act quickly to resolve it.
http://slashdot.org/story/15/1...
Silence is a state of mime.
But... I use Firefox... That addon support was too good to pass up on. Also mostly avoid stuff that uses webview. So I suppose I'm fine?
Most of them.
If you use C/C++ right, you do not end up writing a JIT compiler for a language never intended for it. This is a bug in v8. Now, we don't know where, but that's the kind of code that does things no one sane should ever do. It is supposed to take shortcuts and patch things on the fly. It's of course fully possible that this exploit is not in a performance-critical path, and then your comment is rather well placed. But I do think that anyone writing C/C++ in this context is a fool himself. It is for all practical purposes impossible to use C without doing bare pointer addressing. It is highly possible to use C++ without doing it, even though such use is not terribly widespread.
node and chrome have nothing to do with each other besides sharing the JS engine.
node.js uses a JavaScript engine, as it's written in JavaScript. Chrome is a browser that has a JavaScript engine. So they share even less than that.
So the question is "does running node.js on V8 render it vulnerable?"
Good thing I use Firefox instead of Chrome.
Google reportedly has been made well aware of the exploit and will likely act quickly to resolve it.
Given the way that Google updates don't get out to Android users, we can expect Google's resolution to eventually reach 0% of the current users.
I'm an American. I love this country and the freedoms that we used to have.
Bare pointers! Is there another kind?
I use Firefox on my phone.
---
ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
I do as well, I never got attracted by Chrome, it feels wrong.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Not sure why this is off-topic. I started using Firefox on the phone because it was the first Android browser to offer a sane set of cookie management options (i.e. something beyond 'allow all' or 'block all', though it was restricted to this in the first couple of Android releases for some reason). With the self-destructing cookies plugin, it actually does what I want with respect to privacy. Most importantly though, it avoids a monoculture. Android has a huge market share and the idea of a bug in one browser being able to exploit the vast majority of all mobile phones is terrifying. Unfortunately, as with IE on Windows, enough apps use the Android WebView that there's a good chance that something else will run JavaScript with V8 even if you uninstall Chrome.
I am TheRaven on Soylent News