Slashdot Mirror


Google: Chrome Zero-Day Was Used Together With a Windows 7 Zero-Day (zdnet.com)

Google said this week that a Chrome zero-day the company patched last week was actually used together with a second one, a zero-day impacting the Microsoft Windows 7 operating system. From a report: The two zero-days were part of ongoing cyber-attacks that Clement Lecigne, a member of Google's Threat Analysis Group, discovered last week on February 27. The attackers were using a combination of Chrome and Windows 7 zero-days to execute malicious code and take over vulnerable systems. The company revealed the true severity of these attacks in a blog post this week. Google said that Microsoft is working on a fix, but did not give out a timeline. The company's blog post comes to put more clarity into a confusing timeline of events that started last Friday, March 1, when Google released Chrome 72.0.3626.121, a new Chrome version that included one solitary security fix (CVE-2019-5786) for Chrome's FileReader -- a web API that lets websites and web apps read the contents of files stored on the user's computer.

56 comments

  1. Browser, everything and the kitchen sink by Anonymous Coward · · Score: 0

    Chrome is an incredibly complex browser with a lot of moving parts. I expect more and more serious vulnerabilities. I'm a little scared that it has been opening more and more interfaces to the underlying OS. There are a lot of settings that I turn off on a regular basis now, while I used to feel that Chrome was pretty secure out-of-the-box.

    1. Re:Browser, everything and the kitchen sink by jellomizer · · Score: 1

      1990's Internet Explorer, A small light weight browser (Compared to the giant of Netscape Communicator) that supports the standards and renders quickly.
      2000's Firefox, A small light weight browser (Compared to Internet Explorer) that is secure, supports the standards and renders quickly.
      2010's Chrome, A small light weight browser (Compared to Firefox) that is secure, supports the standards and renders quickly.

      It seems that the people want a Secure, Small Light weight browser, that supports the standards and renders information quickly. However it seems once they get popular the companies/organizations keep on adding "Would be Nice" features to it until it is a bloated mess with security problems. Then is open to be replaced by something else.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:Browser, everything and the kitchen sink by Anonymous Coward · · Score: 0

      Not many people know, but most modern-day zero-day bugs are designed in (as part of an NSA request).
      An attack vector is routed out, then the code is built around that attack vector. The NSA uses it for as
      long as they're able, until some shill security company "notices" it and the company reluctantly fixes it.
      Look how long some of these exploits are available (iApple is a big offender of sitting on not fixing the
      ones that are discovered) - and how they're so much like the "last exploit." Ever wonder why Windows 7
      was so robust and yet had to be replaced w/Vista/8/8.1/10? Cause regressions would be noticed.
      Ahh... But a new "version" and oops! Where'd that bug come from -- we're sorry, honest. Pretty easy
      pattern to spot...

      CAP === 'silences' <== ! will not be silenced!

    3. Re:Browser, everything and the kitchen sink by xonen · · Score: 4, Informative

      Firefox was never about being small and light weight, it was about being able to render websites faster and in a standard compliant way.

      I hate to correct you, cause on other points you are right, but no.
      Firefox came as spin-off from the Mozilla suite. Mozilla targeted compliant browsing.

      Firefox was from day one meant as a light weight browser with only one feature: browsing websites. No composer, no e-mail, no fancies and initially not even plugins. Low on memory. Low on megabytes of code. Fast.

      From there it went its own way exactly as parent poster described.

      --
      A glitch a day keeps the bugs away.
    4. Re:Browser, everything and the kitchen sink by Killall+-9+Bash · · Score: 1

      Ever wonder why Windows 7 was so robust and yet had to be replaced w/Vista/8/8.1/10? Cause regressions would be noticed.

      No one noticed when SP3 turned XP to shit, so why do you think they would have noticed if a hypothetical SP2 turned 7 to shit?

      --
      "Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
    5. Re: Browser, everything and the kitchen sink by Anonymous Coward · · Score: 1

      Because he's a nutbag

    6. Re:Browser, everything and the kitchen sink by swillden · · Score: 1

      Firefox was from day one meant as a light weight browser with only one feature: browsing websites. No composer, no e-mail, no fancies and initially not even plugins. Low on memory. Low on megabytes of code. Fast.

      Kind of. Firefox was intended to be much lighter than the Mozilla Suite, true, but remember that the Mozilla Suite was a single application that included NNTP and email clients, a WYSIWYG HTML editor/web site construction tool, an IRC client and more. Oh, and a web browser. Firefox was intended to be lighter not because it was supposed to be some sort of uber-minimal browser, but because it was intended to be only a browser, and not all of those other things. True, it didn't support plugins, but that was less to make it lightweight and more because you can only do so much at once.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    7. Re:Browser, everything and the kitchen sink by drinkypoo · · Score: 1

      The whole point of Firefox is that it was supposed to be a "platform"... but one which was lightweight, and you added in more functionality. But people gave them too many donations so they spent millions of dollars buying pocket and then building it right into the browser instead of making it an add-on. In principle, Firefox makes Mozilla deserving of donations. In practice, if you give them money, they spend it fucking up the browser.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    8. Re:Browser, everything and the kitchen sink by Anonymous Coward · · Score: 0

      Many of us use our computers to do more than one thing at a time. I don't need something as trivial as a web browser to be hoarding resources.

      But good for you that you only need a computer to browse the web and use Facebook.

    9. Re:Browser, everything and the kitchen sink by swillden · · Score: 1

      The whole point of Firefox is that it was supposed to be a "platform"... but one which was lightweight, and you added in more functionality.

      Not initially.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    10. Re:Browser, everything and the kitchen sink by Waccoon · · Score: 1

      That was back when it was called Phoenix (which I made my default browser back in the day). Phoenix started losing the plot shortly after the re-branding to Firefox, and Firefox 2.0 was when things really started going downhill.

    11. Re:Browser, everything and the kitchen sink by Anonymous Coward · · Score: 0

      The whole point of Firefox is that it was supposed to be a "platform"... but one which was lightweight, and you added in more functionality.

      You may say this is semantics but the first part you say is correct and the second part is wrong.

      With the Mozilla suite, that was seen by many as bloated and distracted from the original idea of being a web browser, a branch of the Mozilla web browser was created to focus on being light weight and have no bloat.

      That however was called Phoenix, sporting a logo of the phoenix firebird from myths, representing rising from the ashes of the killed-by-internet-explorer predecessor.

      Later there was a trademark dispute with Phoenix known for making BIOS software, so they renamed the project Firebird.
      Naturally there was another software project already named Firebird, so it became Firefox.

      That spanned about a decade of time, and meanwhile development made a course correction and flew right back into the Mozilla foundation head on, as the official Mozilla brand dropped their entire suite of software and raised Firefox and Thunderbird as their flagship software, each dedicated to their task but remaining separate.

      This is the moment those programs and others were put back under one 'brand' as a platform.

      So yes, Firefox (a decade after it was branched) was intended by Mozilla to be their new platform.
      But no, Firefox had no other goal, it was a decade prior when Phoenix was born that the goal was to be light weight and anti-bloat, and that particular goal died along with Phoenix/Firebird.

    12. Re:Browser, everything and the kitchen sink by thegarbz · · Score: 1

      Thanks for the correction, you are of course right I completely forgot that Mozilla came in between in the popular browser development.

  2. MSMASH: you inbred Induchum by Anonymous Coward · · Score: 0

    Lol

  3. Microsoft starts dancing by Anonymous Coward · · Score: 0

    dance to the tune of someone else's search engine /ad-broker suckers, remember 100000 developers student loans/ mortgages depend on it, kind of focuses the mind to who your real masters are

  4. Maybe they could also scan to identify by bobstreo · · Score: 1

    the twitter command and control accounts of botnets/terrorists...

    Scanning for vulnerabilities is a start, but eliminating the accounts is probably a whole other kettle of fish.

    1. Re:Maybe they could also scan to identify by Anonymous Coward · · Score: 0

      I think you meant to post this here?
      https://it.slashdot.org/story/...

  5. It happened when Windows 7 is still supported by xack · · Score: 1

    If another large security hole opens up after EOL, Microsoft will just say we told you so and tell you to go get Windows 10. There WILL be a large security incident a few years from now because too many people are using unsupported systems.

    1. Re:It happened when Windows 7 is still supported by Anonymous Coward · · Score: 1

      microsoft has released out-of-band updates for so-called 'unsupported' and end-of-life versions in the past... but, microsoft should just quit squeezing more money out of windows 7 users (the upcoming penalty for not signing-on to windows 10 and its extra revenue streams for microsoft) and just extend the support date by the three years that 'paid' updates will be available for... make it and 8.1 the same.... and then FIX the piece of shit that is windows 10 in the next three and a half years... i.e. the problems that are keeping so many away from it in the first place.. forced and broken updates, constant spying, resetting of user-set settings, constantly downloading and installing 'suggested' apps and other garbage, ui inconsistencies, etc, etc, etc.

    2. Re: It happened when Windows 7 is still supported by Anonymous Coward · · Score: 1

      Or just switch to linux mint or mac and be done with microsoft.

    3. Re: It happened when Windows 7 is still supported by Anonymous Coward · · Score: 0

      Or just switch to linux mint or mac and be done with microsoft.

      or ReactOS ...

    4. Re:It happened when Windows 7 is still supported by WillAffleckUW · · Score: 1

      Nope, Chrome works fine on our lab's Linux blades

      Why would we downgrade them to Windows 10?

      --
      -- Tigger warning: This post may contain tiggers! --
  6. Am I the only one who thinks "zero-day" sounds.... by mark-t · · Score: 1

    needlessly jargony?

    Why not say what it is in plain english... a newly discovered or previously unheard of exploit or vulnerability.

    And if it's not that, then it's not zero-day, by definition.

  7. Re:Am I the only one who thinks "zero-day" sounds. by Anonymous Coward · · Score: 0

    > 0-day

    vs

    > a newly discovered or previously unheard of exploit or vulnerability

    I'll take the former, thanks.

  8. Re:Am I the only one who thinks "zero-day" sounds. by mark-t · · Score: 1

    The problem with "0-day", is, as I said, that it sounds like jargon... like a buzzword that people overuse when they want to invoke an emotional reaction to the concept rather than using regular English words to say the same thing.

    Calling it a newly discovered exploit instead of a 0-day exploit is both more informative by virtue of being in plain English and doesn't come across as trying to push some agenda for software that detects and removes malware.

  9. Re:Am I the only one who thinks "zero-day" sounds. by Anonymous Coward · · Score: 0

    0-day = new, known for 0 days. All words are jargon. Your replacement does not replace the functionality of the existing phrase, and is longer and more cumbersome. So by your own definition, jargon.

    Keep thinking about these really big issues, Mark.

  10. Mission Accomplished by 93+Escort+Wagon · · Score: 1

    If another large security hole opens up after EOL, Microsoft will just say we told you so and tell you to go get Windows 10. There WILL be a large security incident a few years from now because too many people are using unsupported systems.

    I see Google has successfully managed to get some people to already forget about their own zero-day bug here. You know, the Google bug which gave attackers remote access to the Windows 7 computers in the first place.

    The Windows bug was a local privilege escalation attack. It needs to be fixed, but the Google Chrome bug was the bigger issue here.

    --
    #DeleteChrome
    1. Re:Mission Accomplished by Anonymous Coward · · Score: 0

      a local user attack = a local privilege escalation attack. Just sit dormant until the next time I download an installer, swap in the malicious code and wait for me to double click the installer and click the Allow button, and local privileges are escalated.

  11. Re:Am I the only one who thinks "zero-day" sounds. by Anonymous Coward · · Score: 2, Insightful

    You are both wrong.

    'Zero-Day' describes that the exploit was previously unknown, and that it took zero days for it to be exploited.

    Instead of "we found a bug, let's hope it gets patched before someone writes code to exploit it", zero-day describes "OMG what is this code doing!? look it's using a previously unknown bug!"

    "Newly discovered" does not adequately describe the situation.

    There is clearly etymological room for a different term, even if it does sound like a buzzword.

  12. Re:Am I the only one who thinks "zero-day" sounds. by mark-t · · Score: 1

    0-day = new

    Exactly, so why bother with the jargon? "New" is plain english, 0-day is jargon. It obfuscates what is being talked about and sounds like it's trying to grab headlines by using a fancy buzzword.

  13. Re:Am I the only one who thinks "zero-day" sounds. by Anonymous Coward · · Score: 0

    Who's going to go back and update the reports to 1-day, 2-day, etc.?

  14. Re: Am I the only one who thinks "zero-day" sounds by Anonymous Coward · · Score: 0

    It's not newly discovered if it was used in the wild and actively exploited

  15. A "buzzword" is "hack" or "cyber-warfare" by Anonymous Coward · · Score: 0

    You're being willfully stupid. "New" is vague. 0-day says 0 days since discovery, a metric. It's also shorter than your jargon-itself replacement. It's not a buzzword, it's an industry term since whenever.

    Sorry, you're not going to have much luck replacing common terms of usage in industries you know nothing about. Go redefine the milkman's job instead. "Milk, what does it mean? It's COW JUICE! What jargon!"

    1. Re: A "buzzword" is "hack" or "cyber-warfare" by mark-t · · Score: 1

      Obviously it's 0 days since discovery, because if it was actually discovered before that, then it's not new... it would be a "known exploit" instead of a "new exploit". And how do you figure that "0-day" is shorter than "new"?

      By itself, the expression "0-day exploit" on some software X might suggest, following simply an English definition of the words, an exploit that was discovered less than 1 day after the most recent update to software X. That's not what the term actually means, however, and it's why I think the expression is ambiguous, and quite honestly sounds like a buzzword being used by someone who is only trying to sell you something.

  16. Anyone know how to check infection? by dackroyd · · Score: 1

    So, I've got a Windows 10 box, that apparently Chrome can't update itself on, instead giving this message:

    https://twitter.com/MrDanack/s...

    Which is obviously not a good sign as blocking the security updates seems like a thing an infection would like to do.

    Anyone know of how to tell if a box is actually infected or not?

    --
    "Free software as in beer, copy protection as in racket" - Telsa Gwynne
    1. Re:Anyone know how to check infection? by Anonymous Coward · · Score: 1

      It has Windows 10, it is infected. Don't you mean how to tell if there also is a competing product on the box?

    2. Re:Anyone know how to check infection? by drinkypoo · · Score: 1

      So, I've got a Windows 10 box, that apparently Chrome can't update itself on, [...]
      Anyone know of how to tell if a box is actually infected or not?

      You're running a browser that phones home to Google on a system that phones home to Microsoft. The answer is yes. Your box is actually infected with at least two trojans that you deliberately chose to have it infected with.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Anyone know how to check infection? by Anonymous Coward · · Score: 0

      Which is obviously not a good sign as blocking the security updates seems like a thing an infection would like to do.

      Not really. When your machine gets popped, they usually start to force security upgrades to prevent anyone else from popping your machine and displacing them.

  17. Re:Am I the only one who thinks "zero-day" sounds. by mark-t · · Score: 1

    It entirely adequately describes it.... "0-day" is just jargon for "new", which by definition means it wasn't around before. It just happens to mean it was discovered on the day that the developers knew about the exploit, but if the developers actually already knew about the exploit, then it isn't really new is it?

    Worse, "0-day" can suggest to a person unfamiliar with the precise definition that the exploit was discovered less than one day after the relevant software had been most recently updated, which of course makes absolutely no sense when you are talking about software that hasn't been updated in years such as Windows 7.

    Calling it a new exploit, or previously unknown exploit, is descriptive to anyone who knows english, and does not require familiarity with some fancy term that quite honestly just sounds like an overused buzzword.

  18. Re:Am I the only one who thinks "zero-day" sounds. by Anonymous Coward · · Score: 0

    'Zero-Day' describes that the exploit was previously unknown, and that it took zero days for it to be exploited.

    you should meet my Zero-Day son, let's remove the "newborn" thing and use the jargon instead!

  19. Let's try this again, see if you get it now. by Anonymous Coward · · Score: 0

    Sorry, you're not going to have much luck replacing common terms of usage in industries you know nothing about. Go redefine the milkman's job instead. "Milk, what does it mean? It's COW JUICE! What jargon!"

    You're being willfully stupid. It's not a buzzword, it's an industry term since whenever. YMMV, but it changes nothing in reality. The reality is, you're suggesting the circumlocutious jargon.

    "New" is vague. "New" in the news cycle is 1-2 weeks to 1-2 months. 0-day is 0 days, specific. Stop. Being. Dumb.

    You're not changing the lexicon, but please if you feel like continuing to beat your head against a wall for no reason, make sure you tick the 'organ donor' spot on your license application.

    1. Re:Let's try this again, see if you get it now. by mark-t · · Score: 1

      "New" is plain english... "0-day" is a technical term that has a particular meaning which is not necessarily intuitively grasped from context, and as I have argued, is therefore more ambiguous.

      But my opening question has been answered... apparently it is just me.

  20. Sorry, you still lose. by Anonymous Coward · · Score: 0

    "New" does not denote a number of days and is thus useless and vague. 0-day is a technical term to describe a technical concept. Yes. Don't like it? Too fucking bad, it's been there forever.

    Just because you can't learn words that accurately describe things and prefer "Extracted and cooked Cow Juice" to "Milk" doesn't mean anyone else is similarly as dumb or pedantic about using only basic idiot-level words to describe basic concepts as you are.

    Nothing is changing no matter how hard you whine. Realize it or don't, but if you continue being a petulant retard trying to tell the world to be as dumb as you're being and getting upset that it isn't happening, you're digging a hole.

    We'll simply fill it in and put your name on a rock on top. Oh wells! "Here lies some weird dumbass who didn't matter, didn't like basic words."

    1. Re:Sorry, you still lose. by mark-t · · Score: 1

      "New" does not denote a number of days and is thus useless and vague. 0-day is a technical term to describe a technical concept. Yes. Don't like it? Too fucking bad, it's been there forever.

      No, it has not... it has only been used in the context of exploits since the late 1990's. Go ahead... try and find a single reference to "0-day" used in the context of exploits or hacking before 1998.

      Prior to this, the expression was only applied to copyright infringement, and specifically referred to any (pirated) copyrighted work that got released the same day as the original product, or sometimes even before. Adapting this definition to refer to exploits suggests that the exploit is discovered on the same day (or before) as the product that it exploits is released, or at least on or before the time when the developer releases the most up-to-date security updates. Obviously you cannot apply this meaning to software that hasn't been updated recently, such as Windows 7, and I believe that casually using the term to simply mean that the exploit was caught before the developer knew about it is liable to cause confusion. Absolutely *ANY* exploit that is discovered by someone other than the developer would meet this definition, so at best, the term is redundant, especially for software that isn't under active development anyways.

      But you can go ahead... keep on saying how dumb I am for thinking like this... since you obviously feel some sort of need to keep saying it.

  21. Re:Am I the only one who thinks "zero-day" sounds. by Anonymous Coward · · Score: 0

    "and that it took zero days for it to be exploited." - this is not a fact.

  22. Re:Am I the only one who thinks "zero-day" sounds. by Anonymous Coward · · Score: 1

    Except an exploit using a bug in the wild isn't new, even if a developer was unaware of it--and it's not even given that such is true, as the bugs might actually be fixed already in the internal branch. There's also the point that it might not be "a" new exploit but a host of them, leveraging one or more bugs--implementation or design ones. Further, an exploit that exists but isn't being actively used isn't 0-day. All the above applies to "previously unknown".

    Don't get me wrong: I think 0-day is a pretty terrible name. It is jargony, but that's because it tries to encompass multiple things at once: there's an exploit, it's being actively used, and it exploits a bug or feature in an unintended way. Like most things, jargon improves the communication of things in one way. The heart of the matter is not the exploit but the means of the exploit, since exploits don't magically happen but are tied to hardware/software.

    I can't say it's equivalent to a buzzword because buzzwords often mean little to nothing or people don't really know what it means and it's used often specifically for obfuscation. Yes, 0-day is used instead of "new" at least in part because it conveys more urgency. That's because in a lot of circumstances, where people have millions or more money invested, it is urgent and it's important to figure out which are the most urgent threats. Twenty new exploits for a patched bug aren't as threatening as one 0-day.

  23. Re:Am I the only one who thinks "zero-day" sounds. by Anonymous Coward · · Score: 0

    ohh my God, is /. overrun by morons now?

    Zero-day refers to an exploit which was effectively there at day zero of coding. Basically, an inherent flaw in original code. It's "new" in the sense that someone recently found it, but it's still as old as the code base or patch that introduced it.

  24. why does browser need api to read my files? by hraponssi · · Score: 1

    what is the use case to have a browser expose some API for random websites to read files on user computer? or what is this API if not that?

  25. Use after free ... of course by Pinky's+Brain · · Score: 1

    People keep telling me tools will help prevent this kind of shit for C(++). Google has fuzzers and memory checker tools out the ass, still these bugs get through.

    1. Re:Use after free ... of course by Eravnrekaree · · Score: 1

      use shared_ptr and vectors

  26. C++ does have features to prevent it by Eravnrekaree · · Score: 1

    If people were to use shared_ptr, vectors and std::string many of these errors could be prevented.
