Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google: Chrome Zero-Day Was Used Together With a Windows 7 Zero-Day (zdnet.com)

Posted by msmash on from the it's-complicated dept.

Google said this week that a Chrome zero-day the company patched last week was actually used together with a second one, a zero-day impacting the Microsoft Windows 7 operating system. From a report: The two zero-days were part of ongoing cyber-attacks that Clement Lecigne, a member of Google's Threat Analysis Group, discovered last week on February 27. The attackers were using a combination of a Chrome and Windows 7 zero-days to execute malicious code and take over vulnerable systems. The company revealed the true severity of these attacks in a blog post this week. Google said that Microsoft is working on a fix, but did not give out a timeline. The company's blog post comes to put more clarity into a confusing timeline of events that started last Friday, March 1, when Google released Chrome 72.0.3626.121, a new Chrome version that included one solitary security fix (CVE-2019-5786) for Chrome's FileReader --a web API that lets websites and web apps read the contents of files stored on the user's computer.

31 of 56 comments (clear)

  1. Maybe they could also scan to identify by bobstreo · · Score: 1

    the twitter command and control accounts of botnets/terrorists...

    Scanning for vulnerabilities is a start, but eliminating the accounts is probably a whole other kettle of fish.

  2. Re:Browser, everything and the kitchen sink by jellomizer · · Score: 1

    1990's Internet Explorer, A small light weight browser (Compared to the giant of Netscape Communicator) that supports the standards and renders quickly.
    2000's Firefox, A small light weight browser (Compared to Internet Explorer) that is secure, supports the standards and renders quickly.
    2010's Chrome, A small light weight browser (Compared to Firefox) that is secure,supports the standards and renders quickly.

    It seems that the people want a Secure, Small Light weight browser, that supports the standards and renders information quickly. However it seems once they get popular the companies/organizations keep on adding "Would be Nice" features to it until it is a bloated mess with security problems. Then is open to be replaced by something else.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  3. It happened when Windows 7 is still supported by xack · · Score: 1

    If another large security hole opens up after EOL, Microsoft will just say we told you so and tell you go get Windows 10. There WILL be a large security incident a few years from now because too many people are using unsupported systems.

    1. Re:It happened when Windows 7 is still supported by Anonymous Coward · · Score: 1

      microsoft has released out-of-band updates for so-called 'unsupported' and end-of-life versions in the past... but, microsoft should just quit squeezing more money out of windows 7 users (the upcoming penalty for not signing-on to windows 10 and it's extra revenue streams for microsoft) and just extend the support date by the three years that 'paid' updates will be available for... make it and 8.1 the same.... and then FIX the piece of shit that is windows 10 in the next three and a half years... i.e. the problems that are keeping so many away from it in the first place.. forced and broken updates, constant spying, resetting of user-set settings, constantly downloading and installing 'suggested' apps and other garbage, ui inconsistencies, etc, etc, etc.

    2. Re: It happened when Windows 7 is still supported by Anonymous Coward · · Score: 1

      Or just switch to linux mint or mac and be done with microsoft.

    3. Re:It happened when Windows 7 is still supported by WillAffleckUW · · Score: 1

      Nope, Chrome works fine on our lab's Linux blades

      Why would we downgrade them to Windows 10?

      --
      -- Tigger warning: This post may contain tiggers! --
  4. Am I the only one who thinks "zero-day" sounds.... by mark-t · · Score: 1

    needlessly jargony?

    Why not say what it is in plain english... a newly discovered or previously unheard of exploit or vulnerability.

    And if it's not that, then it's not zero-day, by definition.

    --
    File under 'M' for 'Manic ranting'
  5. Re:Browser, everything and the kitchen sink by xonen · · Score: 4, Informative

    Firefox was never about being small and light weight, it was about being able to render websites faster and in a standard compliant way.

    I hate to correct you, cause on other points you are right, but no.
    Firefox came as spin-off from the Mozilla suite. Mozilla targeted compliant browsing.

    Firefox was from day one meant as a light weight browser with only one feature: browsing websites. No composer, no e-mail, no fancies and initially not even plugins. Low on memory. Low on megabytes of code. Fast.

    From there it went it's own way exactly as parent poster described.

    --
    A glitch a day keeps the bugs away.
  6. Re:Browser, everything and the kitchen sink by Killall+-9+Bash · · Score: 1

    Ever wonder why Windows 7 was so robust and yet had to be replaced w/Vista/8/8.1/10? Cause regressions would be noticed.

    No one noticed when SP3 turned XP to shit, so why do you think they would have noticed if a hypothetical SP2 turned 7 to shit?

    --
    "Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
  7. Re:Am I the only one who thinks "zero-day" sounds. by mark-t · · Score: 1

    The problem with "0-day", is, as I said, that it sounds like jargon... like a buzzword that people overuse when they want to invoke an emotional reaction to the concept rather than using regular English words to say the same thing.

    Calling it a a newly discovered exploit instead of a 0-day exploit is both more informative by virtue of being in plain English and doesn't come across as trying to push some agenda for software that detects and removes malware.

    --
    File under 'M' for 'Manic ranting'
  8. Mission Accomplished by 93+Escort+Wagon · · Score: 1

    If another large security hole opens up after EOL, Microsoft will just say we told you so and tell you go get Windows 10. There WILL be a large security incident a few years from now because too many people are using unsupported systems.

    I see Google has successfully managed to get some people to already forget about their own zero-day bug here. You know, the Google bug which gave attackers remote access to the Windows 7 computers in the first place.

    The Windows bug was a local privilege escalation attack. It needs to be fixed, but the Google Chrome bug was the bigger issue here.

    --
    #DeleteChrome
  9. Re:Am I the only one who thinks "zero-day" sounds. by Anonymous Coward · · Score: 2, Insightful

    You are both wrong.

    'Zero-Day' describes that the exploit was previously unknown, and that it took zero days for it to be exploited.

    Instead of "we found a bug, let's hope it gets patched before someone writes code to exploit it", zero-day describes "OMG what is this code doing!? look it's using a previously unknown bug!"

    "Newly discovered" does not adequately describe the situation.

    There is clearly etymological room for a different term, even if it does sound like a buzzword.

  10. Re:Am I the only one who thinks "zero-day" sounds. by mark-t · · Score: 1

    0-day = new

    Exactly, so why bother with the jargon? "New" is plain english, 0-day is jargon. It obfuscates what is being talked about and sounds like its trying to grab headlines by using a fancy buzzword.

    --
    File under 'M' for 'Manic ranting'
  11. Re: Browser, everything and the kitchen sink by Anonymous Coward · · Score: 1

    Because he's a nutbag

  12. Anyone know how to check infection? by dackroyd · · Score: 1

    So, I've got a Window 10 box, that apparently Chrome can't update itself on, instead giving this message:

    https://twitter.com/MrDanack/s...

    Which is obviously not a good sign as blocking the security updates seems like a thing an infection would like to do.

    Anyone know of how to tell if a box is actually infected or not?

    --
    "Free software as in beer, copy protection as in racket" - Telsa Gwynne
    1. Re:Anyone know how to check infection? by Anonymous Coward · · Score: 1

      It has Windows 10, it is infected. Don't you mean how to tell if there also is a competing product on the box?

    2. Re:Anyone know how to check infection? by drinkypoo · · Score: 1

      So, I've got a Window 10 box, that apparently Chrome can't update itself on, [...]
      Anyone know of how to tell if a box is actually infected or not?

      You're running a browser that phones home to Google on a system that phones home to Microsoft. The answer is yes. Your box is actually infected with at least two trojans that you deliberately chose to have it infected with.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  13. Re:Am I the only one who thinks "zero-day" sounds. by mark-t · · Score: 1

    It entirely adequately describes it.... "0-day" is just jargon for "new", which by definition means it wasn't around before. It just happens mean it was discovered on the day that the developers knew about the exploit, but if the developers actually already knew about the exploit, then it isn't really new is it?

    Worse, "0-day" can suggest to a person unfamiliar with the precise definition that the exploit was discovered less than one day after the relevant software had been most recently updated, which of course makes absolutely no sense when you are talking about software that hasn't been updated in years such as Windows 7.

    Calling it a new exploit, or previously unknown exploit, is descriptive to anyone who knows english, and does not require familiarity with some fancy term that quite honestly just sounds like an overused buzzword.

    --
    File under 'M' for 'Manic ranting'
  14. Re: A "buzzword" is "hack" or "cyber-warfare" by mark-t · · Score: 1

    Obviously it's 0 days since discovery, because if it was actually discovered before that, then it's not new... it would be a "known exploit" instead of a "new exploit". And how do you figure that "0-day" is shorter than "new"?

    By itself, the expression "0-day exploit" on some software X might suggest, following simply an English definition of the words, an exploit that was discovered less than 1 day after the most recent update to software X. That's not what the term actually means, however, and it's why I think the expression is ambiguous, and quite honestly sounds like a buzzword being used by someone who is only trying to sell you something.

    --
    File under 'M' for 'Manic ranting'
  15. Re:Let's try this again, see if you get it now. by mark-t · · Score: 1

    "New" is plain english... "0-day" is a technical term that has a particular meaning which is not necessarily intuitively grasped from context, and as I have argued, is therefore more ambiguous.

    But my opening question has been answered... apparently it is just me.

    --
    File under 'M' for 'Manic ranting'
  16. Re:Am I the only one who thinks "zero-day" sounds. by Anonymous Coward · · Score: 1

    Except an exploit using a bug in the wild isn't new, even if a developer was unaware of it--and it's not even given that such is true, as the bugs might actually be fixed already in the internal branch. There's also the point that it might not be "a" new exploit but a host of them, leveraging one or more bugs--implementation or design ones. Further, an exploit that exists but isn't being actively used isn't 0-day. All the above applies to "previously unknown".

    Don't get me wrong: I think 0-day is a pretty terrible name. It is jargony, but that's because it tries to encompass multiple things at once: there's an exploit, it's being actively used, and it exploits a bug or feature in an unintended way. Like most things, jargon improves the communication of things in one way. The heart of the matter is not the exploit but the means of the exploit, since exploits don't magically happen but are tied to hardware/software.

    I can't say it equivalent to a buzzword because buzzwords often mean little to nothing or people don't really known what it means and it's used often specifically for obfuscation. Yes, 0-day is used instead of "new" at least in part because it conveys more urgency. That's because in a lot of circumstances, where people have millions or more money invested, it is urgent and it's important to figure out which are the most urgent threats. Twenty new exploits for a patched bug aren't as threatening as one 0-day.

  17. Re:Sorry, you still lose. by mark-t · · Score: 1

    "New" does not denote a number of days and is thus useless and vague. 0-day is a technical term to describe a technical concept. Yes. Don't like it? Too fucking bad, it's been there forever.

    No, it has not... it has only been used in the context of exploits since the late 1990's. Go ahead... try and find a single reference to "0-day" used in the context of exploits or hacking before 1998.

    Prior to this), the expression was only applied to copyright infringement, and specifically referred to any (pirated) copyrighted work that got released the same day as the original product, or sometimes even before. Adapting this definition to refer to exploits suggests that the exploit is discovered on the same day (or before) as the product that it exploits is released, or at least on or before the time when the developer releases the most up-to-date security updates. Obviously you cannot apply this meaning to software that hasn't been updated recently, such as Windows 7, and I believe that casually using the term to simply mean that the exploit was caught before the developer knew about it is liable to cause confusion. Absolutely *ANY* exploit that is discovered by someone other than the developer would meet this definition, so at best, the term is redundant, especially for software that isn't under active development anyways.

    But you can go ahead... keep on saying how dumb I am for thinking like this... since you obviously feel some sort of need to keep saying it.

    --
    File under 'M' for 'Manic ranting'
  18. why does browser need api to read my files? by hraponssi · · Score: 1

    what is the use case to have a browser expose some API for random websites to read files on user computer? or what is this API if not that?

  19. Re:Browser, everything and the kitchen sink by swillden · · Score: 1

    Firefox was from day one meant as a light weight browser with only one feature: browsing websites. No composer, no e-mail, no fancies and initially not even plugins. Low on memory. Low on megabytes of code. Fast.

    Kind of. Firefox was intended to be much lighter than the Mozilla Suite, true, but remember that the Mozilla Suite was a single application that included NNTP and email clients, a WYSIWYG HTML editor/web site construction tool, an IRC client and more. Oh, and a web browser. Firefox was intended to be lighter not because it was supposed to be some sort of uber-minimal browser, but because it was intended to be only a browser, and not all of those other things. True, it didn't support plugins, but that was less to make it lightweight and more because you can only do so much at once.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  20. Re:Browser, everything and the kitchen sink by drinkypoo · · Score: 1

    The whole point of Firefox is that it was supposed to be a "platform"... but one which was lightweight, and you added in more functionality. But people gave them too many donations so they spent millions of dollars buying pocket and then building it right into the browser instead of making it an add-on. In principle, Firefox makes Mozilla deserving of donations. In practice, if you give them money, they spend it fucking up the browser.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  21. Re:Browser, everything and the kitchen sink by swillden · · Score: 1

    The whole point of Firefox is that it was supposed to be a "platform"... but one which was lightweight, and you added in more functionality.

    Not initially.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  22. Use after free ... of course by Pinky's+Brain · · Score: 1

    People keep telling me tools will help prevent this kind of shit for C(++). Google has fuzzers and memory checker tools out the ass, still these bugs get through.

    1. Re:Use after free ... of course by Eravnrekaree · · Score: 1

      use shared_ptr and vectors

  23. C++ does have features to prevent it by Eravnrekaree · · Score: 1

    If people were to use shared_ptr, vectors and std::string many of these errors could be prevented.

  24. Re:Browser, everything and the kitchen sink by Waccoon · · Score: 1

    That was back when it was called Phoenix (which I made my default browser back in the day). Phoenix started losing the plot shortly after the re-branding to Firefox, and Firefox 2.0 was when things really started going downhill.

  25. Re:Browser, everything and the kitchen sink by thegarbz · · Score: 1

    Thanks for the correction, you are of course right I completely forgot that Mozilla came in between in the popular browser development.