Given that browser remote code execution (RCE) exploits often involve running untrusted code that came from an untrusted source in an unexpected way, and launched a new thread of execution that wouldn’t normally show up in the logs… We’re guessing, given that a cybersecurity company reported this vulnerability, and given the almost immediate publication of a one-bug update, that the flaw was uncovered in the course of an active investigation into an intrusion on a customer’s computer or network.Īfter an unexpected or unusual break-in, where obvious entry paths simply don’t show up in the logs, threat hunters typically turn to the gritty details of the detection-and-response logs at their disposal, attempting to piece together the system-level specifics of what happened. That’s what’s known in cybercrime slang as a drive-by install. Loosely speaking, that means it’s almost certain that merely visiting and viewing a booby-trapped website – something that’s not supposed to lead you into harm’s way on its own – could be enough to launch rogue code and implant malware on your device, without any popups or other download warnings. This Chrome update means that you’re now looking for a version number of 1.87 or later.Ĭonfusingly, that’s the version number to expect on Mac or Linux, while Windows users may get 1.87 or 1.88, and, no, we don’t know why there are two different numbers there.įor what it’s worth, the cause of this security hole was described as “type confusion in V8”, which is jargon for “there was an exploitable bug in the JavaScript engine that could be triggered by untrusted code and untrusted data that came in apparently innocently from outside”. (Apple also regularly uses a similarly disengaged flavour of OMG-everybody-there’s-an-0-day notification, using words to the effect that it “is aware of a report that issue may have been actively exploited”.) Google is aware of reports that an exploit for CVE-2022-3723 exists in the wild. Google’s response was to push out another update as soon as it could: a one-bug fix dealing with CVE-2022-3723, described with Google’s customary we-can-neither-confirm-nor-deny legalism saying: …only to receive a vulnerability report from researchers at cybersecurity company Avast on the very same day. Google pushed out a bunch of security fixes for the Chrome and Chromium browser code earlier this week…
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |