Another Chrome Vulnerability

Google has patched another Chrome zero-day:

On Thursday, Google said an anonymous source notified it of the vulnerability. The vulnerability carries a severity rating of 8.8 out of 10. In response, Google said, it would be releasing versions 124.0.6367.201/.202 for macOS and Windows and 124.0.6367.201 for Linux in subsequent days.

“Google is aware that an exploit for CVE-2024-4671 exists in the wild,” the company said.

Google didn’t provide any other details about the exploit, such as what platforms were targeted, who was behind the exploit, or what they were using it for.

Posted on May 14, 2024 at 7:01 AM

Comments

echo May 14, 2024 7:34 AM

Back in the day one person could knock up a browser in three months. Okay, three years if you want to add some spit and polish. They’ve just got too big and fat and badly abstracted. The toolchains are junk. As with too many things they became about branding not standards.

The vulnerability, tracked as CVE-2024-4671, is a “use after free,” a class of bug that occurs in C-based programming languages. In these languages, developers must allocate memory space needed to run certain applications or operations. They do this by using “pointers” that store the memory addresses where the required data will reside. Because this space is finite, memory locations should be deallocated once the application or operation no longer needs it.

The C/C++ specification needed refactoring decades ago to simplify and tidy it up and improve coding practices. Instead they lurched off into templates and adding the kitchen sink with contrarians unironically whining that it would be impossible or expensive for compiler vendors to refactor and support while deprecating the old standards and practices. This vulnerability shouldn’t even be a thing.

When I coded I used to compile against multiple compilers and multiple LINT tools. If one compiler or LINT didn’t catch something another one would. Yes, C/C++ and LINT tools are that flaky. Ditto graphics. ATI, now AMD, have always been more compliant with specifications. NVidia still play dirty. It’s always best practice to compile against multiple implementations for the same reason, even if it’s to discover a driver bug and report it to the vendor. Legacy code is no problem if you abstracted at step one. I have deleted all my archives now, but I had code from 2000 onwards which would still run today. If I still produced code today it would be updated to the latest APIs where necessary and still run because it was abstracted properly from the start. It’s not dead code. It doesn’t “bit rot” because there’s no such thing as “bit rot”, only sloppy design and coding practices.

If people are going to rewrite everything in Rust they may as well review the specifications. Can’t they just get it right then leave it alone? They’re going to have to do it one day anyway. Might as well get it right now.

Bob Paddock May 14, 2024 8:34 AM

@echo

“The C/C++ specification needed refactoring…”

Herb Sutter is trying to do that with the CPPFront C++ Pre-Compiler:

https://github.com/hsutter/cppfront

Not just C/C++ May 14, 2024 9:00 AM

With regards,

“The vulnerability, tracked as CVE-2024-4671, is a “use after free,” a class of bug that occurs in C-based programming languages.”

Unfortunately it happens in many languages where memory management is not abstracted away from programmers.

If the language you use does not have built in automatic memory handling and garbage collection then “use after free” can happen.

It’s one of the major things that separates programmers on the ISA side of ‘the great divide’ from high level programmers on the high level language side.

The problem with C/C++ is it tries to straddle ‘the great divide’ as a ‘high level ISA independent assembler’ and ends up enabling the worst of both sides by default.

The use of pointers is usually easy in assembler level programming: either you grok it or you fail, obviously, early on. High level languages abstract pointers away from the programmer so they do not have to think about them, which thus hides the issue of understanding.

C/C++ does both, which means simple pointers become almost impossible due to trying to work within an abstraction model few ever really get to grips with and which is inherently fragile.

The fact that, historically, way too many high level languages were and still are written in C/C++ should be telling people something.

Worse, C++ encourages overly complex memory objects and few give thought to making them robust rather than fragile.

Yes I know people have strong views on the subject and that is just another part of the problem.
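The use-after-free mechanics quoted from Ars Technica in echo’s comment, and the point above about abstracting pointers away from the programmer, as an added example that is not from the post, from Ars Technica or from any commenter: a small C pool in which a raw pointer silently reads whatever now occupies a freed slot, beside a generation-tagged handle that rejects the stale reference. The pool, the handle type and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define SLOTS 4
typedef struct { unsigned gen; int live; char name[16]; } Slot;
typedef struct { unsigned idx, gen; } Handle;   /* slot index + generation */
static Slot table[SLOTS];                       /* static pool, no malloc */
void slot_table_reset(void) { memset(table, 0, sizeof table); }

/* Take a free slot and bump its generation: older handles to it go stale. */
Handle slot_alloc(const char *name) {
    for (unsigned i = 0; i < SLOTS; i++) {
        if (table[i].live) continue;
        table[i].live = 1;
        table[i].gen++;
        snprintf(table[i].name, sizeof table[i].name, "%s", name);
        return (Handle){ i, table[i].gen };
    }
    return (Handle){ SLOTS, 0 };                 /* pool exhausted: never resolves */
}

/* Resolve a handle; a generation mismatch is a caught use-after-free. */
Slot *slot_get(Handle h) {
    if (h.idx >= SLOTS || !table[h.idx].live || table[h.idx].gen != h.gen)
        return NULL;
    return &table[h.idx];
}

void slot_free(Handle h) {
    Slot *s = slot_get(h);
    if (s) s->live = 0;          /* gen stays; the next slot_alloc bumps it */
}

/* Raw pointer: after free and reuse it silently reads the new occupant. */
int raw_pointer_reads_reused_slot(void) {
    slot_table_reset();
    Handle a = slot_alloc("alice");
    Slot *p = slot_get(a);                       /* raw pointer kept around */
    slot_free(a);
    slot_alloc("bob");                           /* slot 0 now belongs to bob */
    return strcmp(p->name, "bob") == 0;          /* 1: stale read went through */
}

/* Handle: the same sequence, but the stale handle resolves to NULL. */
int stale_handle_is_rejected(void) {
    slot_table_reset();
    Handle a = slot_alloc("alice");
    slot_free(a);
    Handle b = slot_alloc("bob");                /* same slot, new generation */
    return a.idx == b.idx && slot_get(a) == NULL && slot_get(b) != NULL;
}
```

The pool is static storage rather than the heap so the stale read in the raw-pointer path is well defined and can be observed; with a real allocator the same access is undefined behaviour and is what AddressSanitizer flags as heap-use-after-free.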

echo May 14, 2024 9:47 AM

@Bob Paddock

Interesting! Thanks!!

https://www.reddit.com/r/programming/comments/xgs83a/comment/iowegj0/

I think the basic gist of what he’s trying to achieve sounds good.

@Not just C/C++

Myself I thought the basics were there but needed a little tidying. You could switch stuff on and off so some things would be allowed or not allowed from baby steps to blow your legs off. Then there’s better support in language or libraries as standard. That in my mind would have solved most of the immediate problems and kept everyone happy.

People have the expertise to do something while maintaining compiler compatibility with legacy code.

Oh well. Someone else’s problem now!

noname May 14, 2024 3:42 PM

Google shares their perspective on memory safety vulnerabilities, as a class, in this post.

https://security.googleblog.com/2024/03/secure-by-design-googles-perspective-on.html

The company is making investments in memory safe languages, including shipping some features for Chrome in Rust and setting up a $1 million grant to the Rust Foundation to enhance interoperability with C++ code.

Analysis by Google’s Project Zero “shows two thirds of 0-day exploits detected in the wild used memory corruption vulnerabilities.”

noname May 15, 2024 12:32 AM

@Wannabe Techguy

I wonder what Google expects in return for their investment?

Good question. Fewer memory safety issues across their products?

According to a Google technical report:

Memory safety bugs are responsible for the majority (~70%) of severe vulnerabilities in large C/C++ code bases. Below are the percentage of vulnerabilities due to memory unsafety:

• Chrome: 70% of high/critical vulnerabilities [6]
• Android: 70% of high/critical vulnerabilities [8]
• Google servers: 16-29% of vulnerabilities
• Project Zero: 68% of in-the-wild zero days [11]
• Microsoft: 70% of vulnerabilities with CVEs [17]

The Rust Foundation says Google’s donation is “earmarked to underwrite the Interop Initiative: a new C++/Rust interoperability effort.”

echo May 15, 2024 8:43 AM

Well, for the paranoid and cynical there is the plausible cover story and what they do with the data between discovery and announcement. It’s too rich a seam to do nothing with it.

I don’t trust or like Google in a general sense anyway. There’s just too many corporate and ethics issues not that this is unique to Google. It’s not so much what their wealth is going on which can be problematic in itself it’s what the wealth they hoard is not going on.

Who? May 15, 2024 9:10 AM

@ Wannabe Techguy

I wonder what Google expects in return for their investment?

Developing safe products, so they [Google] are the only ones violating the privacy of customers; Google’s dream is providing strong privacy protection for all users with a single exception for them, so Google continues gathering information on our private life even if we do not agree to their evil goals.

Safest products mean they will continue building and selling profiles of people, while other “people-as-cattle corporations” get out of business.

vas pup May 15, 2024 7:07 PM

US brothers arrested for stealing $25m in crypto in just 12 seconds
https://www.bbc.com/news/world-us-canada-69018575

“Two brothers who studied at one of the most prestigious universities in the US have been charged with stealing $25m in cryptocurrency in 12 seconds.

Anton Peraire-Bueno, 24, and James Peraire-Bueno, 28, are accused of wire fraud and money laundering.

The US Department of Justice said the alleged heist is the first of its kind.

Prosecutors also say the pair, reportedly educated at the Massachusetts Institute of Technology (MIT), carried it out in April 2023.

“The Peraire-Bueno brothers stole $25 million in Ethereum crypto currency through a technologically sophisticated, cutting-edge scheme they plotted for months and executed in seconds,” said Deputy Attorney General Lisa Monaco.

She added that agents from the Internal Revenue Service (IRS) played a key role in unravelling the “first-of-its kind wire fraud and money laundering scheme”.

Prosecutors allege the two used highly specialised skills that they learned at “one of the most prestigious universities in the world” to exploit Ethereum’s process for validating transactions.

“The defendants’ scheme calls the very integrity of the blockchain into question,” US Attorney Damian Williams said in a statement on Wednesday, referring to the public ledger that records crypto payments.

The brothers allegedly stole from Ethereum traders by fraudulently gaining access to pending private transactions and then altering the transactions to obtain their victims’ cryptocurrency.

Prosecutors note that this is the first time that such a “novel” form of fraud has ever been subject to criminal charges.

They each face over 20 years in prison if found guilty.”

ResearcherZero May 16, 2024 12:00 AM

@echo

There are no perfect systems. It is the imperfection and imbalance that gives rise to development and change. For this reason humans devised communication to solve issues. Yet few solutions are entirely perfect; there are always compromises and new issues.

Requirements change. None of those new requirements were envisaged originally.

Hence the maintenance cycle. Even a relatively simple design is not impregnable. Architecture changes. Architectural changes present new issues and new vulnerabilities.

New attacks are devised and evolve. What may have seemed robust no longer is secure.

No one builds a stone fortress expecting someone will build a B-52 Stratofortress.

ResearcherZero May 16, 2024 3:55 AM

We are in an arms race. – Electronic prescription service MediSecure has been breached.

https://www.smh.com.au/technology/police-investigate-large-scale-healthcare-data-breach-20240516-p5je66.html

Arms races do not have a single cause nor do they share the same predictors. This makes them difficult to quantify as they are complex and require multiple lines of inquiry.

Once the Cold War ended “so did a great deal of the scholarly interest in arms races.”
https://oxfordre.com/politics/display/10.1093/acrefore/9780190228637.001.0001/acrefore-9780190228637-e-350

This also has implications for the aim of having a well functioning and harmonious society.

“Democracies rely on people having a shared perception of the world.”
https://edition.cnn.com/2024/05/07/media/journalist-dangers-of-propaganda-reliable-sources/index.html

“Public debates and arguments are preoccupied less with ‘deep’ historical or universal meanings (as would be scholars of jurisprudence or art historians, for example) but with the practical significance of their pronouncements in the short run. For critics, that is precisely the problem: politicians compete to determine the course of events by purposefully ‘stretching’ truths and over- or understating problems to shape the situation in ways that, ultimately, favour their own quests for power – ”

Often, then, public discourse seems less a hermeneutical conversation than a crude struggle for attention or domination.

https://journals.sagepub.com/doi/full/10.1177/0263395720933779

Divisive discourse leads to societal fragmentation, and fosters apathy, confusion, animosity, and ignorance. This divide is widening based on the competitive, “us-versus-them” mentality communicated to political audiences.

https://news.illinoisstate.edu/2017/11/divisive-rhetoric-political-messages-limiting-democracy/

A matter of perception.

“The ability to place our own behaviors and the behaviors of others into a psychological framework can allow us to reflect on what we are experiencing and help us to understand and shape our actions.”

https://www.apa.org/monitor/2021/01/healing-political-divide

“When deciding what to amplify online or in civic discourse, we can improve how we contribute constructively to our society’s fragile social predicament if we’re aware of the most prominent seven rhetorical tactics that are likely to amplify polarization, leading to anger and potentially violence.”

https://theconversation.com/7-ways-to-spot-polarizing-language-how-to-choose-responsibly-what-to-amplify-online-or-in-person-177276

How to facilitate fraught conversations.
https://www.forbes.com/sites/kathycaprino/2024/02/20/3-key-ways-to-engage-in-more-productive-discourse-in-times-of-conflict/

ResearcherZero May 16, 2024 4:31 AM

“The direct and instantaneous comprehension of reality is quite complicated.”

A look at the current study of arms races:

https://www.hindawi.com/journals/mpe/2023/8857429/

Winter May 16, 2024 5:44 AM

@ResearcherZero

“Democracies rely on people having a shared perception of the world.”

This, again, is based on trust. People should not just have a shared perspective, they should trust the same sources of information and opinion.

For instance, if the shared perspective is that everyone is a psychopath out to get you, that won’t sustain democracy. You see that in countries with a divided population. I remember that Belgium almost fell apart from the “shared perspective” that French and Flemish speaking populations were out to get the “other side”. Although the perception was largely true, that was also a self-fulfilling prophecy as everybody believed it to be true.

The current “shared perspective” in the USA seems to be that both sides lie about everything as it suits them. That has become an excuse to actually lie about everything as the other side “does it too”.

In a more trusting society, the answer to that challenge would be that

an immoral act remains immoral whatever the other side does.

So, your lies are the wrong answer to other people’s lies. But in reality, most people act along “All is fair in love and war” [1]. And here is a real life prisoner’s dilemma where everyone ends up in the worst possible version of the world.

[1] I assume a certain short time variant of “love” is meant here.
