from Hacker News

Chrome 0day is being exploited now for CVE-2022-1096; update immediately

by gargarplex on 3/26/22, 5:45 PM with 145 comments

  • by suigetsusake on 3/26/22, 8:06 PM

    It looks like this impacts all chromium-based browsers [0] which might not be obvious (was not for me anyway)

    [0] https://msrc.microsoft.com/update-guide/vulnerability/CVE-20...

  • by ainar-g on 3/26/22, 10:03 PM

    Looks like these are the two commits, based on the issue number:

    https://github.com/v8/v8/commit/0981e91a4f8692af337e2588562a...

    https://github.com/v8/v8/commit/a2cae2180a7a6d64ccdede44d730...

    Although there could be others.

  • by tommiegannert on 3/26/22, 8:11 PM

    Looks like 99.0.4844.84 is the release we want.

    https://chromereleases.googleblog.com/2022/03/stable-channel...

  • by _Nat_ on 3/26/22, 7:57 PM

    > Not much is known, at least publicly, at this stage about CVE-2022-1096 other than it is a "Type Confusion in V8." This refers to the JavaScript engine employed by Chrome.

    Is there a safer JavaScript engine folks can use without having to worry about this sorta thing? Even if it's slower, less compatible, more resource-intensive, etc.?

    I feel like, in most cases, I could make do with JavaScript being 10x or even 100x slower, taking up 10x the RAM, lacking some uncommon features, and so forth -- if it meant being able to enable it without needing to worry about new zero-days.

  • by mdb31 on 3/26/22, 8:03 PM

    Chromium-based versions of Microsoft Edge are also vulnerable: updating to 99.0.1150.55 fixes this CVE

  • by gruez on 3/26/22, 8:36 PM

    Is there a site/service/mailing list that provides notifications for critical/RCE/in-the-wild exploit patches? Keeping every piece of software you run up-to-date takes a lot of work, and something like that would help with knowing what to prioritize.

  • by fn-mote on 3/26/22, 9:17 PM

    I use snap for some applications in spite of the trouble it has caused me. I was super-happy to find out that it had upgraded me to a not-vulnerable version of chromium before I even knew to look.

    For all of the (deserved) hate snap gets, there are some shining up sides.

  • by nathants on 3/26/22, 10:43 PM

    securing a machine that is updated regularly and runs untrusted code is not realistic, monitoring network exfil is.

    an exploit that cannot communicate is likely benign and easy to detect in the attempt.

    monitor all outbound network connections with a gui prompt that defaults to deny. whitelist trusted domains/ip for a better experience and a bit less security.

    macos has littlesnitch[1], linux has opensnitch[2], or roll your own on libnetfilterqueue[3].

    bonus points if the filtering happens upstream at a router or wireguard host so a compromised machine cannot easily disable filtering.

    bonus points if the filtering is at executable level granularity instead of system level.

    1. https://www.obdev.at/products/littlesnitch/index.html

    2. https://github.com/evilsocket/opensnitch

    3. https://github.com/nathants/tinysnitch
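The comment above describes a default-deny outbound policy with per-executable granularity. The script below is an added example, not part of this thread and not code from Little Snitch, OpenSnitch or tinysnitch: it evaluates constructed connection events (the `exe=... host=... ip=... port=...` log format, the policy table and the sample lines are all assumptions for illustration) against an allowlist keyed by executable path, where destinations may be exact domains, `*.suffix` wildcards or CIDR networks, and anything unmatched, including any executable absent from the table, is denied.

```python
"""Default-deny, per-executable outbound allowlist evaluated over constructed
connection events. Added example; the event format, the POLICY table and the
SAMPLE_LOG lines are assumptions, not the format of any real tool."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    exe: str        # absolute path of the process that opened the socket
    dst_host: str   # destination hostname if known, else ""
    dst_ip: str     # destination IP address
    dst_port: int


# Hypothetical policy: executable -> allowed destinations. A destination is
# either a domain (exact, or "*.suffix" for the suffix and its subdomains)
# or an IP network in CIDR notation. Anything not listed is denied.
POLICY = {
    "/usr/bin/chromium": {"*.example.com", "10.0.0.0/8"},
    "/usr/bin/apt": {"deb.debian.org", "security.debian.org"},
}


def _is_network(pattern):
    """True if the pattern parses as an IP address or CIDR network."""
    try:
        ipaddress.ip_network(pattern, strict=False)
        return True
    except ValueError:
        return False


def _ip_matches(pattern, ip):
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False


def _host_matches(pattern, host):
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[2:].lower()
        return host == suffix or host.endswith("." + suffix)
    return host == pattern.lower()


def decide(event, policy=POLICY):
    """Return ("allow" | "deny", reason) for one event. Default is deny."""
    allowed = policy.get(event.exe)
    if allowed is None:
        return "deny", "executable not in policy"
    for pattern in allowed:
        if _is_network(pattern):
            if _ip_matches(pattern, event.dst_ip):
                return "allow", f"ip matches {pattern}"
        elif event.dst_host and _host_matches(pattern, event.dst_host):
            return "allow", f"host matches {pattern}"
    return "deny", "destination not in allowlist for executable"


def parse_event(line):
    """Parse one constructed 'key=value key=value' connection log line."""
    fields = dict(part.split("=", 1) for part in line.split())
    return Event(fields["exe"], fields.get("host", ""), fields["ip"], int(fields["port"]))


def evaluate_log(text, policy=POLICY):
    """Return [(event, verdict, reason)] for every non-empty line of the log."""
    results = []
    for line in text.splitlines():
        if line.strip():
            ev = parse_event(line)
            verdict, reason = decide(ev, policy)
            results.append((ev, verdict, reason))
    return results


def denied(text, policy=POLICY):
    """Only the events the policy would block; these are the alert candidates."""
    return [ev for ev, verdict, _ in evaluate_log(text, policy) if verdict == "deny"]


# Constructed sample events (TEST-NET / documentation addresses, .test TLD).
SAMPLE_LOG = """\
exe=/usr/bin/chromium host=www.example.com ip=93.184.216.34 port=443
exe=/usr/bin/chromium host=cdn.unknown.test ip=203.0.113.7 port=443
exe=/usr/bin/chromium host= ip=10.1.2.3 port=8443
exe=/usr/bin/apt host=deb.debian.org ip=151.101.2.132 port=80
exe=/tmp/unknown-binary host= ip=198.51.100.9 port=4444
"""

if __name__ == "__main__":
    for ev, verdict, reason in evaluate_log(SAMPLE_LOG):
        print(f"{verdict:5} {ev.exe} -> {ev.dst_host or ev.dst_ip}:{ev.dst_port} ({reason})")
```

The policy is keyed on the executable path rather than the whole host, which is the "executable level granularity" the comment asks for; a GUI prompt would sit where `decide` returns "deny" and would either add the destination to `POLICY` or leave the block in place. Evaluating the same rules on a router or VPN host, as the comment also suggests, means the decision no longer depends on the possibly compromised endpoint, at the cost of losing the per-executable attribution.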

  • by t3odump on 3/28/22, 10:36 AM

    I would like to analyze the issue of browser security without controversy. Can the mitigations that Edge puts into practice (I'm talking about "Super Duper Secure" and "Enhanced Security") prevent the operation of exploits in the V8 engine like this 0-day?

    Is this platform dependent, or does the mitigation in progress work well? I mean, for example, whether some feature such as ACG is available out of the box on Mac and Linux.

    This analysis is very interesting because I have only read analyses related to privacy and not about security and integrity. (I mean a comparison between Chrome, Edge, Brave, etc.)

  • by janci on 3/26/22, 8:49 PM

    Is Chrome for android affected? And V8 in nodejs?

  • by buro9 on 3/26/22, 8:16 PM

    Type confusion in V8... May well impact Cloudflare workers too.

  • by eezurr on 3/26/22, 10:53 PM

    Anyone know if this affects Vivaldi? I assume it does since it's chromium based, but there isn't an update available.

  • by bArray on 3/27/22, 3:49 AM

    Just added a bug for the Ubuntu Chromium dev PPA to update their packages: https://bugs.launchpad.net/ubuntu/+source/chromium-browser/+...

  • by ruuda on 3/26/22, 9:42 PM

    Type confusion in V8 ... Fortunately I turned off javascript by default since Meltdown/Spectre.

  • by amelius on 3/26/22, 8:17 PM

    Is Electron at risk too?

  • by sysOpOpPERAND on 3/27/22, 10:30 AM

    why is chrome having so many updates within the past few months? is it because of coverage? (more users?). i use chrome off and on between that and firefox depending on the site and i am surprised how often i've been reading about issues with chrome.

    should i switch browsers altogether?

  • by whatev1942 on 3/28/22, 6:20 AM

    What about CloudFlare? Does this bring to question their decision to use V8?

  • by paulpauper on 3/26/22, 8:05 PM

    this just goes to show that updates are always 2 or so steps behind. It's a near certainty that governments, top criminal organizations have a trove of exploits for all major programs, and new ones created after old ones get patched.

  • by badrabbit on 3/26/22, 9:22 PM

    Is there a public exploit for this? Working on detecting browser exploitation myself.

  • by TT-392 on 3/26/22, 9:57 PM

    Anyone know if qutebrowser is affected?

  • by baq on 3/26/22, 8:01 PM

    Just what the doctor ordered in the middle of a war which is also waged in the information space. Hopefully the fact that it’s in v8 will take the exploit a bit longer than usual to proliferate.

  • by octoberfranklin on 3/26/22, 8:07 PM

    When the web "standards" are so insanely complicated that even Google can't implement them securely, it's time to admit that we have a problem.

    When there is only one other complete implementation of these "standards" (with minuscule market share), it's time to panic.