Google Pays Out $36,000 for Severe Chrome Vulnerability

SecurityWeek.com ^ | Wednesday 10/16/2024 | Ionut Arghire

[linMcHlp]

Google on Tuesday announced a fresh Chrome browser update that addresses 17 vulnerabilities, including 13 security defects reported by external researchers.

The most severe of the externally reported bugs is CVE-2024-9954, a high-risk use-after-free defect in AI . . .

The latest Chrome iteration is now rolling out as versions 130.0.6723.58/.59 for Windows and macOS, and as version 130.0.6723.58 for Linux.

[ansel12]

I try to keep it updated but sometimes am days or up to a week behind, with your reminder I just updated to the 130.0.6723.59

[maddog55]

Google sucks.. everything about it sucks. Their vehicle infotainment systems are a disaster as well.

[roving]

I like edge.

[linMcHlp]

Problem is within Chromium engine:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-5274

Thus, affects:

- Brave Browser
- Microsoft Edge
- pthers

[linMcHlp]

“pthers” pi-tu-eee

others

[ansel12]

My Brave keeps itself updated without my attention (but I checked anyway), and while I don’t use edge I did just open it and check for update because of your prompt.

[trebb]

I finally gave up and just use Edge - along with Windows Defender instead of other products.

[Bobalu]

I run Brave on windows as well as other browsers and mine reports version as 1.71.114 Chromium: 130.0.6723.58 (Official Build) (64-bit)

So, not sure if this is updated to the latest fix or not... it reports that it is updated to the newest but it is .58 not .59

Will switch to using another browser until I am sure...

My gaming PC still suffers from the Intel bug that causes CPU damage... have not received the latest update to firmware 0x12b so that PC sits idle :-/

groan

[MayflowerMadam]

“I finally gave up and just use Edge”

Edge came with my Windows 10 Dell. I don’t understand it; it won’t go away. I think I hate it. But Defender seems to do a good job.

[linMcHlp]

ADDITIONAL TROUBLE WITH CHROMIUM

There is a bug in Chromium that scrambles bookmarks.

Important: Maintain backups of Chromium-engined browser bookmarks - EXPORT to "bookmarks.html" file.

Bookmarks unusable since last update, blending together, changing when clicking on them, etc

[CatOwner]

What am I missing? The vulnerability is from late May 2024.

[CatOwner]

I was responding to post #5.

[linMcHlp]

You are missing the article - the OP - the latest rollouts (this week of October, 2024) that apparently include fixes.

[Pollard]

Edge is based on Chromium now. MS gave up on making their own browser from scratch.

[Pollard]

Chromium is google’s open source version of Chrome.

“” Chromium has been a Google project since its inception,[1][3] and Google employees have done the bulk of the development work.[14] “”

I just stumbled on a browser I’d never heard of called LibreWolf. It’s based on Firefox with a focus on privacy and security.

“” According to the website PrivacyTests.org, LibreWolf, along with Brave Browser and Tor Browser, had the most privacy protection compared to other browsers.[16][17] “”

I’m currently migrating from Waterfox to LibreWolf. I also have Brave which I use for specific things, like logging into my bank’s web app.

[linMcHlp]

Brave Browser DEVELOPMENT

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

https://chromium.woolyss.com/?stb=1#windows-64-bit

Intrinsically, Chromium is a Google project maintained by many authors (developers, engineers, graphic designers, security researchers ... ) from Google, Adobe, Amazon, ARM, Brave, Cloudflare, Facebook, Hewlett-Packard, IBM, Igalia, Intel, Logitech, Microsoft, Mozilla, Nvidia, Opera, Samsung, Vivaldi, Xiaomi, Yandex ... and external contributors.

Chromium is not only a web browser. It is a blend of different important open-source projects:

ANGLE (Graphics engine abstraction layer)
  https://en.wikipedia.org/wiki/ANGLE_(software)

Blink (Rendering/layout engine)
  https://en.wikipedia.org/wiki/Blink_(browser_engine)

Native Client (Sandbox for running native code)
  https://en.wikipedia.org/wiki/Google_Native_Client

PDFium (PDF generation and rendering library)
  https://pdfium.googlesource.com/pdfium/

Sandbox (Security mechanism for separating running programs)
  https://chromium.googlesource.com/chromium/src/+/master/docs/design/sandbox.md

Skia (Graphics library)
  https://en.wikipedia.org/wiki/Skia_Graphics_Engine

V8 (JavaScript engine)
  https://en.wikipedia.org/wiki/Chrome_V8

and others . . .

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Deviations from Chromium (features we [Brave] disable or remove)

    brave/brave-browser (at Github)

       https://github.com/brave/brave-browser/wiki/Deviations-from-Chromium-(features-we-disable-or-remove)

Chromium source is fetched

Brave code is fetched

Hooks are run

What Chromium features are removed for privacy/security reasons?

Services & Features We Disable Entirely

• Google accounts integration ("GAIA") is disabled
• All features that send data to Google are removed from settings
• DNS prefetching is disabled
• Chrome Google URL Tracker is disabled

And much more at that Github site.

- - - - - - - - -

Chromium is the core Internet browser, the engine around which, Google Chrome is built; with alterations for different Operating Systems.

Microsoft Edge is built around the Chromium engine. Same for Brave Browser and some others.

[bobbo666]

Anyone using Google’s chrome is a doofus. You get the same features by substituting the Chromium version that had all the spyware from Google ripped out.