Here’s the short version.
Google just issued a Chrome update with a note that says, “This update includes 1 [critical] security fix.”
Apr 11, 2019 Sophos is telling users who have installed the update to boot into safe mode, disable Sophos antivirus, then boot into normal mode and uninstall the problematic Windows update.
Unfortunately for the curious Chrome user, the long version doesn’t say much more:
The stable channel has been updated to 81.0.4044.113 for Windows, Mac, and Linux, which will roll out over the coming days/weeks.
[…]
Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
This update includes 1 security fix. Please see the Chrome Security Page for more information.
[$TBD][1067851] Critical CVE-2020-6457: Use after free in speech recognizer. Reported by Leecraso and Guang Gong of Alpha Lab, Qihoo 360 on 2020-04-04
The bug itself is still a secret, even though the Chromium core of the Chrome browser is an open source project. The software modifications that patched this hole will ultimately become public but, presumably, that they aren’t now means that both the nature of the bug and how to exploit it can easily be deduced from the fix.
Even closed-source software patches that reveal changes only at the machine code level are often eagerly “wrangled backwards” by researchers and crooks alike in order to figure out what was wrong in the first place.
Often, knowing what specific checks were added to program code in order to detect and head off potential exploits can save an attacker weeks or even months of “black-box” bug hunting.
For example, imagine that you know a weirdly sized image might crash a pixel-processing algorithm.
That alone would be a hint of how to provoke a crash, but you still might need to try tens of billions of combinations to rediscover the bug yourself.
But now imagine that you can see clearly that the code takes special precautions – checks that weren’t there before – such as blocking processing of images where the height is exactly 1.337 times the width and the corner pixels are red.
That’s a bit like knowing four of the six lottery numbers before the draw starts, giving you a much better chance than anyone playing at random.
As we explained in a recent article about a Firefox zero-day hole, a use-after-free bug gets its name from a common system function called free()
that programmers are supposed to call to return blocks of memory to the operating system when they’re done using them.
Programmers that forget to call free()
may end up hogging way more memory than they really need, which can bog down the rest of the system.
But programmers who do call free()
have to be really careful not to keep on using the freed-up memory block by mistake.
Otherwise, by the time they come to rely on the data in that memory block, another process or another part of the same software may have starting using it for something else.
For example, if you read in a number that’s supposed to tell you how big the next network packet is going to be, but someone else has already overwritten that number with, say, the total amount of disk space available, you could end up with an answer such as 3 billion when the right number should be no more than, say, 300.
Dangerous bugs can arise from this sort of mistake, which basically means that the software is treating untrusted data as if it can be relied upon entirely.
As we wrote last time:
[I]n some cases, use-after-free bugs can allow an attacker to change the flow of control inside your program, including diverting the CPU to run untrusted code that the attacker just poked into memory from outside, thereby sidestepping any of the browser’s usual security checks or “are you sure” dialogs.
That’s the most serious sort of exploit, known in the jargon as RCE, short for remote code execution, which means just what it says – that a crook can run code on your computer remotely, without warning, even if they’re on the other side of the world.
We’re assuming, because this bug is dubbed critical, that it enables RCE.
Curiously, despite a bug that’s critical enough to imply that it is exploitable and that exploiting it could let a crook implant malware on your computer, Google advises that the new version “will roll out over the coming days/weeks.”
Days might be OK, but weeks sounds too long to us, so we recommend going through the update process as as soon as you can.
Go to the About Chrome menu option (or About Chromium if you use the non-proprietary flavour of the browser) and check that you have 81.0.4044.113 or later.
If you aren’t yet patched, checking the version should automatically trigger an update.
As an aside, we were hoping there would be an easy way to turn off the speech recognizer part of Chrome and thereby perhaps to neutralise this bug anyway. (Who knew there was a speech recognizer built right into the browser itself?)
But we can’t find any way to configure the speech recognizer, or even a Chromium setting that acknowledges its existence at all.
We speculated that turning off microphone access in Chrome entirely might help, but we don’t know whether that would be enough to prevent the buggy code being triggered anyway, given that the faulty code might be used before the “allow microphone access” prompt shows up.
If you know how (and, better yet, if it would be a workaround for this bug), please let us know in the comments below!
LISTEN NOW
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.
If WordPress had a list of the most requested features, the ability to automatically update plugins and themes would surely be near the top.
Some good news: according to a recent development update, the ability to do this is now being beta-tested in the form of a new plugin for WordPress 5.5, due in August. Download 3d max for mac.
WordPress itself, the Content Management System Core, has had auto-updating since version 3.7 in 2013, which meant that security updates could be applied automatically.
Given the number of attacks exploiting WordPress vulnerabilities in the years leading up to that change, it was a big moment.
Unfortunately, the same wasn’t true of that other area of WordPress exposure, namely plugins and themes.
Whereas many years ago such add-ons were viewed as optional for most sites, these days many have become essential additions that add important capabilities to WordPress sites.
Vulnerabilities in these now generate a steady stream of stories:
We didn’t cherrypick these – all of these were from 2020.
Admins can either hack the updating themselves, or get their hands grubby and do it manually. The latter option has the obvious weakness that admins fall behind in updating, or simply ignore the problem entirely.
But how would admins know to update at all? Only if they receive security notices and pay attention to them, a haphazard process at best.
Once auto-updating appears in WordPress Core, admins will be able to opt in via the WP-admin screen. The design will still allow admins to opt out on a plugin-by-plugin or theme-by-theme basis.
This is important because updates can sometimes cause problems. For many sites, the risk of not updating will be outweighed by the risk of this happening automatically.
If admins opt in, they will also get summaries notifying them of changes, an important feature given that updates now appear regularly. The WordPress team wrote:
Now, your help is needed to test, validate, and improve the current feature to ensure that it meets the needs of the WordPress community.
LISTEN NOW
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.