Security

Google Delays Security for Apple Chrome

Leave a comment

March 1, 2022 Google announced a series of “high” security fixes as part of its “rapid” response to keep users safe from harm, which are being registered in some quarters as a critical upgrade to version 99.0.4844.51.

This update includes 28 security fixes.

CIS reported it this way, telling government and businesses to treat it as a HIGH risk situation.

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Details of the vulnerabilities are as follows:

CVE-2022-0789: Heap buffer overflow in ANGLE
CVE-2022-0790: Use after free in Cast UI
CVE-2022-0791: Use after free in Omnibox
CVE-2022-0792: Out of bounds read in ANGLE
CVE-2022-0793: Use after free in Views
CVE-2022-0794: Use after free in WebShare
CVE-2022-0795: Type Confusion in Blink Layout
CVE-2022-0796: Use after free in Media
CVE-2022-0797: Out of bounds memory access in Mojo
CVE-2022-0798: Use after free in MediaStream
CVE-2022-0799: Insufficient policy enforcement in Installer
CVE-2022-0800: Heap buffer overflow in Cast UI
CVE-2022-0801: Inappropriate implementation in HTML parser
CVE-2022-0802: Inappropriate implementation in Full screen mode
CVE-2022-0803: Inappropriate implementation in Permissions
CVE-2022-0804: Inappropriate implementation in Full screen mode
CVE-2022-0805: Use after free in Browser Switcher
CVE-2022-0806: Data leak in Canvas
CVE-2022-0807: Inappropriate implementation in Autofill
CVE-2022-0808: Use after free in Chrome OS Shell
CVE-2022-0809: Out of bounds memory access in WebXR

Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could view, change, or delete data.

The roll-out from Google was almost immediate for Linux and Windows users, yet days later some Apple users still are waiting to get the new version.

As of right now, macOS shows version 98 as current.


This seems worth raising publicly as Google has been very loudly trying to shame Apple for being slow in its own browser updates, yet clearly Google is being slow in its browser updates for Apple users.

I’m not seeing anyone reporting this as Google not patching Apple systems, and that’s not even to get into an exploit in the wild for Chrome 98 (prior version).

At this point it seems safer for Apple users to remove the insecure version of Chrome than to run it after public disclosure of the vulnerabilities, no?

History, Security

Significance of Russia’s “All Lives Matter” Campaign Bombing Kyiv Holocaust Memorials

Leave a comment

The BBC offers sharp insight into why Russia is firing missiles at memorials to victims of Nazism, killing civilians.

Babyn Yar is now a place of quiet contemplation, where thousands of people travel to every year to remember those who died. That it could be damaged or destroyed by an aggressive military attack goes against everything it stands for. But the significance of an attack so close to Babyn Yar goes deeper. “It is symbolic that [Russian President Vladimir Putin] starts attacking Kyiv by bombing the site of the Babyn Yar, the biggest Nazi massacre,” said the chair of Babyn Yar’s advisory board, Natan Sharansky.

A pattern of Russian ignorance and cover-ups is also laid bare in the article.

A few years after the Nazis attempted to cover their own tracks, the Soviets tried to flood the ravine with mud. Then in the 1960s, there was anger at plans to build a sports stadium there. Mr Sharansky said the construction of the TV tower directly adjacent to the memorial in the 1970s was another attempt to “destroy the memory of the Holocaust”. “There were so many attempts to erase Babyn Yar and change its nature, finally we turned it into a big memorial, and that is once again overshadowed by Russian aggression,” he said. For decades under Soviet rule, there was little to mark the massacre site, except a simple obelisk that referred to “Soviet” victims, without mentioning the Jews, who were the main victims. Finally, in the 1990s, a large Menorah monument was erected, when independent Ukraine decided to commemorate the Jewish victims. And last year a synagogue was opened.

Reads to me like the Russian mindset was to downplay systemic racism and obscure history by erecting an “all lives matter” obelisk on the spot where Nazis massacred Jews.

#RussianLivesMatter has been used to undermine the American fight against systemic racism by downplaying the impact of racism against African Americans, by suggesting police killings of Black Americans were deserved, and by framing empathy towards victims of police violence in Russia as a zero-sum game.

The Nazis killed nearly 34,000 Jews in two days in the Babyn Yar ravine, Kyiv as part of a sustained plan of genocide. Historians estimate two million were shot dead across occupied Europe.

Security

Researcher Immediately Bypasses Latest Apple AirTag Anti-Stalking Features

Leave a comment

A researcher in Germany has publicly released a post on how to bypass Apple’s latest efforts against unwanted tracking.

On February 10, Apple addressed this by publishing a news statement titled “An update on AirTag and unwanted tracking” in which they describe the way they are currently trying to prevent AirTags and the Find My network from being misused and what they have planned for the future.

…I was quite surprised, that when reading Apple’s statement I was able to immediately devise quite obvious bypass ideas for every current and upcoming protection measure mentioned in that relatively long list.

[…] They introduced the first-ever system for easy, cheap, worldwide tracking into a world where “unwanted tracking has long been a societal problem”, applaud themselves for implementing broken anti-stalking features, and now coerce others into also implementing protection against the tracking network they have rolled out.

Security

Wordfence Stops Protecting Russian Government Web Sites

Leave a comment

Wordfence is a popular service to help protect WordPress servers from attacks. Its CEO has announced they are giving its service away for free to Ukrainian top-level domains (.ua) while simultaneously removing its service from Russia.

…effective immediately, blocked Russian government websites from using Wordfence. Those sites will continue to have Wordfence installed and will function normally, but they will no longer receive any threat intelligence from our servers. That means they will no longer receive firewall rules, malware signatures, a list of IPs currently engaged in brute-force attacks, or our IP blocklist. We are not taking any action against non-government websites in Russia as we do not want to affect civilians.

No longer aiding Russia makes sense when sanctions are announced that prohibit trade with Russia. It begs a deeper question, however, whether Wordfence could shift into more active measures such as pushing rules and signatures that would make a government site vulnerable.