chrome

google-patches-its-fifth-zero-day-vulnerability-of-the-year-in-chrome

Google patches its fifth zero-day vulnerability of the year in Chrome

Biz & IT, chrome, Google, Security, Uncategorized, vulnerability, zero-day / /

MEMORY WANTS TO BE FREE —

Exploit code for critical “use-after-free” bug is circulating in the wild.

Extreme close-up photograph of finger above Chrome icon on smartphone.

Google has updated its Chrome browser to patch a high-severity zero-day vulnerability that allows attackers to execute malicious code on end user devices. The fix marks the fifth time this year the company has updated the browser to protect users from an existing malicious exploit.

The vulnerability, tracked as CVE-2024-4671, is a “use after free,” a class of bug that occurs in C-based programming languages. In these languages, developers must allocate memory space needed to run certain applications or operations. They do this by using “pointers” that store the memory addresses where the required data will reside. Because this space is finite, memory locations should be deallocated once the application or operation no longer needs it.

Use-after-free bugs occur when the app or process fails to clear the pointer after freeing the memory location. In some cases, the pointer to the freed memory is used again and points to a new memory location storing malicious shellcode planted by an attacker’s exploit, a condition that will result in the execution of this code.

On Thursday, Google said an anonymous source notified it of the vulnerability. The vulnerability carries a severity rating of 8.8 out of 10. In response, Google said, it would be releasing versions 124.0.6367.201/.202 for macOS and Windows and 124.0.6367.201 for Linux in subsequent days.

“Google is aware that an exploit for CVE-2024-4671 exists in the wild,” the company said.

Google didn’t provide any other details about the exploit, such as what platforms were targeted, who was behind the exploit, or what they were using it for.

Counting this latest vulnerability, Google has fixed five zero-days in Chrome so far this year. Three of the previous ones were used by researchers in the Pwn-to-Own exploit contest. The remaining one was for a vulnerability for which an exploit was available in the wild.

Chrome automatically updates when new releases become available. Users can force the update or confirm they’re running the latest version by going to Settings > About Chrome and checking the version and, if needed, clicking on the Relaunch button.

Google patches its fifth zero-day vulnerability of the year in Chrome Read More »

microsoft-edge-is-apparently-usurping-chrome-on-people’s-pcs

Microsoft Edge is apparently usurping Chrome on people’s PCs

chrome, Microsoft Edge, Tech / /

invasion of the browser snatchers —

An apparent bug that plays into criticisms of how Microsoft pushes Edge.

Microsoft Edge is apparently usurping Chrome on people’s PCs

If you run the Chrome browser in Windows 10 or 11 and you’ve suddenly discovered that you’re running Microsoft Edge instead, you’re not alone. The Verge’s Tom Warren reports that he and multiple other users on social media and Microsoft’s support forums have suddenly found their Chrome browsing sessions mysteriously replicated in Edge.

Without an official comment from Microsoft, Warren posits that the tab-snatching happened because of a bug or an inadvertently clicked-through dialog box that triggers a feature in Edge that’s meant to make it easier to (intentionally) switch browsers. The setting, which can be accessed by typing edge://settings/profiles/importBrowsingData into the browser’s address bar, offers to import recent browsing data from Chrome every time you launch Edge, as opposed to the one-time data import it offers for Firefox.

The setting in question, as seen on a Windows 11 23H2 system running Edge 122. It will offer to continuously import data from Chrome, but not from other browsers. Edge will offer a one-time data import from Firefox, but most other browsers (like Opera) don't show up here.

Enlarge / The setting in question, as seen on a Windows 11 23H2 system running Edge 122. It will offer to continuously import data from Chrome, but not from other browsers. Edge will offer a one-time data import from Firefox, but most other browsers (like Opera) don’t show up here.

Andrew Cunningham

Assuming it is a bug, this data-importing issue is hard to distinguish from some of Microsoft’s actual officially sanctioned, easy-to-reproduce tactics for pushing Edge. I encountered two of these while installing Chrome on a PC for this piece—one when I navigated to the Chrome download page and another across the top of Edge’s Settings pages after I had set another browser as my default.

Microsoft has also used system notifications, special Edge-specific pop-up messages, and full-screen post-update messages about “recommended browser settings” to push Windows users into running Edge and using Bing. (I personally would love it if PCs I’ve been using for months or years would stop asking me to “finish setting up [my] device.”)

Edge is based on the same Chromium browsing engine as Chrome, and most users probably wouldn’t notice much of a difference in how most pages render in either browser. But Edge is centered on Microsoft’s products and services, starting with a Microsoft account but also extending to coupon codes and other shopping notifications, the Microsoft 365 app suite, and generative AI tools like Image Designer and the Copilot chatbot.

Microsoft has gotten more aggressive about how it pushes everything from Microsoft account sign-in to Microsoft 365 and Game Pass subscriptions in recent years, something that has made a “clean” Windows install feel much less clean than it used to. Whether this Edge data-import thing is a bug, it’s telling that it’s not immediately obvious whether it’s a bug or something that Microsoft did intentionally.

Microsoft Edge is apparently usurping Chrome on people’s PCs Read More »

the-year-of-windows-on-arm?-google-launches-official-chrome-builds.

The year of Windows on Arm? Google launches official Chrome builds.

chrome, Google, google chrome, Tech, windows on arm / /

Armed and ready —

Chrome for Windows-on-Arm should hit stable in time for Qualcomm’s big launch.

The Chrome nightly download page with an important section highlighted.

Enlarge / The Chrome nightly download page with an important section highlighted.

Ron Amadeo

Chrome is landing on a new platform: Windows on Arm. We don’t have an official announcement yet, but X user Pedro Justo was the first to spot that the Chrome Canary page now quietly hosts binaries for “Windows 11 Arm.”

Chrome has run on Windows for a long time, but that’s the x86 version. It also supports various Arm OSes, like Android, Chrome OS, and Mac OS. There’s also Chromium, the open source codebase on Chrome, which has run on Windows Arm for a while now, thanks mostly to Microsoft’s Edge browser being a Chromium derivative. The official “Google Chrome” has never been supported on Windows on Arm until now, though.

Windows may be a huge platform, but “Windows on Arm” is not. Apple’s switch to the Arm architecture has been a battery life revelation for laptops, and in the wake of that, interest in Windows on Arm has picked up. A big inflection point will be the release of laptops with the Qualcomm Snapdragon X Elite SoC in mid-2024. Assuming Qualcomm’s pre-launch hype pans out, this will be the first Arm on Windows chip to be in the same class as Apple Silicon. Previously, Windows on Arm could only run Chrome as an x86 app via a slow translation layer, so getting the world’s most popular browser to a native quality level in time for launch will be a big deal for Qualcomm.

The “Canary” channel is Chrome’s nightly builds channel, so fresh Arm builds should be arriving at a rapid pace. Usually, Canary features take about two months to hit the stable channels, which would be plenty of time for the new Snapdragon chip. It’s hard to know if Google will stick to that timeline, as this is a whole new architecture/OS combo. But again, most of the work has been ongoing for years now. The next steps would be rolling out Windows Arm dev and beta channels soon.

Listing image by Photo illustration by Aurich Lawson

The year of Windows on Arm? Google launches official Chrome builds. Read More »

google-agrees-to-settle-chrome-incognito-mode-class-action-lawsuit

Google agrees to settle Chrome incognito mode class action lawsuit

chrome, class action, Google, incognito mode, lawsuit, Policy, privacy / /

Not as private as you thought —

2020 lawsuit accused Google of tracking incognito activity, tying it to users’ profiles.

Google agrees to settle Chrome incognito mode class action lawsuit

Getty Images

Google has indicated that it is ready to settle a class-action lawsuit filed in 2020 over its Chrome browser’s Incognito mode. Arising in the Northern District of California, the lawsuit accused Google of continuing to “track, collect, and identify [users’] browsing data in real time” even when they had opened a new Incognito window.

The lawsuit, filed by Florida resident William Byatt and California residents Chasom Brown and Maria Nguyen, accused Google of violating wiretap laws. It also alleged that sites using Google Analytics or Ad Manager collected information from browsers in Incognito mode, including web page content, device data, and IP address. The plaintiffs also accused Google of taking Chrome users’ private browsing activity and then associating it with their already-existing user profiles.

Google initially attempted to have the lawsuit dismissed by pointing to the message displayed when users turned on Chrome’s incognito mode. That warning tells users that their activity “might still be visible to websites you visit.”

Judge Yvonne Gonzalez Rogers rejected Google’s bid for summary judgement in August, pointing out that Google never revealed to its users that data collection continued even while surfing in Incognito mode.

“Google’s motion hinges on the idea that plaintiffs consented to Google collecting their data while they were browsing in private mode,” Rogers ruled. “Because Google never explicitly told users that it does so, the Court cannot find as a matter of law that users explicitly consented to the at-issue data collection.”

According to the notice filed on Tuesday, Google and the plaintiffs have agreed to terms that will result in the litigation being dismissed. The agreement will be presented to the court by the end of January, with the court giving final approval by the end of February.

Google agrees to settle Chrome incognito mode class action lawsuit Read More »