comp / comp.os.linux.misc / Re: Google Goodness - Chrome Has Serious Security Flaw, Update FAST

Subject: Google Goodness - Chrome Has Serious Security Flaw, Update FAST
From: 186282@ud0s4.net
Newsgroups: talk.politics.misc, comp.os.linux.misc, alt.politics, alt.security
Organization: vector apex
Date: Thu, 1 Aug 2024 02:37 UTC
Path: eternal-september.org!news.eternal-september.org!feeder3.eternal-september.org!border-2.nntp.ord.giganews.com!nntp.giganews.com!Xl.tags.giganews.com!local-3.nntp.ord.giganews.com!nntp.earthlink.com!news.earthlink.com.POSTED!not-for-mail
NNTP-Posting-Date: Thu, 01 Aug 2024 02:37:28 +0000
Newsgroups: talk.politics.misc,comp.os.linux.misc,alt.politics,alt.security
X-Mozilla-News-Host: news://news.west.earthlink.net:119
From: 186283@ud0s4.net (186282@ud0s4.net)
Subject: Google Goodness - Chrome Has Serious Security Flaw, Update FAST
Organization: vector apex
Date: Wed, 31 Jul 2024 22:37:27 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.13.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Message-ID: <PEidnZZOXbl1aTf7nZ2dnZfqnPadnZ2d@earthlink.com>
Lines: 77
X-Usenet-Provider: http://www.giganews.com
NNTP-Posting-Host: 99.101.150.97
X-Trace: sv3-8drCyPx0WHUOUA8lclqp64FoyfbYa0uCmnMzlE57oLkbR5QdN2BSbxH5o2bThfooczSt7261HB4+Ali!6PVbbcoufPW881Qpbl6yZ6L+yTdRKwbFg2S3JNOX0gW6xjRfEyf0YpaAg5BGIR8G09W9lFG4cpqw!T4FuOLsjKkyHtpDq6bfV
X-Abuse-and-DMCA-Info: Please be sure to forward a copy of ALL headers
X-Abuse-and-DMCA-Info: Otherwise we will be unable to process your complaint properly
X-Postfilter: 1.3.40

https://www.dailymail.co.uk/sciencetech/article-13693891/Update-Chrome-Google-critical-flaw.html

Google has rolled out a security update for Chrome, which
fixes flaws that allowed hackers to steal user data.

According to the search giant, the new update includes three
significant patches, two deemed high severity and one
'critical.'

Users are urged to update their Chrome accounts immediately
by closing the browser and reopening it.

You can check if you have the latest version by opening
the Chrome browser, click the three dots (⋮) in the top-right
corner, and choose Help > About Google Chrome.

.. . .

This MEANS that bad actors have been stealing all
your data and account numbers and bank numbers and
such for a while already ...

First, two M$ disasters within two weeks, and now this.

What's tomorrow ?

Computers - esp Win computers - just seem to be going
all ROTTEN of late. Not only have criminal syndicates
dedicated to finding/exploiting weaknesses grown
exponentially, but more and more of them are now funded
and advised by hostile governments.

I'm gonna say something you don't want to hear ...
that online biz/banking/industry will soon be
just too risky to use. The big providers will
lie to you for a while, swear everything's good,
but very soon it will be impossible to hide.

Hey, GO to a store. VISIT your bank branch or
broker. Let them get to know your face, who
you are. We're quickly heading back to the
future here ... comp/online stuff simply
cannot be protected or safe under even the
current level of attacks.

I'd suggest LOCAL Amazon/etc storefronts where
you can peruse their catalog - and then hand
a list to a HUMAN using some much more secure,
likely non-Win, link with corporate central.
Remind you of the old Sears experience ? Well ...

Unix/Linux/AIX/zOS-based systems with HEAVY encryption
and proprietary networks can be much more inherently
secure than anything sold by M$ ... though still not
'perfect', nothing is "perfect" anymore now that
Russia/China/NK and their unlimited resources
are involved.

As for Chrome ... there IS a non-commercial version
called Chromium which lacks most of the internal
spyware features (which can be exploited). Can be
a bit of a trial getting it for Win, but it's out
there for Linux/Unix no problem. Win users/fools
can also install a virtual-machine system like
VirtualBox and run a Linux/Unix distribution
inside it ... maybe where you'd go to do actual
online biz/banking. I'll suggest VMs that run
ON your box, not 'cloud' versions that send all
yer stuff through M$ links or such.

Oh, for Win people, Linux/Unix come in MANY MANY
'distributions' with different look and feel and
perhaps preferred intent of use. They run from
large to small, there are half a dozen good
desktop environments as compared to ONE for Win,
all with a different look-n-feel. You can even
install several and switch back and forth.
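The article quoted above tells users to confirm their version through Help > About Google Chrome. On a Linux box (this is comp.os.linux.misc, after all) the same check can be scripted. The script below is an added example, not part of the original post or of any Google tooling: it parses the output of `google-chrome --version` / `chromium --version`, compares dotted version numbers component by component, and reports whether the installed build is at or above a minimum. The minimum version is a PLACEHOLDER (999.0.0.0) because the thread does not state the fixed build number; set MIN_FIXED_VERSION from Google's stable channel announcement. The binary names searched and the sample "snap" suffix are assumptions about common distro packaging.

```shell
#!/bin/sh
# Added example (not from the thread): check the installed Chrome/Chromium
# version on Linux against a minimum fixed version.
# PLACEHOLDER: the real fixed build number is not given in the thread;
# override with MIN_FIXED_VERSION=127.x.y.z ./check-chrome.sh
MIN_FIXED_VERSION="${MIN_FIXED_VERSION:-999.0.0.0}"

# Extract the first dotted version number from text such as
# "Google Chrome 127.0.6533.88" or "Chromium 127.0.6533.88 snap"
# (the trailing "snap" field is an assumed distro-specific suffix).
parse_version() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i <= NF; i++)
                   if ($i ~ /^[0-9]+(\.[0-9]+)+$/) { print $i; exit } }'
}

# Return 0 (true) if dotted version $1 >= dotted version $2.
# Components are compared numerically, left to right; a missing
# component counts as 0, so "127.0" == "127.0.0" and "127.0.6533" < "127.0.6533.88".
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        [ "$ah" = "$a" ] && a="" || a="${a#*.}"
        [ "$bh" = "$b" ] && b="" || b="${b#*.}"
        ah="${ah:-0}"; bh="${bh:-0}"
        if [ "$ah" -gt "$bh" ]; then return 0; fi
        if [ "$ah" -lt "$bh" ]; then return 1; fi
    done
    return 0
}

# Print the first browser binary found on PATH (assumed common package
# names); return 1 if none is installed.
find_browser() {
    for bin in google-chrome google-chrome-stable chromium chromium-browser; do
        if command -v "$bin" >/dev/null 2>&1; then
            printf '%s\n' "$bin"
            return 0
        fi
    done
    return 1
}

# Report the installed version against MIN_FIXED_VERSION.
# Returns 1 only when an installed browser is older than the minimum.
check_browser() {
    bin=$(find_browser) || { echo "no Chrome/Chromium binary on PATH"; return 0; }
    installed=$(parse_version "$("$bin" --version 2>/dev/null)")
    if [ -z "$installed" ]; then
        echo "could not parse a version from '$bin --version'"
        return 0
    fi
    if version_ge "$installed" "$MIN_FIXED_VERSION"; then
        echo "$bin $installed is at or above $MIN_FIXED_VERSION"
        return 0
    fi
    echo "$bin $installed is OLDER than $MIN_FIXED_VERSION: update and restart the browser"
    return 1
}

check_browser
```

The comparison is done per component rather than as a string or float, because "127.0.6533.88" sorts before "127.0.6533.9" lexically; a naive string check would wrongly report a patched build as outdated. A non-zero exit status from the script makes it usable from cron or a login hook.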

Subject: Re: Google Goodness - Chrome Has Serious Security Flaw, Update FAST
From: Computer Nerd Kev
Newsgroups: talk.politics.misc, comp.os.linux.misc, alt.politics, alt.security
Organization: Ausics - https://newsgroups.ausics.net
Date: Thu, 1 Aug 2024 08:16 UTC
References: 1
Message-ID: <66ab4474@news.ausics.net>
From: not@telling.you.invalid (Computer Nerd Kev)
Subject: Re: Google Goodness - Chrome Has Serious Security Flaw, Update FAST
Newsgroups: talk.politics.misc,comp.os.linux.misc,alt.politics,alt.security
References: <PEidnZZOXbl1aTf7nZ2dnZfqnPadnZ2d@earthlink.com>
User-Agent: tin/2.0.1-20111224 ("Achenvoir") (UNIX) (Linux/2.4.31 (i686))
NNTP-Posting-Host: news.ausics.net
Date: 1 Aug 2024 18:16:52 +1000
Organization: Ausics - https://newsgroups.ausics.net
Lines: 120
X-Complaints: abuse@ausics.net
Path: eternal-september.org!news.eternal-september.org!feeder3.eternal-september.org!news.bbs.nz!news.ausics.net!not-for-mail

In comp.os.linux.misc 186282@ud0s4.net <186283@ud0s4.net> wrote:
> https://www.dailymail.co.uk/sciencetech/article-13693891/Update-Chrome-Google-critical-flaw.html
>
> Google has rolled out a security update for Chrome, which
> fixes flaws that allowed hackers to steal user data.

Just a media beat-up, cashing in on a public that's temporarily
realised the implications of a software bug in the wrong place.

> According to search giant, the new update includes three
> significant patches, two deemed high severity and one
> 'critical.'

Which isn't anything that unusual, following the link to a
description of the vulnerabilities you get:

CVE-2024-6990: A critical vulnerability involving uninitialized use
in Dawn, reported on July 15, 2024. This flaw could
potentially allow attackers to exploit the browser,
leading to crashes or other malicious activities.
CVE-2024-7255: A high-severity out-of-bounds read issue in
WebTransport, reported by Marten Richter on July 13,
2024. This vulnerability could enable attackers to
read sensitive information from other memory locations.
CVE-2024-7256: Another high-severity issue involving insufficient
data validation in Dawn, reported on July 23, 2024.
This flaw could be exploited to inject malicious data
into the browser.
https://cybersecuritynews.com/google-critical-security-update-chrome/

Google's announcement is here:
https://chromereleases.googleblog.com/2024/07/stable-channel-update-for-desktop_30.html

It looks like the previous "critical" vulnerability was in April:
https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_24.html

Firefox last had one in March:
https://www.mozilla.org/en-US/security/advisories/mfsa2024-16/

I read about the Firefox vulnerabilities, and discovery of these sorts
of bugs, mainly memory access ones, is pretty routine:
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/

> Users are urged to update their Chrome accounts immediately
> by closing the browser and reopening it.

"Update their Chrome accounts"? Journalists choose some strange
words at times.

> [end article quotes]
> This MEANS that bad actors have been stealing all
> your data and account numbers and bank numbers and
> such for a while already ...

No, it just means they _could_ have been, if they put the work in
to exploit the vulnerability in a useful way.

> Computers - esp Win computers - just seem to be going
> all ROTTEN of late. Not only have criminal syndicates
> dedicated to finding/exploiting weaknesses grown
> exponentially, but more and more of them are now funded
> and advised by hostile governments.

That's been happening for a long time. Take a look at Wikileaks for
known examples from the government of the USA.

> I'm gonna say something you don't want to hear ...
> that online biz/banking/industry will soon be
> just too risky to use. The big providers will
> lie to you for a while, swear everything's good,
> but very soon it will be impossible to hide.
>
> Hey, GO to a store. VISIT your bank branch or
> broker. Let them get to know your face, who
> you are. We're quickly heading back to the
> future here ... comp/online stuff simply
> cannot be protected or safe under even the
> current level of attacks.

Sure, these things are why I never did switch to online banking, but
everybody else did. Nothing's really changed now that hasn't been
happening for years, and ignored by almost everyone. Time before
last that I went to the bank I played dumb while the teller advised
me on the security of online banking if I chose to enable it. No
issue, so long as you keep your password safe, apparently. No
thanks, if the computer at the bank gets hacked it's their problem,
if my computer/browser gets hacked (or they guess that it _could_
have been), I can be accused of fault, and I don't want to have
that argument.

> I'd suggest LOCAL Amazon/etc storefronts where
> you can peruse their catalog - and then hand
> a list to a HUMAN using some much more secure,
> likely non-Win, link with corporate central.
> Remind you of the old Sears experience ? Well ...

I regularly print out product pages from a store's website and
take them into the store instead of ordering online. Some tell
me I needn't have bothered with the print-out, but otherwise you'll
ask and they'll say "You want what?... Nah mate, never heard of
that" (while it's sitting on the shelf behind them).

> As for Chrome ... there IS a non-commercial version
> called Chromium which lacks most of the internal
> spyware features (which can be exploited). Can be
> a bit of a trial getting it for Win, but it's out
> there for Linux/Unix no problem. Win users/fools
> can also install a virtual-machine system like
> VirtualBox and run a Linux/Unix distribution
> inside it ... maybe where you'd go to do actual
> online biz/banking. I'll suggest VMs that run
> ON your box, not 'cloud' versions that send all
> yer stuff through M$ links or such.

VMs and container systems have their own history of known
vulnerabilities and past exploits.

--
__ __
#_ < |\| |< _#

Subject: Re: Google Goodness - Chrome Has Serious Security Flaw, Update FAST
From: 186282@ud0s4.net
Newsgroups: talk.politics.misc, comp.os.linux.misc, alt.politics, alt.security
Organization: vector apex
Date: Fri, 2 Aug 2024 01:13 UTC
References: 1 2
Path: eternal-september.org!news.eternal-september.org!feeder3.eternal-september.org!border-3.nntp.ord.giganews.com!nntp.giganews.com!local-2.nntp.ord.giganews.com!Xl.tags.giganews.com!local-4.nntp.ord.giganews.com!nntp.earthlink.com!news.earthlink.com.POSTED!not-for-mail
NNTP-Posting-Date: Fri, 02 Aug 2024 01:13:53 +0000
Subject: Re: Google Goodness - Chrome Has Serious Security Flaw, Update FAST
Newsgroups: talk.politics.misc,comp.os.linux.misc,alt.politics,alt.security
References: <PEidnZZOXbl1aTf7nZ2dnZfqnPadnZ2d@earthlink.com>
<66ab4474@news.ausics.net>
From: 186283@ud0s4.net (186282@ud0s4.net)
Organization: vector apex
Date: Thu, 1 Aug 2024 21:13:53 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.13.0
MIME-Version: 1.0
In-Reply-To: <66ab4474@news.ausics.net>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Message-ID: <sLOdnf40wYRPrzH7nZ2dnZfqnPidnZ2d@earthlink.com>
Lines: 185
X-Usenet-Provider: http://www.giganews.com
NNTP-Posting-Host: 99.101.150.97
X-Trace: sv3-fj8sdQs1ybryH3E6kWtgmTm9LlZXjqpBJtV1LhHYQRkak+fzyZlq2GjFVzsBfi434v05ZrRdc6DWD94!l2s2cOxK6vkzvAQUT2iRwgOs5X7BUVpyLli0ACIwM7int64u+uHev4+8abMxUXfRtiMdJqPFU11x!skgh1oHQom0Jr3Rjv2qY
X-Abuse-and-DMCA-Info: Please be sure to forward a copy of ALL headers
X-Abuse-and-DMCA-Info: Otherwise we will be unable to process your complaint properly
X-Postfilter: 1.3.40

On 8/1/24 4:16 AM, Computer Nerd Kev wrote:
> In comp.os.linux.misc 186282@ud0s4.net <186283@ud0s4.net> wrote:
>> https://www.dailymail.co.uk/sciencetech/article-13693891/Update-Chrome-Google-critical-flaw.html
>>
>> Google has rolled out a security update for Chrome, which
>> fixes flaws that allowed hackers to steal user data.
>
> Just a media beat-up, cashing in on a public that's temporarily
> realised the implications of a software bug in the wrong place.
>
>> According to search giant, the new update includes three
>> significant patches, two deemed high severity and one
>> 'critical.'
>
> Which isn't anything that unusual, following the link to a
> description of the vulnerabilities you get:
>
> CVE-2024-6990: A critical vulnerability involving uninitialized use
> in Dawn, reported on July 15, 2024. This flaw could
> potentially allow attackers to exploit the browser,
> leading to crashes or other malicious activities.
> CVE-2024-7255: A high-severity out-of-bounds read issue in
> WebTransport, reported by Marten Richter on July 13,
> 2024. This vulnerability could enable attackers to
> read sensitive information from other memory locations.
> CVE-2024-7256: Another high-severity issue involving insufficient
> data validation in Dawn, reported on July 23, 2024.
> This flaw could be exploited to inject malicious data
> into the browser.
> https://cybersecuritynews.com/google-critical-security-update-chrome/
>
> Google's announcement is here:
> https://chromereleases.googleblog.com/2024/07/stable-channel-update-for-desktop_30.html
>
> It looks like the previous "critical" vulnerability was in April:
> https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_24.html
>
> Firefox last had one in March:
> https://www.mozilla.org/en-US/security/advisories/mfsa2024-16/
>
> I read about the Firefox vulnerabilities, and discovery of these sorts
> of bugs, mainly memory access ones, is pretty routine:
> https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
>
>> Users are urged to update their Chrome accounts immediately
>> by closing the browser and reopening it.

The software and methods employed have become TOO complex.
Nobody knows how it all works - nobody can spot fatal flaws
before they bite thousands/millions of users. Then they
just patch - and patch and patch and ...

What was the good old term - "spaghetti code". Even "AI"
doesn't seem to be helping much so far, and nobody will
understand the "AI" fixes. Soon it's just AI Dumbledore
waving his wand and humans/corps will HAVE to believe
in the magic.

> "Update their Chrome accounts"? Journalists choose some strange
> words at times.

"Journalists" rarely seem to know much of anything about
what they're pontificating about - especially 'tech' :-)

>> [end article quotes]
>> This MEANS that bad actors have been stealing all
>> your data and account numbers and bank numbers and
>> such for a while already ...
>
> No, it just means they _could_ have been, if they put the work in
> to exploit the vulnerability in a useful way.
>
>> Computers - esp Win computers - just seem to be going
>> all ROTTEN of late. Not only have criminal syndicates
>> dedicated to finding/exploiting weaknesses grown
>> exponentially, but more and more of them are now funded
>> and advised by hostile governments.
>
> That's been happening for a long time. Take a look at Wikileaks for
> known examples from the government of the USA.
>
>> I'm gonna say something you don't want to hear ...
>> that online biz/banking/industry will soon be
>> just too risky to use. The big providers will
>> lie to you for a while, swear everything's good,
>> but very soon it will be impossible to hide.
>>
>> Hey, GO to a store. VISIT your bank branch or
>> broker. Let them get to know your face, who
>> you are. We're quickly heading back to the
>> future here ... comp/online stuff simply
>> cannot be protected or safe under even the
>> current level of attacks.
>
> Sure, these things are why I never did switch to online banking, but
> everybody else did. Nothing's really changed now that hasn't been
> happening for years, and ignored by almost everyone. Time before
> last that I went to the bank I played dumb while the teller advised
> me on the security of online banking if I chose to enable it. No
> issue, so long as you keep your password safe, apparently. No
> thanks, if the computer at the bank gets hacked it's their problem,
> if my computer/browser gets hacked (or they guess that it _could_
> have been), I can be accused of fault, and I don't want to have
> that argument.

I tell the bankers I actually do programming/systems
and KNOW BETTER. That usually shuts 'em up :-)

And still do paper billing as much as possible too.
Nothing like nice tangible docs you can push into
people's faces :-)

And yea, 'online' IS an attempt to "make it YOUR fault".
Kinda like Vista ... unusable unless you turned off all
that new 'security' stuff. Then bad things were YOUR
fault, not theirs.

The latest thing now is most-any providers demanding
routing numbers direct to your bank account instead
of a CC number. CC rules protect YOU ... but who is
at fault if, when, evil people snatch those routing
numbers from whomever's corporate systems ??? There
have been horror stories already - and a lot more
soon to follow.

Oh well, the lawyers will figure it all out, in
about 30 years or so .....

>> I'd suggest LOCAL Amazon/etc storefronts where
>> you can peruse their catalog - and then hand
>> a list to a HUMAN using some much more secure,
>> likely non-Win, link with corporate central.
>> Remind you of the old Sears experience ? Well ...
>
> I regularly print out product pages from a store's website and
> take them into the store instead of ordering online. Some tell
> me I needn't have bothered with the print-out, but otherwise you'll
> ask and they'll say "You want what?... Nah mate, never heard of
> that" (while it's sitting on the shelf behind them).

Store employees are usually under-skilled, under-paid
and over-exploited. This means they switch jobs VERY
regularly and thus know DICK about what's going on
at their current employer.

There used to be careers with big retailers, start
selling shoes and work your way up to a 3-piece
suit. Not so much anymore.

>> As for Chrome ... there IS a non-commercial version
>> called Chromium which lacks most of the internal
>> spyware features (which can be exploited). Can be
>> a bit of a trial getting it for Win, but it's out
>> there for Linux/Unix no problem. Win users/fools
>> can also install a virtual-machine system like
>> VirtualBox and run a Linux/Unix distribution
>> inside it ... maybe where you'd go to do actual
>> online biz/banking. I'll suggest VMs that run
>> ON your box, not 'cloud' versions that send all
>> yer stuff through M$ links or such.
>
> VMs and container systems have their own history of known
> vulnerabilities and past exploits.

Quite true ... but, even on a Win box, they DO add
another layer of obfuscation. Most criminals/attackers
want to do the most damage as fast and easily as
they can and then disappear. They don't waste time
figuring out 'complexity' since 99% of their victims
will be UN-complicated to exploit. A few, banks and
some govt/industries, MAY be such sweet targets where
the evil ones WILL invest a lot of effort.

Alas, as the CrowdStrike issue and the previous
SolarWinds debacle showed, 3rd-party 'security'
and 'convenience' apps - who make great CLAIMS -
can be the backdoor way to get at even large
corp/govt systems. Everybody's watching Winders,
but who's watching the watchers ? :-)
