1. 27

  2. 6

    Now it’s just a headline of a news. When the bug details will be released it will be a content of a news. So for now nothing to see here.

    1. 1

      I think this is a both cynical and incorrect assessment.

      The news is that a major update including high profile and high risk security updates is rolling out to Chrome OS users. Personally I consider that valuable even if there are no technical details being published immediately. Being advised to look out for important updates and ensure they are executed in a timely manner is obviously beneficial.

      1. 3

        There’s constantly security problems and fixes in software. There used to be sites that told you when software you care about was vulnerable. They track that sort of thing. I say leave it to them so we can focus on things like how something was exploited, prevented, recovered from, or fixed in the live system without downtime. That’s the interesting stuff.

        1. 2

          What will you, me or other ChromeOS users do? I know that I will wait until ChromeOS updates itself as it always does and then I will reboot as I always do. So this news does not change anything for me.

          If there was some content with it I could read it and we could discuss it.

          There are people that consider it an important news. So they upvote it. I do not consider this important so I do not upvote it. So the assessment correctness is a matter of an opinion. Maybe it is cynical, but I am here for something interesting and for me this isn’t. I certainly do not want to encourage adding more news where the headline is all there is.

          1. 2

            FYI you can kick off updates manually on Chrome OS, which is what I did, in this situation.

            Settings -> Hamburger menu -> About Chrome OS -> Check for updates.


      2. 3

        So someone has lined up the full tower of exploits? Impressive, but surely worth more than $100,000 to, um, “certain” customers?

        1. 1

          Would you rather sell it to criminals?

          1. 1

            “Are security agencies criminal organisations?” Sounds like an exam essay question…

          2. 1

            Maybe the exploits are very difficult in practice? There’s a difference between the existence of the exploit and whether it’s practical.

            I imagine you would get rewarded if it the exploit required the user to download a 10 GB web page, but it might not be that useful in the wild. Or you might have to convince the user to make a sequence of 100 particular HTTP requests, etc. Or it might be for a rare locale with only 10,000 users, etc.

            There are some published exploits like JS cache timing behavior that take a long time too, although these are for information leakage, and not remote code execution.

          3. 1

            Anyone has a link to the commit or initial bug report/fix?

            1. 1

              The bug report (which will probably have the patch, too) is still locked, and the details of the exploit aren’t public yet. My guess is that it’s related to this:

              Devices with the Play Store, as well as AOpen Chromebase Commercial and AOpen Chromebox Commercial will be rolling out over the next few days.

              They probably don’t want to release details until everything is patched.

            2. 1

              They say:

              Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

              • [$100,000][766253] Critical: Persistent code execution on Chrome OS. Reported by Anonymous on 2017-09-18
              • [766260] High CVE-2017-15401: Out of bounds memory access in V8
              • [766262] High CVE-2017-15402: Privilege escalation in PageState
              • [766271] High CVE-2017-15403: Command injection in network_diag
              • [766275] High CVE-2017-15404: Symlink traversal in crash_reporter
              • [766276] High CVE-2017-15405: Symlink traversal in cryptohomed

              So even if someone does have access to the report, they shouldn’t be revealing it.