355

UPDATE YOUR BROWSERS IMMEDIATELY. RCE VULNERABILITY DISCOVERED (nvd.nist.gov)

submitted 1 year ago by VitabytesDev@feddit.nl to c/technology@lemmy.world

88 comments fedilink hide all child comments

Any Chromium and Firefox browser prior to version 116 will be vulnerable to this, update your browsers.

you are viewing a single comment's thread
view the rest of the comments

[-] towerful@programming.dev 20 points 1 year ago

I've read elsewhere it's actually a problem with libwebp not just chrome.
Basically, anything that relies on libwebp (ie can play libwebp) is vulnerable.
https://snyk.io/blog/critical-webp-0-day-cve-2023-4863/

[-] cheese_greater@lemmy.world 2 points 1 year ago

I wonder if it applies to devices using LockDown mode, thats shuts down a lot of nonsense in its own right...

[-] towerful@programming.dev 7 points 1 year ago* (last edited 1 year ago)

https://www.techtarget.com/searchsecurity/news/366551978/Browser-companies-patch-critical-zero-day-vulnerability

Citizen Lab said Blastpass was discovered on the device of an employee with "a Washington DC-based civil society organization" and that it could be mitigated by Apple's Lockdown Mode. An investigation into the exploit chain continues, but researchers said it involved "PassKit attachments containing malicious images sent from an attacker iMessage account to the victim."

Edit:

Fuck my reading skill (or fuck articles listing multiple high profile CVEs)...
Blastpass is not the same libwebp CVE (blastpass, the iMessage thing, is CVE-2023-41064. libwebp is CVE-2023-4863 - although that is the chrome one, despite this affecting libwebp not chrome).

I think the whole situation is very rapidly being researched and it's all developing.
So, no idea if lockdown mode would have any effect

[-] cheese_greater@lemmy.world 3 points 1 year ago

Good, I'm so fucking tired of this bullshit.

[-] towerful@programming.dev 9 points 1 year ago* (last edited 1 year ago)

Nah, this bullshit is progress.
The root of this problem has always existed. Exploits have always been there, mistakes have always been there. These things are fundamentally unavoidable.
Acknowledging then, documenting them is new. Sensible disclosure is new. Companies paying for these bug bounties before they are publicly disclosed (so they can be fixed) is new.
And it's awesome. It's security. It's people working together for the betterment of everyone.

It would be amazing if people didn't make mistakes. But that isn't possible.
Openess, honesty and quickly remedying of issues is possible, and it's laudable.

So yeh, next time you get an annoying update that interrupts you're workflow. Please understand the work and reason behind the update. You can still be pissed at the interruption, but please appreciate the human reason for it.

Edit: I read "good" as "god". Idk if that changes anything

[-] cheese_greater@lemmy.world 6 points 1 year ago

I def agree with the openess tenor of your reply. People and companies (since companies technically "are" people) need to stop valuing pride over security and safety and all the good stuff of life. Like, just fix the damn cancer, stop trying to hide it and cut off the progrssively more necrotic limbs to save face.

We don't disagree on anything, I was perhaps inelegant and non-specific in my invective.

[-] towerful@programming.dev 1 points 1 year ago* (last edited 1 year ago)

since companies technically "are" people

This wording is some legal loophole bullshit.
I have tried to word something that disagrees with this for 30m. I can't figure it out.
This is bullshit.
But this "company is person" tries to re-humanise corporations. I think. Or something.

Have some ranting....

A company is a group of people working in the interest of themselves.
A person is generally working in the interest of themselves.
A group of people always has more power than a single person, and thus should be held to a higher standard.

It seems like Google is taking this seriously... now (assigning a 10.0. The next highest is an 8.8 for $15k). But it seems like the cve is still assigned to chrome, as opposed to libwebp (where the actual vulnerability is)

And while I appreciate the publication - the fact its a 0-day publication (as opposed to "we patched this 6 months ago") means Google hasn't taken it seriously previously (or it's be found exploited in the wild)

[-] cheese_greater@lemmy.world 1 points 1 year ago* (last edited 1 year ago)

Dude, put down the keyboard lol. We basically agree on everything but...I dunno, theze takes of yours. I'm not siding with corporations, I'm making a snide reference that interrogates the RealPolitik of modern life and insists that corporations (which are a legal fictional person(a) akin to a psychopathic pen-name persona of an author in some sense) act at least or far more responsible than a regular person. To those who are given and recieve much, much should be expected in my view.

These discussions and discourse go a lot better and profit us substantially moreso if you really read the words and start from the vantage point of assuming good-faith. Had another guy the other day blow up since I made a competely unrelated oblique joke/reference and it was completely outta line. He was nice enough about it after he acknowledged the language barrier but I sense thats not an issue here so play nicely.

I'm on your side, don't friendly-fire your compatriots.

this post was submitted on 29 Sep 2023

355 points (95.2% liked)

Technology

58281 readers

5551 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related content.
Be excellent to each another!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, to ask if your bot can be added please contact us.
Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago

MODERATORS