  • Google Chrome: Bug enables data theft

    Posted on Nibbled To Death By Ducks Comment on the AskWoody Lounge

      • #2287817 Reply

        “In all Chromium browsers (Google Chrome, Edge, Opera) there is a fat bug CVE-2020-6519, which introduces a vulnerability that allows attackers to bypass the Content Security Policy (CSP) protection and steal data from website visitors.”

        Chrome before version 84 affected

        “The bug (CVE-2020-6519) was found in Chrome, Opera and Edge, on Windows, Mac and Android. Security researcher Gal Weizman has now disclosed the whole thing here. The security researcher was very surprised when he discovered this zero-day vulnerability in Chrome-based browsers – Chrome, Opera, Edge – on Windows, Mac and Android. The bug allowed attackers to completely bypass the CSP rules of Chrome versions 73 (March 2019) through 83 (July 2020). Only Chrome 84 fixes this vulnerability.”

        Google Chrome: Bug enables data theft

        Words fail me, which is probably a good thing.

        Win7 Pro SP1 64-bit ESU, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", Group "Patch List", Multiple Air-Gapped backup drives in different locations, "Don't auto-check for updates-Full Manual Mode." Linux Mint Greenhorn
        --
        "A committee is the only known form of life that has at least four legs and no brain."

        -Robert Heinlein

        4 users thanked author for this post.
      • #2287827 Reply
        Alex5723
        AskWoody Plus

        I don’t see iOS on the list of affected OSs and ChrEdge 84.0.522.49 is based on Chrome 84.0.4147.105

        fixed: CVE-2020-6532, CVE-2020-6538, CVE-2020-6539, CVE-2020-6540, CVE-2020-6541.

        ChrEdge 84.0.522.40 based on Chrome 84.0.4147.89 fixed:

        CVE-2020-6510, CVE-2020-6511, CVE-2020-6512, CVE-2020-6513, CVE-2020-6514, CVE-2020-6515, CVE-2020-6516, CVE-2020-6517, CVE-2020-6518, CVE-2020-6519, CVE-2020-6520, CVE-2020-6522, CVE-2020-6523, CVE-2020-6524, CVE-2020-6525, CVE-2020-6526, CVE-2020-6527, CVE-2020-6528, CVE-2020-6529, CVE-2020-6530, CVE-2020-6531, CVE-2020-6533, CVE-2020-6534, CVE-2020-6535, CVE-2020-6536

        https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200002

        • #2287972 Reply
          Ascaris
          AskWoody_MVP

          I would think iOS is not on the list because all iOS browsers are actually using their backend. I did note that iOS and Linux were not on the list, but later in the article, it said Chrome on “all operating systems” was vulnerable if it was <84.

           

          Group "L" (Fedora 32 Linux w/ KDE Plasma).

          1 user thanked author for this post.
      • #2288010 Reply
        OscarCP
        AskWoody Plus

        Thanks for this warning and the additional information. In my Mac, running macOS version “Mojave” (not the latest version of the OS, but still supported for another year) Chrome is shown as being up to date, with its latest release already installed: Version 83.0.4103.116.

        So it would seem that Chrome 84, with this nasty vulnerability presumably fixed, is not yet available for macOS, at least in the usual automatic way. Does anyone know differently?

        Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

        • #2288031 Reply
          Ascaris
          AskWoody_MVP

          Perhaps a beta of some kind?

          The version of Chromium I tested (with the Linux hardware video decoding enabled) is on 86.0.4214.2 on my Swift (dev build).  Perhaps there is a Mac equivalent, whether Chrome or Chromium?

          Group "L" (Fedora 32 Linux w/ KDE Plasma).

          • #2288073 Reply
            OscarCP
            AskWoody Plus

            Ascaris: Actually “84” for the Mac is a Stable Channel release that is coming out just now, according to this article:

            https://chromereleases.googleblog.com/

            Excerpt: “Stable Channel Update for Desktop
            Monday, August 10, 2020
            The stable channel has been updated to 84.0.4147.125 for Windows, Mac, and Linux, which will roll out over the coming days/weeks.”

            This might explain why I have not got it yet in my Mac.

            As for how to find the various release channels:

            https://www.chromium.org/getting-involved/dev-channel

            Be all that as it may, I have followed DrBonzo’s advice (see his comment and my reply further down) and installed “84” manually. And, right now, all seems well.

            Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

        • #2288066 Reply
          DrBonzo
          AskWoody Plus

          Well, FWIW the latest version of Opera is based on Chrome 84, and I have that (latest version of Opera) on a MacBook Air running up-to-date Mojave. Try checking for updates manually for Chrome, and I’ll bet you’ll get 84 (and then apparently safe from the bug).

          1 user thanked author for this post.
          • #2288070 Reply
            OscarCP
            AskWoody Plus

            DrBonzo: I just followed your advice: first chose to download Chrome from the “Stable Channel”, installed it replacing the previous version in the process, then launched the new one. Checking in “Customize and control Google Chrome/Help/About Google Chrome”, the new version is 84.0.4147.125. Thanks for the idea!

            Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

            1 user thanked author for this post.
            • #2288076 Reply
              DrBonzo
              AskWoody Plus

              I don’t have Chrome on any Macs anymore, but when I did, I could open Chrome and manually check for updates. I don’t remember exactly how I did it, but if you have it set up so a menu bar is present, it would be something like Help -> About, or Chrome -> About, which would then result in a screen giving the version number, a statement that Chrome is up-to-date (or not up-to-date), and a button with Check For Updates. If you don’t have a menu bar showing then go to the upper right to what they call a ‘hamburger’ menu (basically 3 short grey horizontal parallel lines one above the other), click on it, and you should be able to find similar commands.

              I used to find sometimes that even though I got a statement saying Chrome was up-to-date, that it actually wasn’t and would proceed to update to the latest version when I hit the Update button.

              You can also set it up to update automatically. I don’t remember how since I, personally, would never let a computer do any updating automatically.

              1 user thanked author for this post.
              • #2288132 Reply
                OscarCP
                AskWoody Plus

                DrBonzo, Thanks. It was as you have described it and it is like that now, again. I say “again”, because when I tried to check while version 83 was still the one I had installed in the Mac, it did not show the legend “Chrome is up to date”, or try to install a new version. Nothing like that was showing or happening there. So it might have been a problem having to do with that version of Chrome, perhaps a conflict between it and something else: mysteries of computing.

                I have it on automatic download and install, because I use Chrome very sparingly and hate to fiddle with every last bit of software on my computer. I’d rather die than do that: that’s just the way I am; unfortunately there is no known cure for it…

                Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

      • #2288064 Reply
        alphacharlie
        AskWoody Plus

        I was just curious to see what version is on my Chromebook today:

        Version 84.0.4147.110 (Official Build) (64-bit)

      • #2288136 Reply
        Microfix
        AskWoody MVP

        hmm..out of ‘Auto update expired’ chromebooks will be..erm kapoot online now.
        Better to switch to an ‘in service’ linux LTS distro on those after some research 😉
        check older models here: https://support.google.com/chrome/a/answer/6220366

        Win8.1 Pro x64 + Linux Hybrids x86/x64 + Win7 Pro x86/64 O/L