Google comes clean on that “emergency” security patch – and shows how it was used to trigger a Windows 7 0day

Topic

New Reply

Now I understand. Google releases patches for its Chrome browser all the time. As @b explained about 36 hours ago, Google sent out a special alert to
[See the full post at: Google comes clean on that “emergency” security patch – and shows how it was used to trigger a Windows 7 0day]

9 users thanked author for this post.

abbodi86, SueW, Elly, Nibbled To Death By Ducks, PhotM, Myst, jburk07, CyGuy, Microfix

Reply | Quote

Replies

How Microsoft will react is to include a fix in SMQR and SO patches and say nothing but document it a week later for respective patches. One thing for sure, it won’t be documented immediately upon patch release so a week is giving them the benefit of the doubt.
Opaque Transparency 🙂

No problem can be solved from the same level of consciousness that created IT- AE

5 users thanked author for this post.

SueW, Elly, PhotM, Myst, woody

Reply | Quote

I m a little confused. What is a Windows 7 0 day?

Reply | Quote

A zero-day vulnerability is one for which there are active exploits even before it was announced.  In other words, the “bad guys” knew about the bug and were actively exploiting it before the vulnerability was patched or even known about.  Therefore, once it is discovered by the “good guys”, and before it can be patched, there are zero days before attacks using it will occur.

Many vulnerabilities (other than zero day vulnerabilities) have no active exploits and it could be many days or weeks before an exploit becomes available.

5 users thanked author for this post.

Lori, Kranium, SueW, Elly, woody

Reply | Quote

Thanks on the o day explanation

Reply | Quote

This is great for others but what about persons stuck on Vista and using an “unsupported” chrome? There was a time where the security of the internet was critical on all being updated so the “virus” could not easily spread. Is that still true? Are these exploits done in old code or the current “patched” one? Is it even likely that a non patched computer or browser could be more secure then a patched one?

If the Above is true “There was a time where the security of the internet was critical on all being updated so the “virus” could not easily spread”, then would it not be in the interest of keeping ALL patched regardless of OS version or Browser Version? After all then a ‘unprotected’ browsers could in theory infect all others.

Reply | Quote

You stick with old programs, your risk is increased but that doesn’t mean you will be hit. Generally,  you (as in the person behind the keyboard) needs to do something that triggers the virus.

Very dated but possibly helpful article

Another possibly useful article

The problem with  zero-day malware is your AV program will not ‘see’ it. Even VirusTotal is likely to report the file/link containing the malware is clean. So, occasionally run a demand scanner (examples: Malwarebytes; Superantispyware).

Something else that can function as a demand scanner on running processes is Sysinternals Process Explorer – look through the menu options options. Sysinternals Autoruns also has the VirusTotal option.

1 user thanked author for this post.

Lori

Reply | Quote

“As mitigation advice for this vulnerability users should consider upgrading to Windows 10 if they are still running an older version of Windows, and to apply Windows patches from Microsoft when they become available. We will update this post when they are available.”

It makes one wonder, as I have through the decades, if MSFT was the source of some of these problems…great way to encourage “Updating your OS”!

“…when they become available”….what a laid back, ho-hum, indefensible attitude when a 0-day is in the wild!

Life sure looks different from underneath the bus…

Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Greenhorn
--
"Windows Update? Bah! I could carve a better ecosystem out of a banana!" -Jamrach Holobom

1 user thanked author for this post.

Kranium

Reply | Quote

Yep, the advisement to begin using Windows 10 as the mitigation looks evil and suggests collusion.

It also seems somebody at Microsoft quietly fixed that error not informing anybody else or there is actually a overall useful “tail covering” feature that mitigates the bug which still exists inside Windows 10.

Reply | Quote

reaction from Born’s blog:

https://borncity.com/win/2019/03/08/kritische-chrome-schwachstelle-bedroht-32-bit-windows-7/

check out the last sentence on there that says “The recommendation of the Google developers to migrate to Windows 10 because of the bug seems to me as a bad joke.”

1 user thanked author for this post.

Karlston

Reply | Quote

I wonder if you were using another browser besides Chrome? Would you be exposed?

MS will patch this eventually and maybe create another problem and then fix it up the following month.

Reply | Quote

Yes. I grudgingly admit Google is acting in good faith here. Because their product contributes to the exposure, they admit it openly and describe the broader problem as well. More information is better than less information. Of course it helps that they seem to have already patched their part.

Which actually means the opposite of your question. Chrome browser is now the one browser we know has been patched.

1 user thanked author for this post.

rc primak

Reply | Quote