Chrome V8 JavaScript Exploit Leaves All Android Devices Ripe For Attack (hothardware.com) 107
MojoKid writes: If you're an Android user that makes heavy use of Google's Chrome web browser (and what Android user doesn't?), you'll want to pay close attention to a new exploit that has the capability of taking your smartphone hostage. The exploit was demonstrated at MobilePwn2Own, which was held at a Tokyo-based PacSec conference. Quihoo 360 security researcher Guang Gong first uncovered the vulnerability, and thankfully, he hasn't publicly revealed detailed specifics on its inner workings. As soon as a phone accessed the website, the JavaScript v8 vulnerability in Chrome was used to install an arbitrary application (in this case a game) without any user interaction, to demonstrate complete control of the phone. Google reportedly has been made well aware of the exploit and will likely act quickly to resolve it.
Re: (Score:2)
Re: (Score:3, Informative)
node and chrome have nothing to do with each other besides sharing the JS engine.
node.js uses a JavaScript engine, as it's written in JavaScript. Chrome is a browser that has a JavaScript engine. So they share even less than that.
So the question is "does running node.js on V8 render it vulnerable?"
Re: (Score:2)
Re: (Score:2)
Node's JS engine *is* V8.
Meaning "node.js requires some C++ bindings and there are only versions of those bindings for V8" (or "can only be versions of those bindings for V8", as they're dependent on the way V8 works)? (I.e., better phrased as "the only JS engine on which node.js can run is V8".)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
So the project is named after the one and only JavaScript file in the project? And its relationship to JavaScript is similar to the relationship between a program with an embedded Lua interpreter and Lua?
Re: (Score:2)
Re: (Score:2)
Do we know if this affects node?
You have to feed your node server a polluted pile of js and that
requires the site to be compromised. So yes but....
For some reason Google just upgraded Chrome.....
I wonder if it is related...
Always load two browsers on your device and save one for the days when
the other is "ill". You got to be on Edge to understand this...
repost (Score:5, Informative)
Re: (Score:3, Insightful)
I use Firefox on my phone.
Re: (Score:3)
I do as well, I never got attracted by Chrome, it feels wrong.
Re: (Score:3)
Re: (Score:1)
Re: (Score:2)
Ask and ye shall receive...
Source code for Opera's various browsers! [opera.com]
Tada! It's open source but not truly open licensing - permissive licensed, to some extent. You can review, poke, and change it all you want. You may not redistribute it with their proprietary bits - if I've read the licensing agreement properly.
Re: (Score:2)
S'not a problem. I'm not really a zealot or anything but I much prefer Opera. I've been using Opera since the days when we had to pay for it. I used Firefox for a while, when they first came out, and that was okay. Opera kind of took a nosedive when they first converted their code base to the current incarnation but it's improved and is very nice now. I spend some time on their forums and have known some of the devs for ages now.
The cool thing is, and yes - I've run wireshark, they've stripped out any of th
Re: (Score:2)
I never had a problem paying for a browser. It was a very long time before we had a good open source browser, and Opera for quite some time was way ahead of the pack on security. Firefox chased everyone down, and then Google joined the game, and that mostly pushed Opera out. But Opera's model was as good as proprietary got- a thing that I bought has a much greater chance of doing what I want than something that Microsoft was desperately trying to "monetize".
Re: (Score:2)
I don't remember the payment process but I think, I'm not sure, that they had a sale at one point where you could buy a lifetime license for $20. I bought like five of them if I recall correctly. (I might have shared one or two with friends/family. We were evil like that, back in the day.)
I think that one of my favorite features was 'fit to width.' I still seek out scripts and extensions that enable me to do so for a variety of sites. Hmm... One sec...
http://i.imgur.com/xPZrOQF.png [imgur.com]
That's Slashdot, wide and
Re: (Score:2)
The new, Chrome-like Opera is actually really good - it's my 'default' Android browser. It does text-wrapping better than any other Android browser I've tried, which is a really obvious feature, but it seems to be the only one that provides it.
Re: (Score:2)
Re: Chrome non user (Score:1)
Exactly. Won't use any browser that doesn't let me block JavaScript, trackers and ads. Just not going to happen.
Re: (Score:2)
Re: (Score:3, Insightful)
Re: Sad (Score:3)
Bare pointers! Is there another kind?
Re: (Score:2)
Using a string class instead of a char* array? Using signals/slots message passing rather than calling otherobject* -> function()? "Bare pointers" means "fiddling directly with memory addresses".
Re: (Score:1)
Better languages would be good, but to me it looks like we need better OSs. Since when should a compromised (or intentionally harmful) application be able to install another application? Sure, if the application specifically has permission to do that (Ex: its an app store or installer) and gets user permission, then it should be able to install an application.
Isn't dealing with this kind of problem (running multiple applications without them from compromising all your stuff) the main purpose of an operating
Re: (Score:2)
Re: (Score:1)
Chrome is a much bigger project than Rust is, in terms of scope and code size. I mean, a programming language implementation (JavaScript) is just a small part of Chrome! Of course Chrome will have more bugs; there's far more to Chrome than there is to Rust!
The same goes for GCC. It isn't just a single programming language implementation like Rust is. It includes front ends for C, C++, Objective-C, Objective-C++, Fortran, Ada, Java, and other languages. Besides, GCC also includes a lot of compiler back end f
Firefox though? (Score:2, Insightful)
But... I use Firefox... That addon support was too good to pass up on. Also mostly avoid stuff that uses webview. So I suppose I'm fine?
What Android user doesn't? (Score:2, Insightful)
Most of them.
Re: (Score:2)
Re: (Score:2)
I'm slightly surprised at that, as last time I looked a lot of Android users were still on 2.x, which ships with Android Browser, not Chrome.
I suspect you haven't looked for a little while. Google's dashboards suggest that only 4% of users are still on 2.x (poor things!):
http://developer.android.com/a... [android.com]
You also probably need to combine the counts of "Chrome for Android" and "Chrome" in those stats the parent posted to get the total chrome market share for Android.
and what Android user doesn't? (Score:1)
Me. Chrome can get fucked.
Firefox all day all night until they go dark side. If they do... Orbot or a full Linux install on the phone with a bazillion options if I really have to use a phone to do major web surfing. Not a concern.
Linux Deploy / Play Store.
https://www.youtube.com/watch?v=nBB2bPwKWVg
Firefox (Score:2)
Re: (Score:3)
Re: (Score:3)
Good thing I use Firefox instead of Chrome.
Good thing I use Windows Phone instead of Android.
Dolphin (Score:2)
But not the latest version. Feature bloat.
Also, I disabled Chrome.
Re: (Score:2)
Also, I disabled Chrome.
Uh, yes, but it doesn't work that way. I'm pretty sure that Dolphin uses webview to display webpages on android (I think almost every browser except Firefox and Opera do -- most 3rd party browsers just write a simple GUI wrapper for webview) ... and all versions of Android starting from KitKat include the v8 javascript engine as part of webview:
https://developer.chrome.com/m... [chrome.com]
More concerningly, if you're using KitKat, webview won't be updated without a system update (it got moved to an APK in lollipop).
Not all... (Score:2)
"If you're an Android user that makes heavy use of Google's Chrome web browser (and what Android user doesn't?)"
Uh, this one. Guess I'm lucky I'm an avid Opera fan, heh.
Slashdot editors, get your shit together. (Score:2)
First off, a repost and now a little analysis of the title. ..JavaScript Exploit Leaves All Android Devices [not all devices have chrome and even then not everyone uses chrome] Ripe For Attack [wrong, exploit is undisclosed and being patched].
Hooray monoculture! (Score:1)
Lucky almost every new piece of desktop software across the world is built to run on one of about three browser platforms, and we've got rid of those pesky "extensions" that provided users with implementation alternatives, eh? Only through this level of homogeneity can users achieve safety and not all be exploited at once!
thankfully, he hasn't publicly revealed detailed specifics on its inner workings
Thankfully for your sense of security, he hasn't. Bugs like this are so valuable that many people will treat you far better than the "public" for revealing it, surely?
Deja Vu (Score:2)
Didn't I read about this on Friday?
Re: (Score:2)
Since you asked... (Score:2)
Re: (Score:1)
in other words, no fix (Score:4, Informative)
Google reportedly has been made well aware of the exploit and will likely act quickly to resolve it.
Given the way that Google updates don'r get out to Android users, we can expect Google's resolution to eventually reach 0% of the current users.
Re: (Score:2)
But not everybody uses "Play" store. Some people use F-Droid for their apk needs.
Re: (Score:3)
OS updates never get pushed. They require effort from both phone manufacturers and carriers, both who have motivation to not bother and encourage new phone purchases.
Google apps get updated.
Google Play Services get updated.
In short, the things that Google can control (their apps, Google play services) actually gets updated. Chrome is an app
Last time I used chrome on android... (Score:2)
it shoved an ad on top of a web page i was trying to read. The ad programmer had some fun with it, it would move around when I tried to scroll, and the dismiss box did not do exactly what I wanted. So I took a few minutes to install firefox and adblock. Then I removed the chrome icon from the special real estate on the home screen and replaced it with firefox, and set firefox to default. Goodbye ads!
Um... (Score:2)
and what Android user doesn't
I run four 3rd-party apps on my CM12.1-equipped S5 (including Waze and Square Register) and a fucking web browser isn't one of them.
Speak for yourself. (Score:2)
heavy use of Google's Chrome web browser (and what Android user doesn't?)
I have had my Samsung tablet for 2+ years now and I have never used Google's Chrome web browser.
I use Firefox 35.0.1 with Javascript disabled. Works fine.
But then I don't use Google Play Store either. I use F-Droid.
Just the name already - "Play" store. Sounds like something for kids.
Firefox (Score:1)