Chrome V8 JavaScript Exploit Leaves All Android Devices Ripe For Attack

MojoKid writes: If you're an Android user that makes heavy use of Google's Chrome web browser (and what Android user doesn't?), you'll want to pay close attention to a new exploit that has the capability of taking your smartphone hostage. The exploit was demonstrated at MobilePwn2Own, which was held at a Tokyo-based PacSec conference. Quihoo 360 security researcher Guang Gong first uncovered the vulnerability, and thankfully, he hasn't publicly revealed detailed specifics on its inner workings. As soon as a phone accessed the website, the JavaScript v8 vulnerability in Chrome was used to install an arbitrary application (in this case a game) without any user interaction, to demonstrate complete control of the phone. Google reportedly has been made well aware of the exploit and will likely act quickly to resolve it.

Re:

[Jorl17]

node and chrome have nothing to do with each other besides sharing the JS engine.

Re:

[Guy Harris]

node and chrome have nothing to do with each other besides sharing the JS engine.

node.js uses a JavaScript engine, as it's written in JavaScript. Chrome is a browser that has a JavaScript engine. So they share even less than that.

So the question is "does running node.js on V8 render it vulnerable?"

Re:

[x0ra]

Node's JS engine *is* V8.

Re:

[Guy Harris]

Node's JS engine *is* V8.

Meaning "node.js requires some C++ bindings and there are only versions of those bindings for V8" (or "can only be versions of those bindings for V8", as they're dependent on the way V8 works)? (I.e., better phrased as "the only JS engine on which node.js can run is V8".)

Re:

[x0ra]

All the js code runs (as in compiled / optimized / executed) on V8. Some portion of node are written in C++ (generally the OS interface), though as the JS -> C++ transition is expensive, node implement most of its API in Javascript. To this extend, Node is merely a wrapper around V8.

Re:

[x0ra]

I fail to see your comment relevance ? Many comments in this thread fail to realize that V8 is the foundation of node...

Re:

[Guy Harris]

So the project is named after the one and only JavaScript file in the project? And its relationship to JavaScript is similar to the relationship between a program with an embedded Lua interpreter and Lua?

Re:

[x0ra]

.*and* in javascript... https://github.com/nodejs/node... [github.com]

Re:

[niftymitch]

Do we know if this affects node?

You have to feed your node server a polluted pile of js and that
requires the site to be compromised. So yes but....

For some reason Google just upgraded Chrome.....
I wonder if it is related...

Always load two browsers on your device and save one for the days when
the other is "ill". You got to be on Edge to understand this...

repost

[wbr1]

http://slashdot.org/story/15/1... [slashdot.org]

Re:

[Beardo the Bearded]

I use Firefox on my phone.

Re:

[Z00L00K]

I do as well, I never got attracted by Chrome, it feels wrong.

Re:

[TheRaven64]

Not sure why this is off-topic. I started using Firefox on the phone because it was the first Android browser to offer a sane set of cookie management options (i.e. something beyond 'allow all' or 'block all', though it was restricted to this in the first couple of Android releases for some reason). With the self-destructing cookies plugin, it actually does what I want with respect to privacy. Most importantly though, it avoids a monoculture. Android has a huge market share and the idea of a bug in one

Re:

[movdqa]

Me too. At least it gets updated even if Android doesn't (three of our Android devices are off official support).

Re:

[KGIII]

Ask and ye shall receive...

Source code for Opera's various browsers! [opera.com]

Tada! It's open source but not truly open licensing - permissive licensed, to some extent. You can review, poke, and change it all you want. You may not redistribute it with their proprietary bits - if I've read the licensing agreement properly.

Re:

[KGIII]

S'not a problem. I'm not really a zealot or anything but I much prefer Opera. I've been using Opera since the days when we had to pay for it. I used Firefox for a while, when they first came out, and that was okay. Opera kind of took a nosedive when they first converted their code base to the current incarnation but it's improved and is very nice now. I spend some time on their forums and have known some of the devs for ages now.

The cool thing is, and yes - I've run wireshark, they've stripped out any of th

Re:

[cfalcon]

I never had a problem paying for a browser. It was a very long time before we had a good open source browser, and Opera for quite some time was way ahead of the pack on security. Firefox chased everyone down, and then Google joined the game, and that mostly pushed Opera out. But Opera's model was as good as proprietary got- a thing that I bought has a much greater chance of doing what I want than something that Microsoft was desperately trying to "monetize".

Re:

[KGIII]

I don't remember the payment process but I think, I'm not sure, that they had a sale at one point where you could buy a lifetime license for $20. I bought like five of them if I recall correctly. (I might have shared one or two with friends/family. We were evil like that, back in the day.)

I think that one of my favorite features was 'fit to width.' I still seek out scripts and extensions that enable me to do so for a variety of sites. Hmm... One sec...
http://i.imgur.com/xPZrOQF.png [imgur.com]

That's Slashdot, wide and

Re:

[Wootery]

The new, Chrome-like Opera is actually really good - it's my 'default' Android browser. It does text-wrapping better than any other Android browser I've tried, which is a really obvious feature, but it seems to be the only one that provides it.

Re:

[ne0n]

You're far from alone, this "all android devices" they mention doesn't include any of mine. Now if mobile Chrome supported a decent adblocker and more search engine choices things might be different.

Re: Chrome non user

[Threni]

Exactly. Won't use any browser that doesn't let me block JavaScript, trackers and ads. Just not going to happen.

Re:

[GTRacer]

Does this apply to Chrome on desktop? I use it, and (mu)Matrix to block a majority of scripts and the common ad networks.

Re:

[cnettel]

If you use C/C++ right, you do not end up writing a JIT compiler for a language never intended for it. This is a bug in v8. Now, we don't know where, but that's the kind of code that does things no one sane should ever do. It is supposed to take shortcuts and patch things on the fly. It's of course fully possible that this exploit is not in a performance-critical path, and then your comment is rather well placed. But I do think that anyone writing C/C++ in this context is a fool himself. It is for all pract

Re: Sad

[jhoger]

Bare pointers! Is there another kind?

Re:

[Kjella]

Using a string class instead of a char* array? Using signals/slots message passing rather than calling otherobject* -> function()? "Bare pointers" means "fiddling directly with memory addresses".

Re:

[Anonymous Coward]

Better languages would be good, but to me it looks like we need better OSs. Since when should a compromised (or intentionally harmful) application be able to install another application? Sure, if the application specifically has permission to do that (Ex: its an app store or installer) and gets user permission, then it should be able to install an application.

Isn't dealing with this kind of problem (running multiple applications without them from compromising all your stuff) the main purpose of an operating

Re:

[x0ra]

So Rust code ends up depending on c / c++ code ? This kinda defeat the purpose...

Re:

[Anonymous Coward]

Chrome is a much bigger project than Rust is, in terms of scope and code size. I mean, a programming language implementation (JavaScript) is just a small part of Chrome! Of course Chrome will have more bugs; there's far more to Chrome than there is to Rust!

The same goes for GCC. It isn't just a single programming language implementation like Rust is. It includes front ends for C, C++, Objective-C, Objective-C++, Fortran, Ada, Java, and other languages. Besides, GCC also includes a lot of compiler back end f

Firefox though?

[Anonymous Coward]

But... I use Firefox... That addon support was too good to pass up on. Also mostly avoid stuff that uses webview. So I suppose I'm fine?

What Android user doesn't?

[Anonymous Coward]

Most of them.

Re:

[TheRaven64]

I'm slightly surprised at that, as last time I looked a lot of Android users were still on 2.x, which ships with Android Browser, not Chrome. I'm finding it very hard to read that graph as it doesn't provide totals for all versions of each browser, but it looks as if Android Browser still has around 5%, UC for Android (which I'd never heard of) has over 7%, so Chrome at 16% only has a bit more than 50% of the Android market share.

Re:

[shellbeach]

I'm slightly surprised at that, as last time I looked a lot of Android users were still on 2.x, which ships with Android Browser, not Chrome.

I suspect you haven't looked for a little while. Google's dashboards suggest that only 4% of users are still on 2.x (poor things!):

http://developer.android.com/a... [android.com]

You also probably need to combine the counts of "Chrome for Android" and "Chrome" in those stats the parent posted to get the total chrome market share for Android.

and what Android user doesn't?

[Anonymous Coward]

Me. Chrome can get fucked.

Firefox all day all night until they go dark side. If they do... Orbot or a full Linux install on the phone with a bazillion options if I really have to use a phone to do major web surfing. Not a concern.

Linux Deploy / Play Store.

https://www.youtube.com/watch?v=nBB2bPwKWVg

Firefox

[mattcoz]

Good thing I use Firefox instead of Chrome.

Re:

[x0ra]

ahem... https://blog.mozilla.org/secur... [mozilla.org]

Re:

[dotancohen]

Good thing I use Firefox instead of Chrome.

Good thing I use Windows Phone instead of Android.

Dolphin

[dwywit]

But not the latest version. Feature bloat.

Also, I disabled Chrome.

Re:

[shellbeach]

Also, I disabled Chrome.

Uh, yes, but it doesn't work that way. I'm pretty sure that Dolphin uses webview to display webpages on android (I think almost every browser except Firefox and Opera do -- most 3rd party browsers just write a simple GUI wrapper for webview) ... and all versions of Android starting from KitKat include the v8 javascript engine as part of webview:

https://developer.chrome.com/m... [chrome.com]

More concerningly, if you're using KitKat, webview won't be updated without a system update (it got moved to an APK in lollipop).

Not all...

[x_t0ken_407]

"If you're an Android user that makes heavy use of Google's Chrome web browser (and what Android user doesn't?)"

Uh, this one. Guess I'm lucky I'm an avid Opera fan, heh.

Slashdot editors, get your shit together.

[Severus Snape]

First off, a repost and now a little analysis of the title. ..JavaScript Exploit Leaves All Android Devices [not all devices have chrome and even then not everyone uses chrome] Ripe For Attack [wrong, exploit is undisclosed and being patched].

Hooray monoculture!

[Anonymous Coward]

Lucky almost every new piece of desktop software across the world is built to run on one of about three browser platforms, and we've got rid of those pesky "extensions" that provided users with implementation alternatives, eh? Only through this level of homogeneity can users achieve safety and not all be exploited at once!

thankfully, he hasn't publicly revealed detailed specifics on its inner workings

Thankfully for your sense of security, he hasn't. Bugs like this are so valuable that many people will treat you far better than the "public" for revealing it, surely?

Deja Vu

[viperidaenz]

Didn't I read about this on Friday?

Re:

[bongey]

This is slashdot, you know you didn't actually read the story.

Since you asked...

[REggert]

I'm an Android user that does not use Chrome. I use Opera.

Re:

[perlancar]

Me too. It's much faster and I can open 50+ tabs without problem (well, sometimes, but better than Chrome).

in other words, no fix

[frovingslosh]

Google reportedly has been made well aware of the exploit and will likely act quickly to resolve it.

Given the way that Google updates don'r get out to Android users, we can expect Google's resolution to eventually reach 0% of the current users.

Re:

[MadMaverick9]

But not everybody uses "Play" store. Some people use F-Droid for their apk needs.

Re:

[cant_get_a_good_nick]

OS updates never get pushed. They require effort from both phone manufacturers and carriers, both who have motivation to not bother and encourage new phone purchases.

Google apps get updated.
Google Play Services get updated.

In short, the things that Google can control (their apps, Google play services) actually gets updated. Chrome is an app

Last time I used chrome on android...

[doug141]

it shoved an ad on top of a web page i was trying to read. The ad programmer had some fun with it, it would move around when I tried to scroll, and the dismiss box did not do exactly what I wanted. So I took a few minutes to install firefox and adblock. Then I removed the chrome icon from the special real estate on the home screen and replaced it with firefox, and set firefox to default. Goodbye ads!

Um...

[Type44Q]

and what Android user doesn't

I run four 3rd-party apps on my CM12.1-equipped S5 (including Waze and Square Register) and a fucking web browser isn't one of them.

Speak for yourself.

[MadMaverick9]

heavy use of Google's Chrome web browser (and what Android user doesn't?)

I have had my Samsung tablet for 2+ years now and I have never used Google's Chrome web browser.

I use Firefox 35.0.1 with Javascript disabled. Works fine.

But then I don't use Google Play Store either. I use F-Droid.

Just the name already - "Play" store. Sounds like something for kids.

Firefox

[Paolo Redaelli]

Who don't use Chrome? Me for example and all those who use Firefox because Chrome is proprietary and even in its free-as-in-freedom Base Chromium could spy you recording voices.