Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
Chrome

Google Patches Chrome Sandbox Escape Zero-Day Caught By Kaspersky (securityweek.com) 42

Posted by BeauHD from the time-to-update dept.
wiredmikey shares a report from SecurityWeek: Google late Tuesday rushed out a patch for a sandbox escape vulnerability in its flagship Chrome browser after researchers at Kaspersky caught a professional hacking operation launching drive-by download exploits. The vulnerability, tracked as CVE-2025-2783, was chained with a second exploit for remote code execution in what appears to be a nation-state sponsored cyberespionage campaign [dubbed Operation ForumTroll] targeting organizations in Russia.

Kaspersky said it detected a series of infections triggered by phishing emails in the middle of March and traced the incidents to a zero-day that fired when victims simply clicked on a booby-trapped website from a Chrome browser. The Russian anti-malware vendor said victims merely had to click on a personalized, short-lived link, and their systems were compromised when the malicious website was opened in Chrome. Kaspersky said its exploit detection tools picked up on the zero-day, and after reverse-engineering the code, the team reported the bug to Google and coordinated the fix released on Tuesday.

Google Patches Chrome Sandbox Escape Zero-Day Caught By Kaspersky More | Reply

Google Patches Chrome Sandbox Escape Zero-Day Caught By Kaspersky

Comments Filter:
  • A nice job by both Karspersky and Google.
    • They create the problem and pat themselves on the back, while announcing how great they are for doing it. A level of incompetence that Hegseth only knew.

      • Re: (Score:1)

        by Teun ( 17872 )
        Uh?
        The nice thing is two otherwise independent companies working together.
        (Something the MAGA team can only dream about)

        • Re: A nice job by both (Score:4, Insightful)

          by ihavesaxwithcollies ( 10441708 ) on Wednesday March 26, 2025 @11:30AM (#65260499)

          Uh?

          Who created chrome? They created a shitty product with obvious problems, ignored them. Congratulated and joyfully announced they fixed a problem they created and someone else exploited it. For christ's sake, all you have to do is click a link and the computer is pwned. Nothing happens to the incompetent corporation and all its users are the ones that are screwed. If that isn't american capitalism in a nutshell.

          • Re: (Score:2)

            by Teun ( 17872 )
            As a Firefox on Linux user I still appreciate the fast reaction of those two companies.
            ALL software can have bugs, the difference is who and how fast fixes it.

      • They create the problem and pat themselves on the back, while announcing how great they are for doing it.

        To be fair, that's Trump's SOP ...

        A level of incompetence that Hegseth only knew.

        Also, to be fair, National Security Advisor Michael Waltz set up the Signal group chat and (accidentally) invited The Atlantic journalist Jeffrey Goldberg to join. Pete Hegseth (apparently) just blabbed details of the military activities and John Ratcliffe, Director of the CIA (apparently) blabbed the name of an active intelligence officer. So, to your point, several people (apparently) know that level of incompetence. Also, to be fair, it's possible they all thought "J

    • Yes, a nice job, and since the US gov has banned Kaspersky, I bet that they have targeted their 0-day-finding resources to weaknesses specifically exploited by Western governments. The "nation-state sponsored cyberespionage campaign targeting organizations in Russia." is a clue.

  • Sad reality (Score:4, Interesting)

    by Artem S. Tashkinov ( 764309 ) on Wednesday March 26, 2025 @06:34AM (#65259957) Homepage

    For years I've been thinking about moving my browsers into a VM, but I've never done it because the web has gotten so heavy that doing so will result in much higher CPU/RAM consumption, and what's worse, VMs don't support HW-accelerated video decoding, so this will be even worse.

    I just hope I'll never be a target of such exploits and I'm under Linux which is being targeted less than e.g. Windows and MacOS.

    Perhaps web browsers need to become virtual machines themselves.

    • Re:Sad reality (Score:4, Informative)

      by Ritz_Just_Ritz ( 883997 ) on Wednesday March 26, 2025 @07:56AM (#65260069)

      Virtualbox can do video acceleration with your GPU. I believe proxmox can do that as well.

      Best,

      • According to VirtualBox documentation video decoding acceleration works only if both [virtualbox.org] your host and guest are Windows 10/11 and I'm a Linux user:

        Enable 3D Acceleration: If a virtual machine has Guest Additions installed, you can enable accelerated 3D graphics on the VM. See Hardware 3D Acceleration (OpenGL and Direct3D 8/9).

        With 3D acceleration enabled, the VM also uses video decoding acceleration if the host also supports video decoding acceleration. The host must be x86_64 running Windows, and the VM mu

        • Re: (Score:2)

          by trawg ( 308495 )

          I also thought to get this you needed the non-free extension pack or whatever it's called, at least for commercial use?

  • Don't use Chrome (Score:3)

    by bsdetector101 ( 6345122 ) on Wednesday March 26, 2025 @06:58AM (#65259995)
    Problem solved
  • ... I thought we had un-personed Kaspersky?

    • I understand there is great irony and hypocrisy in US/NATO/Ukr's Russian security policy against a Russian security company that helped an American company fix a security vulnerability attacking Russia from presumably US/NATO/Ukr.

      But perhaps you can explain "un-personed"?

      • Re: (Score:3, Interesting)

        by drinkypoo ( 153816 )

        But perhaps you can explain "un-personed"?

        It's what "conservative" fascists (who believe corporations are people, which is literally the most fascist view possible) say people are doing to them and theirs, while they simultaneously aggressively describe actual humans as less than people in order to try to emotionally and mentally manipulate others into agreeing with their twisted, selfish world view.

        • Corporations were invented during the Roman Empire as a means for a group of people to act as one single legal person. It is the literal definition of the word and has been for the 1500 years it has existed.

          • Corporations were invented during the Roman Empire as a means for a group of people to act as one single legal person. It is the literal definition of the word

            Corporations are not people, and do not need the rights of people. If you think emulating the Roman empire is a good idea, perhaps you should take a look at how and why it ended.

            • Oh, with decadence, rampant sexualization, and an invasion by migrants because they stopped protecting their borders? I have, and it is troubling.

              But to the point, and again, you are arguing against the formal, consistent, and ancient definition of the term. You can dig in your heels and cry about how you don't want it to be so, but the word will still mean what it means.

          • Re: (Score:2)

            by Rujiel ( 1632063 )
            But wasn't it bound to a period of time per proiect rather than being these deathless entities?

            • Even in western law, corporations used to have to justify their existence [context.org] to get a charter, by appealing to the public interest.

              Now your charter can be solely about enhancing shareholder value, and most types of corporation can be founded by mail by any jerkoff with the money and the ability to complete the paperwork.

              • And doing business is in the public interest. For one, it is an interest held by members of the public, and commerce benefits the public.

                Don't put too much stock in that opinion piece you linked. It is an argument, not context. Not a great argument either. A lousy one, really. Hell, it ignores something like 600 years of pre-British history, ignores some major commercial corporations that did exist in the timeframe he begins, conflates Trusts and Corporations as it gets closer to the modern era, and

            • No. In fact, there are many incorporated entities that have existed for a very, very long time. The City of London, for example, was incorporated in 1189. Corporations are not all businesses. They may not even be mostly businesses, but I don't have numbers on it. Pretty much every municipality is incorporated, the 13 colonies that became the United States were incorporated. Churches are incorporated, as are NGOs and charities.

              Before the early 1900's, Trusts were more commonly used for business purp

    • ... I thought we had un-personed Kaspersky?

      And in reply ... various political fulminations, lol!

      Yeah, wow, that sure disproves my point ...

  • I don't know if its still the case - I no longer use chrome - but the chrome sandbox on linux used to have to run with root privs. Which its great until someone finds an exploit in it, then not so much.

    Meanwhile other browsers sensibly just run under the uid of whichever user started the process.

  • No one should be using Kapersky anything. I cannot believe that helped. Trump will probably endorse Kapersky .

Slashdot Top Deals

"Probably the best operating system in the world is the [operating system] made for the PDP-11 by Bell Laboratories." - Ted Nelson, October 1977

Close