Chrome zero-day, hot on the heels of Microsoft’s IE zero-day. Patch now! – Naked Security


Microsoft’s Patch Tuesday announcement was bad enough, with six in-the-wild vulnerabilities patched, including one buried in the vestiges of Internet Explorer’s MSHTML web rendering code…

…and it’s been followed by Google’s latest Chrome security advisory, which includes a zero-day patch (CVE-2021-30551) to Chrome’s JavaScript engine amongst its 14 officially listed security fixes.

Like Mozilla, Google also lumps together other potential bugs it has found using generic bug-hunting techniques, listed as “Various fixes from internal audits, fuzzing and other initiatives.”

Fuzzing, in case you aren’t familiar with the concept, is an automated technique that probes for bugs by repeatedly confronting the software under test with input that has deliberately been modified to see whether the program chokes on it.

For example, a fuzzer might start with a known-good input file that you would expect to be processed correctly, without triggering any bugs, and progressively make a series of unusual or otherwise unlikely changes in the file, thus testing a program’s error-checking code much more broadly and deeply than hand-crafted files could manage.

Imagine that you had a compressed archive file, for instance, and you wanted to see how safely your decompression code would behave if the file were corrupted during a download, such as if a line-break character were accidentally inserted at some point.

With a fuzzer you could not only test for line-breaks at some points in the file, but at every possible point – and, better yet, you wouldn’t need to store all these slightly-modified input files for later, because you could automatically regenerate them on the fly every time you wanted to repeat the test.

Fuzzers may produce millions or even hundreds of millions of test inputs during a proving run, but only need to store the inputs that cause the program to misbehave, or more importantly to crash, so they can be used later on as time-saving starting points for human bug hunters.
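The line-break test described above, as an added example that is not part of the original article: Python's built-in `zlib.decompress` stands in for the decompression code under test, and the seed data and function names are constructed for illustration. Every mutant is regenerated from the seed on demand, and only the offsets of inputs that were not cleanly rejected are kept.

```python
import zlib

# Constructed known-good seed: a zlib stream whose correct output we know.
PLAINTEXT = b"constructed sample record 0123456789\n" * 4
SEED = zlib.compress(PLAINTEXT)

def mutants(seed, extra=b"\n"):
    """Regenerate every mutant on demand: `extra` inserted at each offset."""
    for offset in range(len(seed) + 1):
        yield offset, seed[:offset] + extra + seed[offset:]

def classify(data, expected=PLAINTEXT):
    """Feed one input to the code under test and name the outcome."""
    try:
        out = zlib.decompress(data)
    except zlib.error:
        return "rejected"            # corruption detected and reported cleanly
    except Exception as exc:         # any other exception is a bug in the target
        return "crash:" + type(exc).__name__
    return "accepted" if out == expected else "wrong-output"

def fuzz(seed=SEED):
    """Return outcome counts plus the (offset, verdict) pairs worth keeping."""
    counts, findings = {}, []
    for offset, data in mutants(seed):
        verdict = classify(data)
        counts[verdict] = counts.get(verdict, 0) + 1
        if verdict != "rejected":    # keep only what a human should look at
            findings.append((offset, verdict))
    return counts, findings

if __name__ == "__main__":
    counts, findings = fuzz()
    print("mutants tried:", sum(counts.values()), counts)
    for offset, verdict in findings:
        print(f"keep: line-break inserted at offset {offset} -> {verdict}")
```

The mutant with the line-break appended after the end of the stream is reported as accepted, because `zlib.decompress` ignores bytes that follow a complete stream; that is the kind of input a fuzzer would store for a human to review.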
