Mathwiz Posted Sunday at 08:00 PM Posted Sunday at 08:00 PM 3 hours ago, Karla Sleutel said: Isn't the minimum requirement chromium 138? Version 138 is required for the fix; the bug goes back earlier though: Quote Type confusion in V8 in Google Chrome prior to 138.0.7204.96 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. 7 hours ago, EliraFriesnan said: Initial release September 2, 2008 Good catch. Google is being tight-lipped on exactly when this vulnerability crept in. I doubt it goes all the way back to 2008, though. Today's V8 looks nothing like the original. I believe (and should have said) versions prior to the V8 optimizer are not vulnerable. I suspect 360EE (and Kafan MiniBrowser) aren't vulnerable because the option to turn off the optimizer isn't there (presumably because there's nothing to turn off), but I can't be sure with the limited info we have.
Karla Sleutel Posted Monday at 01:58 AM Posted Monday at 01:58 AM 16 hours ago, Mathwiz said: Version 138 is required for the fix; the bug goes back earlier though That was clear, but from what they tell, looks like the patch is intended to be applied only to 138+. Who would write a patch for the old 132, while we are at 140+ already?
Mathwiz Posted Monday at 02:51 AM Posted Monday at 02:51 AM You are right. You need version 138 or above to get the patch. If folks don't want to update, the patch is unavailable to them. For those folks, the only safe option is to turn off the V8 optimizer as described previously. I suppose, in theory, someone skilled in building Chromium could apply the patch to earlier versions, but I can't imagine anyone would do so, unless there were a very popular old version that many folks were reluctant to update from.
Dave-H Posted Monday at 10:14 AM Posted Monday at 10:14 AM So has Win32ss engineered the patch for Supermium, even though it's only at Chromium 132? It is based on the ESR version, which should surely be able to have the patch applied? 1
j7n Posted 16 hours ago Posted 16 hours ago So it can read memory from Supermium itself right, not crash other programs by writing to their memory? I'd be more worried if it could crash my PC since I run as administrator. Could one really make a gain out of this reliably? Memory addresses change.
Karla Sleutel Posted 9 hours ago Posted 9 hours ago (edited) 18 hours ago, j7n said: So it can read memory from Supermium itself right, not crash other programs by writing to their memory? I'd be more worried if it could crash my PC since I run as administrator. Could one really make a gain out of this reliably? Memory addresses change. Then it's a good idea to use the patched ungoogled for Server 2008 R2. No one knows and no one can guarantee how good and when the old 132 Supermium will (ever?) be patched for that serious vulnerability. https://github.com/e3kskoy7wqk/Chromium-for-windows-7/releases/tag/ungoogled-chromium_138.0.7204.96 Edit/ They say it's been patched in R5. But in the article they say the patch is for 138+! Contradictory. https://github.com/win32ss/supermium/releases/tag/v132-r5 Edited 9 hours ago by Karla Sleutel 2
Dave-H Posted 5 hours ago Posted 5 hours ago I think we have to take Shane's word for it that the patch has been applied to Supermium 132. As I said earlier, it's an ESR version, which surely should be capable of having the patch applied to it, as it should be fully supported until the next ESR version is released. I'm not sure how we can test whether the patch has been applied successfully or not. 2
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now