Zero day exploits targeted versions?

Asesh Shrestha

Mar 4, 2021, 11:10:57 PM
to Chromium-dev
Hi,
Recently we have been hearing about 0-day exploits actively being exploited in Chrome/Chromium-based browsers. But the Google announcement doesn't mention what versions are being targeted by those exploit codes: https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
Is there any information on what versions are being targeted by those exploits? I know older versions of Chromium browsers might be affected by those security holes too, but generally it's very difficult to write exploit code for all the affected versions, so they target a specific version of Chrome. I am asking this because the version of Chromium our users use is a little behind the latest and stable version of Chromium. The same most likely holds true for other Chromium forks too. So it would be really helpful if Google could publish the versions that are being targeted too.

Thanks

dan...@chromium.org

Mar 5, 2021, 10:51:08 AM
to asesh.s...@cloudfactory.com, Chromium-dev
Hi Asesh,

Generally every version of Chrome comes with some sort of bug fixes, and interested parties could be expected to look for those bug fixes in order to find additional vulnerabilities that are exploitable in older versions of Chromium. Thus running an old version of Chromium puts your users at risk far beyond potential 0-days that have been fixed. There's more information on this topic in the Chromium University talk "Life of a Vulnerability". This is why strong guidance is always to keep software up to date with the latest patches, for Chromium or any other software.

Thanks

Asesh Shrestha

Mar 7, 2021, 9:24:12 PM
to Chromium-dev, danakj, Chromium-dev, Asesh Shrestha
I understand whatever you mentioned, but it would be better for Chromium fork developers if Google could list affected versions too, if they are aware of it in the future. Just a suggestion to Google when mentioning 0-day exploits in the published notes.
Thanks

Joe Mason

Mar 8, 2021, 10:30:08 AM
to asesh.s...@cloudfactory.com, Chromium-dev, danakj
Developers of Chromium forks can request access as described at https://www.chromium.org/Home/chromium-security:

Advance notice of (fixed) Chromium security vulnerabilities is restricted to those actively building significantly deployed products based upon Chromium, or including Chromium as part of bundled software distributions. If you meet the criteria, and require advanced notice of vulnerabilities, request access via secu...@chromium.org. Your email should explain your need for access (embedder, Linux distribution, etc.) and your continued access will require that you follow the terms of list membership.

Hope this helps,
Joe 
