ProHoster > Блог > labaran intanet > Rashin lahani na kwanaki 0 ​​a cikin Chrome ya bayyana ta hanyar nazarin canje-canje a cikin injin V8

Rashin lahani na kwanaki 0 ​​a cikin Chrome ya bayyana ta hanyar nazarin canje-canje a cikin injin V8

Masu bincike daga Fitowa Intelligence sun nuna wani maƙasudi mai rauni a cikin aiwatar da gyara lahani a cikin lambar Chrome/Chromium. Matsalar ta samo asali ne daga gaskiyar cewa Google ya bayyana cewa canje-canjen da aka yi suna da alaka da batutuwan tsaro kawai bayan an saki, amma
yana ƙara lamba zuwa ma'ajiyar don gyara lahani a cikin injin V8 kafin a buga sakin. Na ɗan lokaci, ana gwada gyare-gyaren kuma taga ya bayyana lokacin da raunin ya zama ƙayyadaddun a cikin tushen lambar kuma yana samuwa don bincike, amma raunin ya kasance ba a daidaita shi akan tsarin mai amfani ba.

Yayin da suke nazarin canje-canjen da aka yi a wurin ajiyar, masu bincike sun lura da wani abu da aka kara a ranar 19 ga Fabrairu gyara kuma cikin kwanaki uku suka iya shiryawa amfani, yana shafar abubuwan da aka saki na Chrome na yanzu (amfanin da aka buga bai haɗa da abubuwan da za a keɓance keɓance akwatin yashi ba). Google da sauri saki Chrome 80.0.3987.122 sabuntawa, gyara abin da aka tsara rauni (CVE-2020-6418). Injiniyoyin Google ne suka gano raunin tun asali kuma suna faruwa ne ta hanyar matsala ta nau'in sarrafa a cikin aikin JSCreate, wanda za'a iya amfani da shi ta hanyar Array.pop ko Array.prototype.pop. Abin lura da cewa an sami irin wannan matsala gyarawa a cikin Firefox lokacin rani na ƙarshe.

Masu binciken sun kuma lura da sauƙin ƙirƙirar abubuwan amfani saboda haɗawa da Chrome 80 inji marufi na alamu (maimakon adana cikakken ƙimar 64-bit, ƙananan ƙananan raƙuman maƙasudin kawai ana adana su, waɗanda zasu iya rage yawan amfani da ƙwaƙwalwar ajiya). Misali, wasu sifofi na manyan bayanai kamar ginannen tebur na aiki, abubuwan mahallin na asali, da tushen abubuwa Yanzu an keɓe mai tara shara zuwa adiresoshin da za a iya faɗi da kuma rubuce rubuce.

Abin sha'awa, kusan shekara guda da ta gabata Fitowa Intelligence ya kasance yi irin wannan nuni na yuwuwar ƙirƙirar fa'ida bisa nazarin littafin gyare-gyare na jama'a a cikin V8, amma, a fili, ba a bi matakan da suka dace ba. A wurin masu bincike
Fitowa Intelligence na iya zama maharan ko hukumomin leken asiri waɗanda, lokacin ƙirƙirar cin zarafi, za su sami damar yin amfani da rauni a asirce na kwanaki ko ma makonni kafin a samar da sakin Chrome na gaba.

source: budenet.ru

Add a comment