This Week In Security: Chrome Speech Bug, UDP Fragmentation, And The Big Citrix Vulnerability

A critical security bug was fixed in Chrome recently, CVE-2020-6378. Both the CVE entry and the bug report are still marked private. All we have is “Use-after-free in speech recognizer”. Are we out of luck, trying to learn more about this vulnerability? If you look closely at the private bug report, you’ll notice it’s in the Chromium bug tracker. Chrome is based primarily on the Chromium project, with a few proprietary features added. Since Chromium is open source, we can go find the code change that fixed this bug, and possibly learn more about it.

Off to the Chromium source, mirrored on GitHub. We could look at every commit and eventually find the one we’re looking for, but Chromium commit messages usually include a reference to the bug that the commit fixes. So we can use GitHub’s search function to find a commit that mentions 1018677. Just like that, we’ve found a single commit and more information.

The shutdown mentioned in the commit message possibly refers to the browser being closed, but could also refer to the tab doing the speech recognition, or even the speech system itself. Because multiple parts are being torn down in parallel, there is a race between the call into the abort object and that object being freed. Lose the race and you get a classic use-after-free: a method is invoked through a pointer to an object whose memory has already been released. In C++ that is typically a virtual call, so the vtable pointer is read out of the dead allocation, and whatever now occupies that memory decides where execution goes.
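The shape of that race, as an added example written for this column rather than taken from the Chromium commit (class and function names are invented stand-ins, not Chromium’s): a deferred task holds a raw pointer to a recognizer object, shutdown deletes the object first, and the task then calls `Abort()` on freed memory. The vulnerable path only runs when you pass `--unsafe`, ideally under AddressSanitizer, since dereferencing freed memory is undefined behaviour. The hardened version holds a weak pointer and re-validates it before the call, so a task that loses the race becomes a no-op instead of a use-after-free.

```cpp
// Added example, not Chromium code: a shutdown race that yields a
// use-after-free, and the weak-pointer pattern that closes it.
#include <cstdio>
#include <cstring>
#include <functional>
#include <memory>
#include <vector>

// Stand-in for a speech recognizer session (assumed name/interface).
class Recognizer {
 public:
  Recognizer() : aborted_(false) {}
  virtual ~Recognizer() {}
  // Virtual: the call goes through the object's vtable pointer, which is
  // exactly what an attacker wants to control once the memory is freed.
  virtual void Abort() { aborted_ = true; }
  bool aborted() const { return aborted_; }

 private:
  bool aborted_;
};

// Vulnerable shape: a queued task captures a raw pointer.  When shutdown
// deletes the recognizer before the queue drains, Abort() is invoked on a
// dead allocation.  Build with -fsanitize=address to see the report.
void RunVulnerableShutdown() {
  Recognizer* raw = new Recognizer();
  std::vector<std::function<void()>> pending;
  pending.push_back([raw] { raw->Abort(); });  // queued before shutdown
  delete raw;                                   // shutdown path frees it
  for (auto& task : pending) task();            // use-after-free here
}

// Hardened shape: the task holds a weak_ptr and checks it before use.
// Returns true if Abort() actually ran, false if the object was gone.
bool RunHardenedShutdown(bool destroy_before_task) {
  std::shared_ptr<Recognizer> owner = std::make_shared<Recognizer>();
  std::weak_ptr<Recognizer> weak = owner;
  bool ran = false;
  std::function<void()> task = [weak, &ran] {
    if (std::shared_ptr<Recognizer> r = weak.lock()) {  // still alive?
      r->Abort();
      ran = true;
    }
  };
  if (destroy_before_task) owner.reset();  // simulate shutdown winning the race
  task();
  return ran;
}

int main(int argc, char** argv) {
  std::printf("hardened, object destroyed first: ran=%d\n",
              RunHardenedShutdown(true));   // 0: safely skipped
  std::printf("hardened, object still alive:    ran=%d\n",
              RunHardenedShutdown(false));  // 1: Abort() ran
  if (argc > 1 && std::strcmp(argv[1], "--unsafe") == 0) {
    std::printf("running vulnerable path (undefined behaviour)...\n");
    RunVulnerableShutdown();
  }
  return 0;
}
```

The weak-pointer check is the general fix pattern for this class of bug: the task never owns the object and never trusts a raw pointer across a scheduling boundary. It only converts the defect from memory corruption into a benign missed abort, which is why the real fix also has to make sure the object’s owner outlives the tasks that reference it.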

All interesting, but how does this warrant a Critical rating? Enter the Web Speech API. I’m speculating just a bit, but it’s likely that this API uses the speech recognizer code in question. It may even be interacting with the security prompt that triggers the crash. Imagine that an attacking page attempts to use the speech API, and then releases the API object before the user can respond to the prompt. That *might* be the scenario that was discovered, though we’re deep into speculation now.

Hackaday Links: October 24, 2010

Square Gears

This video demonstrates square gears and other oddly shaped cogs. We can’t think of a use, but it’s interesting nonetheless. [via Tinkernology]

Cooking with Lasers

It’s late and you’ve been at the workbench for quite some time. But why go to the kitchen for a snack? Grab a couple of 1 watt lasers, hot-glue a kernel of corn to a DC motor, and you’ll have popcorn in no time.

Calling this a simulator just doesn’t do it justice

Okay, so this link is a Lexus commercial. But it’s worth watching to see the footage of this driving simulator. Inside that pod is an actual automobile surrounded by a 360 degree screen. The room has full x and y axis motion to move the pod (and the car) as you drive through the simulated world. It’s like someone gave a bunch of geeks an unlimited budget and said “go nuts”. [Thanks Luke]

What takes the most time in your hacking adventures?

Everyone who’s spent some time in web design has run across the peculiar rendering bugs and workarounds associated with Internet Explorer. Internet Explorer Stole My Life aims to tabulate the collective time wasted from the lives of developers. We think it’s hilarious, because if the same amount of time had been spent meeting W3C standards, this problem would go away. But [Caleb] mentioned something interesting when he saw this site: What part of your hacking adventures wastes the most time? We’d love to hear about it in the comments.