CVE-2022-0609 exists in the wild

Google announces zero-day in Chrome browser - update now!
https://nakedsecurity.sophos.com/2022/02/15/google-announces-zero-day-in-chrome-browser-update-now/

On Tue, 15 Feb 2022 14:00:16 -0800, gtr wrote:
>
> CVE-2022-0609 exists in the wild
>
> Google announces zero-day in Chrome browser - update now!
> https://nakedsecurity.sophos.com/2022/02/15/google-announces-zero-day-in-chrome-browser-update-now/

Click the three-button menu and then Help » About Google Chrome. The
patch is in version 98.0.4758.102, so if your version is that or
later then Chrome has already updated itself.

--
Stan Brown, Tehachapi, California, USA https://BrownMath.com/
Shikata ga nai...

Stan Brown wrote:
> On Tue, 15 Feb 2022 14:00:16 -0800, gtr wrote:
>>
>> CVE-2022-0609 exists in the wild
>>
>> Google announces zero-day in Chrome browser - update now!
>> https://nakedsecurity.sophos.com/2022/02/15/google-announces-zero-day-in-chrome-browser-update-now/
>
> Click the three-button menu and then Help » About Google Chrome. The
> patch is in version 98.0.4758.102, so if your version is that or
> later then Chrome has already updated itself.
>

Yes,
98.0.4758.102 was released yesterday(Feb. 14, 2022)
- adressing 11 Security related issues

Chrome Updates were also released for iOS, Android, Beta and Dev Channels.

--
....w¡ñ§±¤ñ

....w¡ñ§±¤ñ <winstonmvp@gmail.com> wrote:
> Stan Brown wrote:
> > On Tue, 15 Feb 2022 14:00:16 -0800, gtr wrote:
> >>
> >> CVE-2022-0609 exists in the wild
> >>
> >> Google announces zero-day in Chrome browser - update now!
> >> https://nakedsecurity.sophos.com/2022/02/15/google-announces-zero-day-in-chrome-browser-update-now/
> >
> > Click the three-button menu and then Help » About Google Chrome. The
> > patch is in version 98.0.4758.102, so if your version is that or
> > later then Chrome has already updated itself.
> >

> Yes,
> 98.0.4758.102 was released yesterday(Feb. 14, 2022)
> - adressing 11 Security related issues

> Chrome Updates were also released for iOS, Android, Beta and Dev Channels.

I assume Edge will get this fix too soon.
--
Too much sleep! Early summer is gone, and winter is back? Incoming slammy times. Back to normal again. :(
Note: A fixed width font (Courier, Monospace, etc.) is required to see this signature correctly.
/\___/\ Ant(Dude) @ http://aqfl.net & http://antfarm.home.dhs.org.
/ /\ /\ \ Please nuke ANT if replying by e-mail.
| |o o| |
\ _ /
( )

On Tue, 15 Feb 2022 14:22:59 -0800, Stan Brown
<the_stan_brown@fastmail.fm> wrote:

>On Tue, 15 Feb 2022 14:00:16 -0800, gtr wrote:
>>
>> CVE-2022-0609 exists in the wild
>>
>> Google announces zero-day in Chrome browser - update now!
>> https://nakedsecurity.sophos.com/2022/02/15/google-announces-zero-day-in-chrome-browser-update-now/
>
>Click the three-button menu and then Help » About Google Chrome. The
>patch is in version 98.0.4758.102, so if your version is that or
>later then Chrome has already updated itself.

I have Chrome installed, although I only rarely use it. It just auto
updated to the version you provided above, but the strange thing is that
it claims to be managed by my organization. I don't have an
organization, so that seems odd.

On 2/15/2022 9:32 PM, Char Jackson wrote:
> On Tue, 15 Feb 2022 14:22:59 -0800, Stan Brown
> <the_stan_brown@fastmail.fm> wrote:
>
>> On Tue, 15 Feb 2022 14:00:16 -0800, gtr wrote:
>>>
>>> CVE-2022-0609 exists in the wild
>>>
>>> Google announces zero-day in Chrome browser - update now!
>>> https://nakedsecurity.sophos.com/2022/02/15/google-announces-zero-day-in-chrome-browser-update-now/
>>
>> Click the three-button menu and then Help » About Google Chrome. The
>> patch is in version 98.0.4758.102, so if your version is that or
>> later then Chrome has already updated itself.
>
> I have Chrome installed, although I only rarely use it. It just auto
> updated to the version you provided above, but the strange thing is that
> it claims to be managed by my organization. I don't have an
> organization, so that seems odd.

There are always preferences on a computer, intended for Enterprise application.
If, as a user, you read some web page, conclude "neat, I'm gonna do that",
and mess with one of those settings, later on you'll be going "what
the hell is my organization".

You have to think back what you've adjusted.

For example, I was getting all sorts of "organization this and that" on
a Win10, and I traced that back to a GPEDIT I'd done in a moment of
frustration. Defender was sucking the life out of the computer,
and at the time, was "ignoring" the GUI control for it. So I got
out the hammer and fixed it. But then, forgot to undo the change later...

GPEDIT controls are three-state,

unconfigured
configured, set to logic 1
configured, set to logic 0

You would think the first and third are the same, but they are not.

For Chrome, the most efficient fix, would be to note which page or
feature is displaying the message. Then Google it. I don't
know Chrome well enough, to tell you whether it has a prefs.js
or an about:config or not.

Paul

Ant wrote:
> ...w¡ñ§±¤ñ <winstonmvp@gmail.com> wrote:
>> Stan Brown wrote:
>>> On Tue, 15 Feb 2022 14:00:16 -0800, gtr wrote:
>>>>
>>>> CVE-2022-0609 exists in the wild
>>>>
>>>> Google announces zero-day in Chrome browser - update now!
>>>> https://nakedsecurity.sophos.com/2022/02/15/google-announces-zero-day-in-chrome-browser-update-now/
>>>
>>> Click the three-button menu and then Help » About Google Chrome. The
>>> patch is in version 98.0.4758.102, so if your version is that or
>>> later then Chrome has already updated itself.
>>>
>
>> Yes,
>> 98.0.4758.102 was released yesterday(Feb. 14, 2022)
>> - adressing 11 Security related issues
>
>> Chrome Updates were also released for iOS, Android, Beta and Dev Channels.
>
> I assume Edge will get this fix too soon.
>
Afaics, MSFT acknowledged the ;0609' Zero-day exploit,working on the patch.
Google for the same vulnerability appears to have only said they are
aware of reports of the vulnerability existing in the wild.

--
....w¡ñ§±¤ñ
msft mvp 2007-2020

Char Jackson wrote:
> On Tue, 15 Feb 2022 14:22:59 -0800, Stan Brown
> <the_stan_brown@fastmail.fm> wrote:
>
>> On Tue, 15 Feb 2022 14:00:16 -0800, gtr wrote:
>>>
>>> CVE-2022-0609 exists in the wild
>>>
>>> Google announces zero-day in Chrome browser - update now!
>>> https://nakedsecurity.sophos.com/2022/02/15/google-announces-zero-day-in-chrome-browser-update-now/
>>
>> Click the three-button menu and then Help » About Google Chrome. The
>> patch is in version 98.0.4758.102, so if your version is that or
>> later then Chrome has already updated itself.
>
> I have Chrome installed, although I only rarely use it. It just auto
> updated to the version you provided above, but the strange thing is that
> it claims to be managed by my organization. I don't have an
> organization, so that seems odd.
>
Did you install or one time install the Enterprise version?

<https://support.google.com/chrome/a/answer/9844476?hl=en#zippy=%2Cwindows>

--
....w¡ñ§±¤ñ

In article <2doo0h9flr6tam27ur2qe0e1ab8j4jilrg@4ax.com>,
Char Jackson says...

> it claims to be managed by my organization. I don't have an
> organization, so that seems odd.
>
>
My Chrome says "Your browser is managed"
Do you have any password or cookie manager type extensions installed?

--
Ken

On 15 Feb 2022, Stan Brown <the_stan_brown@fastmail.fm> wrote :

> The
> patch is in version 98.0.4758.102, so if your version is that or
> later then Chrome has already updated itself.

What about the many chrome based browsers?

"Char Jackson" <none@none.invalid> wrote

| I have Chrome installed, although I only rarely use it. It just auto
| updated to the version you provided above, but the strange thing is that
| it claims to be managed by my organization. I don't have an
| organization, so that seems odd.
|

I don't use any Chrome/Chromium browsers, but I get the
same message in Firefox when I install a policies.json file.

IE was designed from the beginning to allow corporate IT
people to override settings. One setting in HKLM would render
the HKCU settings irrelevant. People could set whatever they liked
and it would be ignored. One of the complaints with Netscape
was that it wasn't similarly "enterprise-friendly".

Starting with v. 60, Mozilla began doing a similar thing with
Firefox.

https://github.com/mozilla/policy-templates/blob/master/README.md

As with the IE settings, the change was relatively
secret and complicated. Any employee clever enough to change
settings in prefs (about:config) could be overruled. The way it
works is that you have to create a folder called "distribution" in
the program folder. In that folder you add a file called policies.json.
In policies.json you then add complicated JSON gobbledygook to
do things like block updates. The setting still exists in prefs, but
it no longer has any effect!

If you have a policies.json you'll see a message like you saw.
Presumably Chrome/Edge have an option similar to policies.json,
but I don't know what it is.

On Tue, 15 Feb 2022 20:32:44 -0600, Char Jackson wrote:
>
> On Tue, 15 Feb 2022 14:22:59 -0800, Stan Brown
> <the_stan_brown@fastmail.fm> wrote:
>
> >On Tue, 15 Feb 2022 14:00:16 -0800, gtr wrote:
> >>
> >> CVE-2022-0609 exists in the wild
> >>
> >> Google announces zero-day in Chrome browser - update now!
> >> https://nakedsecurity.sophos.com/2022/02/15/google-announces-zero-day-in-chrome-browser-update-now/
> >
> >Click the three-button menu and then Help » About Google Chrome. The
> >patch is in version 98.0.4758.102, so if your version is that or
> >later then Chrome has already updated itself.
>
> I have Chrome installed, although I only rarely use it. It just auto
> updated to the version you provided above, but the strange thing is that
> it claims to be managed by my organization. I don't have an
> organization, so that seems odd.

I believe you get that if you disable updates by method 2, 3, or 4
from this article:
https://www.webnots.com/7-ways-to-disable-automatic-chrome-update-in-
windows-and-mac/

Obviously you didn't do that, but very possibly it's some other tweak
that you made a long time ago and have forgotten about.

--
Stan Brown, Tehachapi, California, USA https://BrownMath.com/
Shikata ga nai...

On Wed, 16 Feb 2022 00:13:49 -0700, ...w¡ñ§±¤ñ <winstonmvp@gmail.com>
wrote:

>Char Jackson wrote:
>> On Tue, 15 Feb 2022 14:22:59 -0800, Stan Brown
>> <the_stan_brown@fastmail.fm> wrote:
>>
>>> On Tue, 15 Feb 2022 14:00:16 -0800, gtr wrote:
>>>>
>>>> CVE-2022-0609 exists in the wild
>>>>
>>>> Google announces zero-day in Chrome browser - update now!
>>>> https://nakedsecurity.sophos.com/2022/02/15/google-announces-zero-day-in-chrome-browser-update-now/
>>>
>>> Click the three-button menu and then Help » About Google Chrome. The
>>> patch is in version 98.0.4758.102, so if your version is that or
>>> later then Chrome has already updated itself.
>>
>> I have Chrome installed, although I only rarely use it. It just auto
>> updated to the version you provided above, but the strange thing is that
>> it claims to be managed by my organization. I don't have an
>> organization, so that seems odd.
>>
>Did you install or one time install the Enterprise version?

No, but the steps at the link below have cleared it up. Chrome no longer
says it's 'managed by your organization'.

I'll try to remember to check it again after a period of time because of
the possibility of malware.

><https://support.google.com/chrome/a/answer/9844476?hl=en#zippy=%2Cwindows>

On Wed, 16 Feb 2022 11:24:41 -0000, Unsteadyken <unsteadyken@gmail.com>
wrote:

>In article <2doo0h9flr6tam27ur2qe0e1ab8j4jilrg@4ax.com>,
>
>Char Jackson says...
>
>> it claims to be managed by my organization. I don't have an
>> organization, so that seems odd.
>>
>>
>My Chrome says "Your browser is managed"
>Do you have any password or cookie manager type extensions installed?

No extensions installed, but the steps from ...winston's link have
worked to remove that message. I'll try to remember to check later to
see if the situation returns.

On Wed, 16 Feb 2022 06:54:13 -0800, Stan Brown
<the_stan_brown@fastmail.fm> wrote:

>On Tue, 15 Feb 2022 20:32:44 -0600, Char Jackson wrote:
>>
>> On Tue, 15 Feb 2022 14:22:59 -0800, Stan Brown
>> <the_stan_brown@fastmail.fm> wrote:
>>
>> >On Tue, 15 Feb 2022 14:00:16 -0800, gtr wrote:
>> >>
>> >> CVE-2022-0609 exists in the wild
>> >>
>> >> Google announces zero-day in Chrome browser - update now!
>> >> https://nakedsecurity.sophos.com/2022/02/15/google-announces-zero-day-in-chrome-browser-update-now/
>> >
>> >Click the three-button menu and then Help » About Google Chrome. The
>> >patch is in version 98.0.4758.102, so if your version is that or
>> >later then Chrome has already updated itself.
>>
>> I have Chrome installed, although I only rarely use it. It just auto
>> updated to the version you provided above, but the strange thing is that
>> it claims to be managed by my organization. I don't have an
>> organization, so that seems odd.
>
>I believe you get that if you disable updates by method 2, 3, or 4
>from this article:
>https://www.webnots.com/7-ways-to-disable-automatic-chrome-update-in-
>windows-and-mac/
>
>Obviously you didn't do that, but very possibly it's some other tweak
>that you made a long time ago and have forgotten about.

No tweaks or extensions, but ...winston's link worked to remove the
'managed' message.

On 2/16/2022 6:30 AM, Lars Anders wrote:
> On 15 Feb 2022, Stan Brown <the_stan_brown@fastmail.fm> wrote :
>
>> The
>> patch is in version 98.0.4758.102, so if your version is that or
>> later then Chrome has already updated itself.
>
> What about the many chrome based browsers?
>

They'll get around to it, eventually.

Chromium is the head of the tree. Everything else is derivative.
You can actually get and install Chromium for your own self if you want.
(They make this difficult to do, on purpose, but I've installed it here.)
It is different than Google Chrome. Notice how I've drawn MSEdge as
being at the same level as Google.

Chromium (FOSS) ---- Chrome (Google)
---- Microsoft MSEdge New Version
------------------------------------- Opera
----------------------------------------------Brave

Google structured it that way, so the "public" could make
submissions to the FOSS tree. Naturally, a lot of the
submissions to Chromium, come from Google.

That's just a fluffy picture from 60,000 feet, with
no details drawn in on purpose :-)

Maybe the length of the --- means something.

Paul

Char Jackson wrote:
> On Wed, 16 Feb 2022 00:13:49 -0700, ...w¡ñ§±¤ñ <winstonmvp@gmail.com>
> wrote:
>
>> Char Jackson wrote:
>>> On Tue, 15 Feb 2022 14:22:59 -0800, Stan Brown
>>> <the_stan_brown@fastmail.fm> wrote:
>>>
>>>> On Tue, 15 Feb 2022 14:00:16 -0800, gtr wrote:
>>>>>
>>>>> CVE-2022-0609 exists in the wild
>>>>>
>>>>> Google announces zero-day in Chrome browser - update now!
>>>>> https://nakedsecurity.sophos.com/2022/02/15/google-announces-zero-day-in-chrome-browser-update-now/
>>>>
>>>> Click the three-button menu and then Help » About Google Chrome. The
>>>> patch is in version 98.0.4758.102, so if your version is that or
>>>> later then Chrome has already updated itself.
>>>
>>> I have Chrome installed, although I only rarely use it. It just auto
>>> updated to the version you provided above, but the strange thing is that
>>> it claims to be managed by my organization. I don't have an
>>> organization, so that seems odd.
>>>
>> Did you install or one time install the Enterprise version?
>
> No, but the steps at the link below have cleared it up. Chrome no longer
> says it's 'managed by your organization'.
>
> I'll try to remember to check it again after a period of time because of
> the possibility of malware.
>
>> <https://support.google.com/chrome/a/answer/9844476?hl=en#zippy=%2Cwindows>
>
Glad to hear the 'clean out' link provided benefit.
- Kudos to friend Arlen for the link(10 yrs at MSFT, 6 at Google, now
at Leidos).

--
....w¡ñ§±¤ñ
msft mvp 2007-2021

....w¡ñ§±¤ñ <winstonmvp@gmail.com> wrote:
> Ant wrote:
> > ...w¡ñ§±¤ñ <winstonmvp@gmail.com> wrote:
> >> Stan Brown wrote:
> >>> On Tue, 15 Feb 2022 14:00:16 -0800, gtr wrote:
> >>>>
> >>>> CVE-2022-0609 exists in the wild
> >>>>
> >>>> Google announces zero-day in Chrome browser - update now!
> >>>> https://nakedsecurity.sophos.com/2022/02/15/google-announces-zero-day-in-chrome-browser-update-now/
> >>>
> >>> Click the three-button menu and then Help » About Google Chrome. The
> >>> patch is in version 98.0.4758.102, so if your version is that or
> >>> later then Chrome has already updated itself.
> >>>
> >
> >> Yes,
> >> 98.0.4758.102 was released yesterday(Feb. 14, 2022)
> >> - adressing 11 Security related issues
> >
> >> Chrome Updates were also released for iOS, Android, Beta and Dev Channels.
> >
> > I assume Edge will get this fix too soon.
> >
> Afaics, MSFT acknowledged the ;0609' Zero-day exploit,working on the patch.
> Google for the same vulnerability appears to have only said they are
> aware of reports of the vulnerability existing in the wild.

It's out now!
--
LA Rams on a slammy(?) hump day. Early summer is gone, and winter came back with hails, lightnings, etc. yesterday. :O
Note: A fixed width font (Courier, Monospace, etc.) is required to see this signature correctly.
/\___/\ Ant(Dude) @ http://aqfl.net & http://antfarm.home.dhs.org.
/ /\ /\ \ Please nuke ANT if replying by e-mail.
| |o o| |
\ _ /
( )

On Wed, 16 Feb 2022 12:08:19 -0500, Paul wrote:

> You can actually get and install Chromium for your own self if you want.

Chrome is here, I think (it says it has the latest security fixes).
<https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html>

Probably safer to install Ungoogled Chromium instead of Chromium though...
<https://sourceforge.net/projects/ungoogled-chromium.mirror/>
<https://github.com/Eloston/ungoogled-chromium>