
Chrome 0-day exploit used in Operation WizardOpium - Arubis
https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/
======
jbk
I know this is a bit of a pet peeve of mine (and not a very popular opinion), but
I think the browsers are doing too much, and WebAudio is a very good example
of that.

Instead of standardizing something low-level to input/output audio and query
the hardware, like an OS, it standardizes soooo many things and filters,
including downmixers, panners, quadfilters and Convolution (for reverbs),
which is where the issue is in this exploit.

The resulting complexity is huge, almost impossible to implement correctly in
a cross-browser way, and a lot more code in C/C++ is written.

I do advocate simpler APIs for audio, low-level, and let JS or Wasm do the
filtering, using the JS sandboxing model.

And, of course, this does not apply only to WebAudio, but I think WebAudio is
a good symptom.

~~~
est31
wasm is only a new phenomenon and those APIs were designed without wasm in
mind. Note that wasm is also slower and thus more resource (battery) consuming
than a native C++ implementation. Also, Chrome is already adding audioworklets
to WebAudio so it will become customizable. Last but not least, browsers are
at least a central place that can be patched. Compare this to a possible
future where vulnerable wasm libraries are being used in web apps, allowing
third parties to run cross-site wasm-based exploits. Websites can't even
switch off SMS-based 2FA, would you expect them to keep their wasm libraries
up to date?

~~~
baybal2
Long story short, WASM must be removed from browsers before it reaches wider
adoption. And along with other completely unneeded APIs.

Parties opposing that must be expelled from standard bodies.

P.S. Just look at the completely outrageous effort to push payment APIs into the
browser and the stuff they want to bundle along:
[https://www.w3.org/2019/09/15-wpwg-minutes.html](https://www.w3.org/2019/09/15-wpwg-minutes.html)

~~~
pjc50
Those are two genuinely useful things, without the hardware API issues of the
others.

------
willtim
> "The exploit used a race condition bug between two threads due to missing
> proper synchronization between them. It gives an attacker a Use-After-Free
> (UaF) condition that is very dangerous because it can lead to code execution
> scenarios"

This is why C++ needs to be retired; and why we need to use safer languages.
Not even Google can write safe C++. Thankfully Mozilla have already realised
this.

~~~
zozbot234
> This is why C++ needs to be retired; and why we need to use safer languages.

These problems can easily happen in a language like Go, unfortunately. Go is
memory safe for sequential code, but that guarantee does not extend to in-
process concurrency - Goroutines can access shared state without
synchronization, and create memory unsafety.
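
The torn-interface race described above and its mutex fix, as an added Go example that is not part of this thread (the Shape, Square, Circle and SafeShape types and the pick, legal, run, racySwap and safeSwap helpers are constructed for illustration):

```go
package main

import "sync"

// A Go interface value is two machine words (method table, data pointer), so
// an unsynchronised write to a shared Shape can be read half-updated.
type Shape interface{ Area() float64 }
type Square struct{ side float64 }
type Circle struct{ r float64 }
func (s *Square) Area() float64 { return s.side * s.side }
func (c *Circle) Area() float64 { return 3.14159 * c.r * c.r }
func pick(i int) Shape { // alternate between the two concrete types
	if i%2 == 0 {
		return &Circle{r: 1}
	}
	return &Square{side: 2}
}

// Only a consistent (method, data) pair yields 4 or 3.14159; a torn pair runs
// one type's method over the other's field and yields 1 or about 12.57.
func legal(a float64) bool { return a == 4 || a == 3.14159 }

// run drives one writer and one reader goroutine through the given accessors.
func run(iters int, set func(Shape), area func() float64) bool {
	ok := true
	var wg sync.WaitGroup
	wg.Add(2)
	go func() { defer wg.Done(); for i := 0; i < iters; i++ { set(pick(i)) } }()
	go func() { defer wg.Done(); for i := 0; i < iters; i++ { ok = ok && legal(area()) } }()
	wg.Wait()
	return ok
}

// racySwap is the idiomatic-looking pattern warned about above: a plain shared
// variable and no lock. `go run -race` reports a data race; without -race it
// can return false, meaning a method ran over the other type's memory.
func racySwap(iters int) bool {
	var shared Shape = pick(1)
	return run(iters, func(s Shape) { shared = s }, func() float64 { return shared.Area() })
}

// SafeShape is the fix: a sync.RWMutex orders every read and write of the
// interface value, so a reader can never observe a torn pair.
type SafeShape struct { mu sync.RWMutex; s Shape }
func (ss *SafeShape) Set(s Shape)   { ss.mu.Lock(); defer ss.mu.Unlock(); ss.s = s }
func (ss *SafeShape) Area() float64 { ss.mu.RLock(); defer ss.mu.RUnlock(); return ss.s.Area() }
func safeSwap(iters int) bool {
	ss := &SafeShape{s: pick(1)}
	return run(iters, ss.Set, ss.Area)
}
```

Run `go run -race` on a main that calls racySwap to see the detector report the unsynchronised access; safeSwap is silent under the same flag.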

~~~
nicoburns
But not in Rust. Go isn't exactly a bastion of safety. It's memory safe due to
the GC, but it has a weak type system, so logic bugs are not well guarded
against.

~~~
zozbot234
> It's memory safe due to the GC

That gets debatable as soon as you start using concurrency, like I said. There
are _idiomatic_ patterns in concurrent Go that are very much _not_ safe.

~~~
MaxBarraclough
What do you mean?

It has a GC, right? So use-after-free is impossible, no?

------
Jyaif
Funnily enough, looks like the vulnerability was introduced by a (Korean?)
Samsung engineer.

fix: [https://chromium-review.googlesource.com/c/chromium/src/+/18...](https://chromium-review.googlesource.com/c/chromium/src/+/1888103)

git blame:
[https://chromium.googlesource.com/chromium/src.git/+/e1fa6d4...](https://chromium.googlesource.com/chromium/src.git/+/e1fa6d40966b5eb966feeed6fbe18675e819ff6d%5E%21/#F1)

~~~
ChrisCinelli
What a coincidence! =)

------
avian
Operation WizardOpium, Lazarus attacks, DarkHotel, ... The executive summary
reads like something out of a Charles Stross novel.

~~~
m00dy
okay, I busted out loud at this one :)

------
sanbor
This is why I started disabling JS by default using uBlock Origin. I whitelist
the websites that I'm interested in, but at least I avoid a lot of exploits
that require JS. This is in case I'm unlucky and I land on one of those
websites with malicious JS. I discovered DuckDuckGo doesn't block websites as
eagerly as Google and landed in a few tricky places.

~~~
dmos62
If you want Google Search without Google, there's Startpage. It acts as a
proxy between you and Google, protecting your privacy. I've been using it
exclusively for maybe two years now. I am a bit upset at not supporting the
more involved privacy-friendly projects, like DuckDuckGo or others (there are
quite a few); but Startpage gives me the right mix of privacy, efficiency
and social awareness at the moment.

~~~
hellcow
Startpage was recently acquired by an ad company.

[https://www.reddit.com/r/privacy/comments/di5rn3/startpage_i...](https://www.reddit.com/r/privacy/comments/di5rn3/startpage_is_now_owned_by_an_advertising_company/)

~~~
dmos62
Wow. Thanks for the heads up.

------
dstaley
I wonder if this exploit would be possible if Chrome was packaged using the
UWP Desktop Bridge on Windows 10. I doubt the sandbox prevents UAF, but surely
it would have prevented executing an EXE file.

~~~
panpanna
I wonder the same thing with Linux contained executables, such as snap.

(not sure if chrome is available as an official snap)

~~~
dstaley
It's my understanding that this particular exploit only targeted Windows, but
the underlying UAF vulnerability affected all Chrome variants.

------
londons_explore
The attack code wasn't in an advert, suggesting the Korean news organisation
had either previously been attacked, or had an insider plant this code.

~~~
bureaucrat
This attack was done by North Koreans. The site is a North Korean propaganda
advertising site, which is visited a lot by South Korean researchers.

~~~
dmix
That would explain the strange/weak infrastructure and the economic targets in
APAC.

------
tekni5
Is there any way to test this on other Chrome-based browsers?

For example, the current version of Iridium is 2019.04.73.0 (based on Chromium
73.0.3683.103); it doesn't get updated that often but is a useful and stable
browser.

Any way to mitigate this exploit via any setting or extension?

~~~
0xdeadb00f
I'll also ask is Chromium affected? And does that mean Chrome-based browsers
on Android are affected too?

------
londons_explore
Attacking a Korean news website hey? I wonder who might want to do that...

~~~
newguy1234
Just some guy named Kenneth Osborne probably.

------
euph0ria
How can I know if I was infected and what can I do about it?

~~~
NullPrefix
You should follow the same procedure as you do for any other, disclosed or
undisclosed, infections and vulnerabilities.

~~~
euph0ria
Please let us know what your procedure is?

~~~
ianai
It’s checking for Chrome versions below the current, 78, so update to that.
You also have to be on Windows. On Windows, make sure you have your antivirus
set up to block random executables from download and execution. I’d also block
those hosts at the firewall and DNS. It gets more complicated from there if
you’re infected. But you probably aren’t.

Edit: just realized you actually asked how to tell if you were infected.
Check the Windows Task Scheduler for unknown tasks. It installs items there
for persistence. Edit: search your history and hard drive for “behindcorona”
domains. That’s where it loads things from. There are more specifics in the
page.

------
yread
That analysis must have taken quite a while. Wasn't there any way to notify
people earlier?

~~~
Evanbenn
The analysis was posted when the fix was deployed.

------
piiwebtech
7th habit of Highly Effective People being to continuously Be Proactive

[http://franklincoveysouthasia.com/TrainingConsulting/Trainin...](http://franklincoveysouthasia.com/TrainingConsulting/TrainingCurriculums/the7habitssolutions/)

------
bureaucrat
CVE no. was created in July. I wonder whether the fix took that long.

~~~
tambre
CVEs are typically reserved in blocks by big organizations.

------
anovikov
The tragedy of our generation is that people who are so smart and determined to
find and exploit these vulnerabilities can't find better uses for their
talents.

~~~
ethanwillis
Or maybe society isn't providing them an accessible application for their
talents.

~~~
malux85
Don't improve the product, just find dumber customers!

Don’t lose weight, just buy bigger trousers!

Don’t take personal responsibility, just blame society!

~~~
petra
Of course it's both.

Personal responsibility is important. And even if you're bored, there are
things to do other than hacking.

But working mind-numbing jobs, way below one's skills and talents, happens to
such a large share of people.

Maybe it's a sign of a problem with society?

------
lovelearning
As I understand these RCEs (in general; perhaps not this particular one), a
frequent root cause seems to be saving the instruction pointer on the stack
adjacent to untrustworthy data which may have propagated down the call chain.
Are there no initiatives being attempted to change this convention? Like not
saving the IP on the stack? Perhaps at the CPU architecture level or at the
compiler level?

~~~
cjbprime
There are already many modern mitigations present to defeat the kind of stack
overflow control of the instruction pointer that you're imagining -- stack
canaries, DEP, ASLR, NX, and others.

Simply gaining control of the instruction pointer through a stack overflow as
you describe stopped working a decade or so ago due to these mitigations.

~~~
saagarjha
DEP and NX are essentially the same thing, FYI.

------
dajohnson89
this only affects windows users, right?

------
kerng
Well, Chrome is indeed the new Internet Explorer. A new favorite target for
threat actors.

~~~
panpanna
After one 0-day?

~~~
stinos
This wasn't literally the first one I think?

~~~
svenfaw
Far from it. Here's an older one this year:
[https://chromereleases.googleblog.com/2019/03/stable-channel...](https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop.html?m=1)

~~~
staticassertion
"Far from it", as you link to literally the only other case.

