by skilled 1008 days ago
> The good news is that Apple and Chrome did an amazing job at responding to this issue with the urgency that it deserves

Excuse me? It is Google that assigned this as Chrome only. Over the last 7 days alone every single major Linux distribution has had to push an update (including Red Hat, which assigned this a 9.6 score), and Docker images like Python, which has over 1 billion pulls, not to mention Puppeteer (hello?), WordPress, Node.js, etc., and CRBug is still private to this day.

I am not being condescending but sites like BleepingComputer reported this as they saw it rather than doing any investigation. And the same goes for a lot of security companies that reported on this issue in third person. It’s really difficult to foster trust when you know that the person on the other side hasn’t bothered to do any due diligence.

Adam Caudill (1Password was one of the first to patch it) did a nice blog post, “Whose CVE is it anyway?”[0] highlighting the issue I am talking about in my comment.

Citizen Lab has refused to comment on whether both are related, but it doesn’t take a genius, does it…

[0]: https://adamcaudill.com/2023/09/14/whose-cve-is-it-anyway/

1 comment

Apple and Chrome specifically matter here because those were the targets being exploited in the wild, and they have the most direct attack surface with the largest number of users.

The author mentions that many other systems need to patch as well. However, how many of those billion Python Docker pulls are rendering untrusted WebP images? Same for Node, etc. These should also be promptly patched, but they're not in the same ballpark here as iOS/Android/Chrome.