joshuark writes: Microsoft found a bug in ChromeOS and gave it a high vulnerability rating of 9.8 out of 10. The bug was immediately patched and about a month later merged into the ChromeOS code released on June 15, 2022. This is a reversal of how Google usually finds security bugs in software from Microsoft and other vendors typically after 90 days — even if a patch hasn’t been released — in the interest of forcing companies to respond to security flaws more quickly. […] The ChromeOS memory corruption vulnerability — CVE-2022-2587 — was particularly severe. As Jonathan Barr Orr, a member of the Microsoft 365 Defender research team, explains in his post, the issue is caused by the use of D-Bus, the inter-process communication (IPC) mechanism used in Linux. A D-Bus service called org.chromium.cras (for ChromiumOS Audio Server) provides the ability to route audio to newly added peripherals such as USB speakers and Bluetooth headsets. The service includes a function called SetPlayerIdentity that takes as input a string argument called identity. And the C code of the function calls strcpy in the standard library. Yes, strcpy is an unsafe function.
Read more of this story on Slashdot.