Previous discussion: https://news.ycombinator.com/item?id=21425804

Was already patched on Oct 31 https://chromereleases.googleblog.com/2019/10/stable-channel...

I would suggest we put the date in these kind of 0 day titles. Nov 4 in this case...

Why would cybercriminals not just report the bug and pick up the cash from Google? Is it genuinely that much more lucrative to exploit it?

You can only sell to Google once. You can sell it to different exploit houses many times.

But also historically, some places pay in the several hundred thousand compared to tech companies that pay in the tens of thousands. So even if they only sell it once, they can make more.

It isn’t cybercriminals. Cybercriminals pretty much never have top tier 0day. This one is North Korean intelligence, and they get far more value out of it than Google is willing to pay.

>Why would cybercriminals not just report the bug and pick up the cash from Google?

Probably because they're not the ones actually finding the bugs.

The CVE is still embargoed[1] as of the time of this comment. =/

[1] https://nvd.nist.gov/vuln/detail/CVE-2019-13720

I'm assuming this doesn't affect Chromium, or Chromium(-based) browsers on Android then? Seeing as it isn't mentioned.

The article specifically mentions that it was discovered on Windows, but that doesn't mean some variation couldn't exist for other platforms.

I meant more along the lines of: is this a Chrome specific vulnerability or is the vuln apparent in Chromium and thus are all Chromium-based browsers (on any platform) affected?