For the third time in two weeks, Google has patched Chrome zero-day vulnerabilities that are being actively exploited in the wild: CVE-2020-16009 is present in the desktop version of the browser, CVE-2020-16010 in the mobile (Android) version.
About the vulnerabilities (CVE-2020-16009, CVE-2020-16010)
As per usual, Google has refrained from sharing much detail about each of the patched vulnerabilities, so all we know is this: CVE-2020-16009 is an inappropriate implementation flaw in V8, Chrome’s open source …
The post Google fixes two actively exploited Chrome zero-days (CVE-2020-16009, CVE-2020-16010) appeared first on Help Net Security.
Security researcher Rafay Baloch has discovered address bar spoofing vulnerabilities in several mobile browsers, which could allow attackers to trick users into sharing sensitive information through legitimate-looking phishing sites.
“With ever growing sophistication of spear phishing attacks, exploitation of browser-based vulnerabilities such as address bar spoofing may exacerbate the success of spear phishing attacks and hence prove to be very lethal,” he noted.
“First and foremost, it is easy to persuade the victim into stealing credentials or distributing malware when the address bar points to a trusted website and gives no indicators of forgery; secondly, since the vulnerability exploits a specific feature in a browser, it can evade several anti-phishing schemes and solutions.”
The address bar spoofing vulnerabilities and affected mobile browsers
Unlike desktop browsers, mobile browsers are not great at showing security indicators that might point to a site’s malicious nature. In fact, pretty much the only consistent indicator is the address bar (i.e. a suspicious-looking URL in it).
So if the attacker is able to spoof the URL and show the one the user expects – for example, apple.com for a phishing site that impersonates Apple – chances are good the user will enter their login credentials into it. The vulnerabilities discovered by Baloch permit exactly that, and affect the:
- UC Browser, Opera Mini, Yandex Browser and RITS Browser for Android
- Opera Touch, Bolt Browser and Safari for iOS
“By messing with the timing between page loads and when the browser gets a chance to refresh the address bar, an attacker can cause either a pop-up to appear to come from an arbitrary website or can render content in the browser window that falsely appears to come from an arbitrary website.”
Fixes for some, not for others
As 60+ days have passed since the vendors were apprised of the existence of the flaws, Baloch released some details and several PoC exploits.
In the meantime:
- Apple and Yandex pushed out fixes
- Opera released security updates for Opera Touch and is expected to do the same for Opera Mini in early November
- Raise IT Solutions planned to release a fix for the RITS Browser this week, but hasn’t yet
- UCWeb (the creators of the UC Browser) haven’t responded to the report, and it’s doubtful whether the creator of the Bolt Browser knows about the vulnerabilities, as they haven’t been able to contact him (the disclosure notification bounced when sent to the support email listed)
Users should implement the offered updates (if they don’t have the “auto-update” option switched on). Those who use browsers that still don’t have fixes available might want to consider switching to a browser that’s more actively developed/patched.
But all should be extra careful when thinking about clicking on links received via text or email from unknown sources. These flaws have been remediated, but other similar ones will surely be discovered in the future – let’s just hope it’s by researchers, and not attackers.
Google aims to improve security of browser engines, third-party Android devices and apps on Google Play
Researchers must also bear the costs of fuzzing in advance, even though there’s a possibility their approach may not discover any bugs or, if it does, that they won’t receive a reward for finding them. This fact might deter many of them and, consequently, bugs stay unfixed and exploitable for longer.
That’s why Google is offering $5,000 research grants in the form of Google Compute Engine credits.
Helping third parties in the Android ecosystem
The company is also set on improving the security of the Android ecosystem, and to that point it’s launching the Android Partner Vulnerability Initiative (APVI).
“Until recently, we didn’t have a clear way to process Google-discovered security issues outside of AOSP (Android Open Source Project) code that are unique to a much smaller set of specific Android OEMs,” the company explained.
“The APVI […] covers a wide range of issues impacting device code that is not serviced or maintained by Google (these are handled by the Android Security Bulletins).”
Already discovered issues and those yet to be unearthed have been/will be shared through this bug tracker.
Simultaneously, the company is looking for a Security Engineering Manager in Android Security who will, among other things, lead a team that “will perform application security assessments against highly sensitive, third party Android apps on Google Play, working to identify vulnerabilities and provide remediation guidance to impacted application developers.”
Browsing histories can be used to compile unique browsing profiles, which can be used to track users, Mozilla researchers have confirmed.
There are also many third parties pervasive enough to gather web histories sufficient to leverage browsing history as an identifier.
This is not the first time that researchers have demonstrated that browsing profiles are distinctive and stable enough to be used as identifiers.
Sarah Bird, Ilana Segall and Martin Lopatka were spurred to reproduce the results set forth in a 2012 paper by Lukasz Olejnik, Claude Castelluccia, and Artur Janc, using more refined data, and they’ve extended that work to detail the privacy risk posed by the aggregation of browsing histories.
The Mozillians collected browsing data from ~52,000 Firefox users for 7 calendar days, then paused for 7 days, and then resumed for an additional 7 days. After analyzing the collected data, they identified 48,919 distinct browsing profiles, of which 99% are unique. (The original paper observed a set of ~400,000 web history profiles, of which 94% were unique.)
“High uniqueness holds even when histories are truncated to just 100 top sites. We then find that for users who visited 50 or more distinct domains in the two-week data collection period, ~50% can be reidentified using the top 10k sites. Reidentifiability rose to over 80% for users that browsed 150 or more distinct domains,” they noted.
They also confirmed that browsing history profiles are stable through time – a second prerequisite for these profiles being repeatedly tied to specific users/consumers and used for online tracking.
“Our reidentifiability rates in a pool of 1,766 were below 10% for 100 sites despite a >90% profile uniqueness across datasets, but increased to ~80% when we consider 10,000 sites,” they added.
Finally, some corporate entities like Alphabet (Google) and Facebook are able to observe the web to an even greater extent than when the research for the 2012 paper was conducted, which may allow them to gain deep visibility into browsing activity and use that visibility for effective online tracking – even if users use different devices to browse the internet.
Other recent research has shown that anonymization of browsing patterns/profile through generalization does not sufficiently protect users’ anonymity.
Regulation is needed
Privacy researcher Lukasz Olejnik, one of the authors of the 2012 paper, noted that the findings of this newest research are a welcome confirmation that web browsing histories are personal data that can reveal insight about the user or be used to track users.
“In some ways, browsing histories resemble biometric-like data due to their uniqueness and stability,” he commented, and pointed out that, since this data allows the singling-out of individuals out of many, it automatically comes under the General Data Protection Regulation (GDPR).
“Web browsing histories are private data, and in certain contexts, they are personal data. Now the state of the art in research indicates this. Technology should follow. So too should the regulations and standards in the data processing. As well as enforcement,” he concluded.
NSS Labs released the results of its web browser security test after testing Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera, for phishing protection and malware protection.
- Phishing protection rates ranged from 79.2% to 95.5%
- For malware, the highest block rate was 98.5% and the lowest block rate was 5.6%
- Protection improved over time; the most consistent products provided the best protection against phishing and malware.
Email, instant messages, SMS messages and links on social networking sites are used by criminals to lure victims to download and install malware disguised as legitimate software (a.k.a. socially engineered malware). Once the malware is installed, victims are subjected to identity theft, bank account compromise, and other devastating consequences.
Those same techniques are also used for phishing attacks, where victims are lured to websites impersonating banking, social media, charity, payroll, and other legitimate websites; victims are then tricked into providing passwords, credit card and bank account numbers, and other private information.
In addition, landing pages (URLs) of phishing websites are another way attackers exploit victims’ computers and silently install malicious software.
Protecting against malware and phishing
The ability to warn potential victims that they are about to stray onto a malicious website puts web browsers in a unique position to combat phishing, malware, and other criminal attacks.
To protect against malware and phishing attacks, browsers use cloud-based reputation systems that scour the internet for malicious websites and then categorize content accordingly, either by adding it to blocklists or whitelists, or by assigning it a score.
“As a result of the COVID-19 pandemic, employees have been forced to work from home and now have unprecedented remote access to corporate resources. Threat actors are shifting tactics to target these remote employees who may not benefit from corporate protection. This makes the protection offered by web browsers more important than ever,” said Vikram Phatak, founder of NSS Labs.
- Google Chrome – version 81.0.4044.113 – 81.0.4044.138
- Microsoft Edge – version 83.0.478.10 – 84.0.516.1
- Mozilla Firefox – version 75.0 – 76.0.1
- Opera – version 67.0.3575.137 – 68.0.3618.125
Tracking of our browsing behavior is part of the daily routine of internet use. Companies use it to adapt ads to the personal needs of potential clients or to measure their reach. Many providers of tracking services advertise secure data protection by generalizing datasets and anonymizing data in this way.
Tracking services collect large amounts of data of internet users. These data include the websites accessed, but also information on the end devices used, the time of access (timestamp) or location information.
“As these data are highly sensitive and have a high personal reference, many companies use generalization to apparently anonymize them and to bypass data security regulations,” says Professor Thorsten Strufe, Head of the “Practical IT Security” Research Group of KIT.
By means of generalization, the level of detail of the information is reduced, such that identification of individuals is supposed to be impossible. For example, location information is restricted to the region, the time of access is limited to the day, or the IP address is truncated by a few digits.
Strufe, together with his team and colleagues at TUD, has now studied whether this method really allows no conclusions to be drawn with respect to the individual.
With the help of a large volume of metadata from German websites with 66 million users and over 2 billion page views, the computer scientists succeeded in drawing conclusions not only with respect to the websites accessed, but also with respect to the chains of page views, the so-called click traces. The data were made available by INFOnline, an institution measuring online audience reach in Germany.
The course of page views is of high importance
“To test the effectiveness of generalization, we analyzed two application scenarios,” Strufe says. “First, we checked all click traces for uniqueness. If a click trace, that is the course of several successive page views, can be distinguished clearly from others, it is no longer anonymous.”
It was found that information on the website accessed and the browser used has to be removed completely from the data to prevent conclusions from being drawn with respect to persons.
“The data will only become anonymous, when the sequences of single clicks are shortened, which means that they are stored without any context, or when all information, except for the timestamp, is removed,” Strufe says.
“Even if the domain, the allocation to a subject, such as politics or sports, and the time are stored on a daily basis only, 35 to 40 percent of the data can be assigned to individuals.” For this scenario, the researchers found that generalization does not correspond to the definition of anonymity.
A few observations are sufficient to identify user profiles
In addition, the researchers checked whether even subsets of a click trace allow conclusions to be drawn with respect to individuals.
“We linked the generalized information from the database to other observations, such as links shared on social media or in chats. If, for example, the time is generalized precisely to the minute, one observation is sufficient to clearly assign 20 percent of the click traces to a person,” says Clemens Deusser, doctoral researcher of Strufe’s team, who was largely involved in the study.
“Another two observations increase the success to more than 50 percent. Then, it is easily obvious from the database which other websites were accessed by the person and which contents were viewed.” Even if the timestamp is stored with the precision of a day, only five additional observations are needed to identify the person.
“Our results suggest that simple generalization is not suited for effectively anonymizing web tracking data. The data remain sharp to the person and anonymization is ineffective. To reach effective data protection, methods extending far beyond have to be applied, such as noise by the random insertion of minor misobservations into the data,” Strufe recommends.
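As an added example (not code from Mozilla, KIT or this article), the script below generalizes constructed click traces the way the two studies above describe (timestamp bucketed to the day or minute, IP truncated to a /24, domain replaced by a subject), then measures how many users' traces remain unique and how many users can be singled out from one or two observed clicks. All records, domains, IPs and subject categories are constructed sample data, and the specific generalization parameters are assumptions standing in for the steps the page mentions.

```python
"""Uniqueness and linkability of generalized click traces.

Added example, not code from Mozilla, KIT or the original article.
The records below are constructed sample data, not a real dataset.
"""
from collections import Counter
from datetime import datetime
from ipaddress import ip_network

# Constructed records: (user, timestamp, domain, client IP). u1/u2 and u4/u5
# are "similar" users who visit the same sites at nearly the same times.
TRACES = [
    ("u1", "2020-06-01T08:02:00", "news.example", "203.0.113.10"),
    ("u1", "2020-06-01T08:05:00", "sport.example", "203.0.113.10"),
    ("u1", "2020-06-02T19:30:00", "bank.example", "203.0.113.10"),
    ("u2", "2020-06-01T08:02:00", "news.example", "203.0.113.44"),
    ("u2", "2020-06-01T08:07:00", "sport.example", "203.0.113.44"),
    ("u2", "2020-06-02T19:31:00", "bank.example", "203.0.113.44"),
    ("u3", "2020-06-01T12:00:00", "news.example", "198.51.100.7"),
    ("u3", "2020-06-01T12:10:00", "politics.example", "198.51.100.7"),
    ("u4", "2020-06-03T09:00:00", "sport.example", "198.51.100.9"),
    ("u4", "2020-06-03T09:20:00", "shop.example", "198.51.100.9"),
    ("u5", "2020-06-03T09:01:00", "sport.example", "198.51.100.120"),
    ("u5", "2020-06-03T09:25:00", "shop.example", "198.51.100.120"),
]

# Constructed subject allocation, used when the domain itself is generalized away.
CATEGORY = {"news.example": "news", "politics.example": "news",
            "sport.example": "sport", "bank.example": "finance",
            "shop.example": "shopping"}


def generalize(record, time_granularity="day", prefix_len=24, keep_domain=False):
    """Reduce one click to (time bucket, site or subject, truncated IP prefix)."""
    _, ts, domain, ip = record
    t = datetime.fromisoformat(ts)
    fmt = "%Y-%m-%d" if time_granularity == "day" else "%Y-%m-%dT%H:%M"
    site = domain if keep_domain else CATEGORY.get(domain, "other")
    net = str(ip_network(f"{ip}/{prefix_len}", strict=False))
    return (t.strftime(fmt), site, net)


def build_profiles(records, **options):
    """Map each user to the ordered sequence of their generalized clicks."""
    profiles = {}
    for rec in sorted(records, key=lambda r: (r[0], r[1])):
        profiles.setdefault(rec[0], []).append(generalize(rec, **options))
    return {user: tuple(trace) for user, trace in profiles.items()}


def uniqueness(profiles):
    """Fraction of users whose whole generalized trace occurs only once."""
    counts = Counter(profiles.values())
    return sum(1 for t in profiles.values() if counts[t] == 1) / len(profiles)


def candidates(profiles, observations):
    """Users whose trace contains every observed click (the linking step)."""
    return {u for u, t in profiles.items() if all(o in t for o in observations)}


def reidentification_rate(profiles, k):
    """Fraction of users singled out by their first k observed clicks."""
    hits = sum(1 for t in profiles.values()
               if len(candidates(profiles, t[:k])) == 1)
    return hits / len(profiles)


if __name__ == "__main__":
    settings = [("day, /24, subject", {}),
                ("minute, /24, subject", {"time_granularity": "minute"}),
                ("day, full IP, domain", {"prefix_len": 32, "keep_domain": True})]
    for label, opts in settings:
        p = build_profiles(TRACES, **opts)
        print(f"{label:22s} unique={uniqueness(p):.2f} "
              f"k=1:{reidentification_rate(p, 1):.2f} "
              f"k=2:{reidentification_rate(p, 2):.2f}")
```

Coarsening the timestamp to the day makes the two look-alike pairs indistinguishable no matter how many clicks are observed, while minute precision lets a second observed click single out every user in the sample.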
Google has released version 83 of its popular Chrome web browser, which includes new security and privacy features and fixes for security issues.
Chrome 83: New and improved security and privacy features
The enhanced Safe Browsing mode will allow users to get a more personalized protection against malicious sites.
“Phishing sites rotate domains very quickly to avoid being blocked, and malware campaigns are directly targeting at-risk users,” Google explained.
“Turning on Enhanced Safe Browsing will substantially increase protection from dangerous websites and downloads. By sharing real-time data with Google Safe Browsing, Chrome can proactively protect you against dangerous sites. If you’re signed in, Chrome and other Google apps you use (Gmail, Drive, etc.) will be able to provide improved protection based on a holistic view of threats you encounter on the web and attacks against your Google Account.”
A new Safety Check option allows users to scan their Chrome installation and show whether the browser is up to date, whether the Safe Browsing service is on, whether potentially harmful extensions have been installed, and whether any of the passwords the user uses has been compromised in a known breach.
New cookie controls and settings – from now on, users will be able to delete cookies on a per-site basis and block third-party cookies while using Chrome’s Incognito mode (aka “private browsing” mode).
Secure DNS – built on top of the DNS-over-HTTPS (DoH) protocol.
“When you access a website, your browser first needs to determine which server is hosting it, using a step known as a ‘DNS (Domain Name System) lookup.’ Chrome’s Secure DNS feature uses DNS-over-HTTPS to encrypt this step, thereby helping prevent attackers from observing what sites you visit or sending you to phishing websites,” Google noted.
“By default, Chrome will automatically upgrade you to DNS-over-HTTPS if your current service provider supports it. You can also configure a different secure DNS provider in the Advanced security section, or disable the feature altogether.”
Some features have already been rolled out, others will be made available to desktop Chrome users in upcoming weeks.
Bad bot traffic has increased compared to previous years, comprising almost one quarter (24.1%) of all website traffic and most heavily impacting the financial services industry, according to Imperva.
Bad bot traffic increases to highest levels ever
In 2019, bad bot traffic comprised 24.1% of all website traffic, rising 18.1% from the year prior. Good bot traffic consisted of 13.1% of traffic—a 25.1% decrease from 2018—while 62.8% of all website traffic came from humans.
Financial services industry hit hardest by bad bots
Every industry has a unique bot problem ranging from account takeover attacks and credential stuffing to content and price scraping. The top 5 industries with the most bad bot traffic include financial services (47.7%), education (45.7%), IT and services (45.1%), marketplaces (39.8%), and government (37.5%).
Moderate to sophisticated bad bots make up almost three quarters of bad bot traffic
Advanced persistent bots (APBs) continue to plague websites and often avoid detection by cycling through random IP addresses, entering through anonymous proxies, changing their identities, and mimicking human behavior. In 2019, 73.7% of bad bot traffic was APBs.
More than half of bad bots claim to be Google Chrome
Continuing to follow browser popularity trends, bad bots impersonated the Chrome browser 55.4% of the time. The use of data centers declined again in 2019, accounting for 70% of bad bot traffic—down from 73.6% in 2018.
For the third year in a row, the most blocked country is Russia
In 2019, 21.1% of country blocks were Russia, followed closely by China at 19%. Despite this, with most bad bot traffic emanating from data centers, the United States remains the “bad bot superpower” with 45.9% of attacks coming from the country.
“We closely monitor how malicious bots iterate to evade detection and commit a wide range of attacks, and this year’s findings have revealed the next evolution: Bad Bots as-a-Service,” said Kunal Anand, CTO at Imperva.
“Bad Bots as-a-Service is an attempt by bot operators to legitimize their role and appeal to organizations facing increased pressure to stay ahead of competition. It’s critical that businesses spanning all industries learn which threats are most pervasive in their field and take the necessary steps to protect themselves.”
Bad bots interact with applications in the same way a legitimate user would, making them harder to detect and prevent. They enable high-speed abuse, misuse, and attacks on websites, mobile apps, and APIs. They allow bot operators, attackers, unsavory competitors, and fraudsters to perform a wide array of malicious activities.
Such activities include web scraping, competitive data mining, personal and financial data harvesting, brute-force login, digital ad fraud, spam, transaction fraud, and more.
Avast has released an Android version of Avast Secure Browser to extend its platform support beyond Windows and Mac on desktop to mobile.
Avast Secure Browser for Android
Avast Secure Browser for Android was developed following Avast’s 2019 acquisition of Tenta, a private browser backed by Blockchain pioneers ConsenSys, and has been built from the ground up by privacy and cybersecurity engineers focused on total encryption.
At its core is strong encryption including AES-256, ChaCha 256-bit, and the latest TLS/SSL cryptographic protocols for the data transport layer. To ensure that user DNS requests are kept private and secure, Avast Secure Browser for Android supports multiple DNS options straight out of the box, such as DNS over TLS, DNSSEC and decentralized DNS support.
Security and privacy features
Additional built-in security and privacy features available with Avast Secure Browser for Android include:
- A VPN that encrypts all inbound and outbound connections to the VPN location
- A user PIN code for device access that is never stored on any server nor on the device itself
- Anti-tracking technologies used to prevent websites, advertisers and other web services from tracking online activity
- Adblock integration to improve website load time
- An encrypted media vault.
“Our goal is to be the first all-in-one browser to secure our users’ privacy along with a frictionless secure browsing experience. Adding support for mobile is another milestone in our journey towards this long-term goal,” said Scott Curtiss, VP and General Manager of Avast Secure Browser.
Mobile threats increase
In early March, Avast Threat Lab researchers found that the increasing use of mobile devices around the globe is fueling the growth of mobile-related malware. To date, 131 COVID-19 related apps have been detected as malicious through Avast’s apklab.io platform as cybercriminals look to exploit the pandemic using social engineering tactics.
According to statistics gathered by the Avast researchers between October and December 2019, adware (software that hijacks user devices to spam them with malicious ads) is responsible for 72% of mobile malware, with the remaining 28% of threats linked to banking trojans, fake apps, lockers and downloaders.
“There is still a perception among many consumers that on mobile, internet and browser-based threats do not exist,” said Curtiss. “This is not the case. Mobile is a lucrative platform for cybercriminals because of its majority market share versus desktop and higher levels of internet traffic. In the past 12 months, we’ve seen adware rise by 38% on Android.”
Later this year, the mobile version of Avast Secure Browser will be made available on iOS. Avast Secure Browser is currently compatible with Windows 10, 8 and 7, Android and macOS.
A powerful new approach to securing web browsers is getting its first real-world application in the Firefox browser.
Developed by a team of researchers from The University of Texas at Austin, the University of California San Diego, Stanford University and Mozilla, the approach shifts some of the browser code into “secure sandboxes” that prevent malicious code from taking over the user’s computer.
The new approach is now part of a test release of the Firefox browser for the Linux operating system and could be available on Windows and MacOS platforms within a few months.
How does it work?
Web browsers use libraries of code to do common activities — such as rendering media files including photos, videos and audio — but these libraries often have unreported bugs that can be exploited by hackers to take control of a computer.
“Modern browsers are the nightmare scenario for security,” said Hovav Shacham, professor of computer science at UT Austin and co-author of a related paper accepted for presentation at a computer security conference to be held this August.
“They have every feature imaginable. The more features you have, the more bugs there are. And the more bugs there are, the more chances an attacker has to compromise people’s devices. Attackers love attacking browsers, and they really understand how to do it.”
To prevent hackers from exploiting these vulnerabilities, the researchers are adapting WebAssembly, a security mechanism originally designed to speed up web applications that run within a browser while keeping those applications within “secure sandboxes” that prevent malicious code from taking over the user’s computer.
Applications that take advantage of WebAssembly include games and apps that perform music streaming, video editing, encryption and image recognition. In the researchers’ new approach, some of the browser’s own internal components — those responsible for the decoding of media files — would be shifted into WebAssembly sandboxes.
Full release versions are expected
The new approach will initially be applied to a test version of Firefox for the Linux operating system and will secure just one rendering library used for certain fonts.
Assuming the initial tests go well, the team expects the approach will be gradually expanded to include stable, full release versions of the browser on all major operating systems. They also anticipate future expansion will include other components involved in rendering media files.
“If the initial tests go well, then Firefox could apply this to all the image, video and audio formats that the browser supports,” Shacham said. “The hope is that at some point, bugs in all of those libraries become useless for hacking Firefox. And if that happens, then user security would be greatly improved.”
Over time, as more parts of the browser get these improvements and are incorporated into versions on more operating systems, it could improve security for millions of users worldwide. There are roughly 250 million monthly active users of the Firefox browser on desktop computers.
“Defects happen,” said Eric Rescorla, Firefox CTO at Mozilla. “To keep our users secure on the internet, we need to ensure that a single programming error cannot easily compromise the browser. To date the industry’s approach to this problem has been very coarse-grained, which limits its effectiveness. We’re very excited to bring the new level of isolation provided by RLBox to our users.”
You can read more about this project from Mozilla’s Hacks Blog.
ACROS Security has released a micropatch that implements the workaround for a recently revealed actively exploited zero-day RCE flaw affecting Internet Explorer (CVE-2020-0674).
Remote code execution vulnerability affecting IE
Last Friday, Microsoft released an out-of-band security advisory notifying Internet Explorer users of a remote code execution vulnerability affecting IE 11, 10 and 9 on various versions of Windows and Windows Server, which they know is being exploited in “limited targeted attacks”.
Flagged by researchers from Qihoo 360 and Google’s Threat Analysis Group, the flaw has been filed under CVE-2020-0674, but no fix was released.
“Microsoft is aware of this vulnerability and working on a fix. Our standard policy is to release security updates on Update Tuesday, the second Tuesday of each month. This predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers,” the company explained, and offered information on mitigations and a temporary workaround.
Microsoft advised admins to implement the offered mitigation steps only if there is indication that the systems they are administering are under elevated risk.
“If you implement the workaround, you will need to revert the mitigation steps before installing any future updates to continue to be protected,” the company pointed out.
Also, the workaround changes the ownership of the vulnerable JScript.dll, which has to be reverted again when the workaround is undone (before patching).
“This workaround has an expected negative side effect that if you’re using a web application that employs legacy JScript (and can as such only be used with Internet Explorer), this application will no longer work in your browser,” explained Mitja Kolsek, CEO of Acros Security and co-founder at 0patch, a solution that aims to provide fixes for zero-days, unpatched vulnerabilities, end-of-life and unsupported products, legacy operating systems, vulnerable third-party components and customized software.
Since the February Patch Tuesday is quite a while away and since Windows 7 and Windows Server 2008 R2 users without Extended Security Updates might not get the patch at all, ACROS Security decided to provide a micropatch that simulates the offered workaround (restricts access to the vulnerable JScript.dll) without its negative side effects (reduced functionality for components or features that rely on that particular .dll).
The company has ported the micropatch to Windows 7, Windows 10, Windows Server 2008 R2 and Windows Server 2019 (both 32-bit and 64-bit).
Those who already use 0patch can implement the micropatch immediately and remove it easily when Microsoft finally provides a patch (although, Microsoft’s patch will have precedence over the micropatch, so even removing it is not actually required).