Google fixes two actively exploited Chrome zero-days (CVE-2020-16009, CVE-2020-16010)

For the third time in two weeks, Google has patched Chrome zero-day vulnerabilities that are being actively exploited in the wild: CVE-2020-16009 is present in the desktop version of the browser, CVE-2020-16010 in the mobile (Android) version.

About the vulnerabilities (CVE-2020-16009, CVE-2020-16010)

As per usual, Google has refrained from sharing much detail about each of the patched vulnerabilities, so all we know is this: CVE-2020-16009 is an inappropriate implementation flaw in V8, Chrome’s open source … More

The post Google fixes two actively exploited Chrome zero-days (CVE-2020-16009, CVE-2020-16010) appeared first on Help Net Security.

Safari, other mobile browsers affected by address bar spoofing flaws

Security researcher Rafay Baloch has discovered address bar spoofing vulnerabilities in several mobile browsers, which could allow attackers to trick users into sharing sensitive information through legitimate-looking phishing sites.


“With ever growing sophistication of spear phishing attacks, exploitation of browser-based vulnerabilities such as address bar spoofing may exacerbate the success of spear phishing attacks and hence prove to be very lethal,” he noted.

“First and foremost, it is easy to persuade the victim into stealing credentials or distributing malware when the address bar points to a trusted website and giving no indicators of forgery, secondly since the vulnerability exploits a specific feature in a browser, it can evade several anti-phishing schemes and solutions.”

The address bar spoofing vulnerabilities and affected mobile browsers

Unlike desktop browsers, mobile browsers are not great at showing security indicators that might point to a site’s malicious nature. In fact, pretty much the only consistent indicator is the address bar (i.e. a suspicious-looking URL in it).

So if the attacker is able to spoof the URL and show the one the user expects – for example, apple.com for a phishing site that impersonates Apple – chances are good the user will enter their login credentials into it. The vulnerabilities discovered by Baloch permit exactly that, and affect the:

  • UC Browser, Opera Mini, Yandex Browser and RITS Browser for Android
  • Opera Touch, Bolt Browser and Safari for iOS

“Exploitation all comes down to ‘Javascript shenanigans’,” noted Rapid7’s Tod Beardsley, who helped Baloch disclose the flaws to the developers of the affected browsers.

“By messing with the timing between page loads and when the browser gets a chance to refresh the address bar, an attacker can cause either a pop-up to appear to come from an arbitrary website or can render content in the browser window that falsely appears to come from an arbitrary website.”

Fixes for some, not for others

As 60+ days have passed since the vendors were apprised of the existence of the flaws, Baloch released some details and several PoC exploits.

In the meantime:

  • Apple and Yandex pushed out fixes
  • Opera released security updates for Opera Touch and is expected to do the same for Opera Mini in early November
  • Raise IT Solutions planned to release a fix for the RITS Browser this week, but hasn’t yet
  • UCWeb (the creators of the UC Browser) haven’t responded to the report, and it’s doubtful whether the creator of the Bolt Browser knows about the vulnerabilities, as they haven’t been able to contact him (the disclosure notification bounced when sent to the support email listed)

Users should implement the offered updates (if they don’t have the “auto-update” option switched on). Those who use browsers that still don’t have fixes available might want to consider switching to a browser that’s more actively developed/patched.

But all should be extra careful when thinking about clicking on links received via text or email from unknown sources. These flaws have been remediated, but other similar ones will surely be discovered in the future – let’s just hope it’s by researchers, and not attackers.

Google aims to improve security of browser engines, third-party Android devices and apps on Google Play

Google has announced two new security initiatives: one is aimed at helping bug hunters improve the security of various browsers’ JavaScript engines, the other at helping Android OEMs improve the security of the mobile devices they ship.


Fuzzing JavaScript engines

“JavaScript engine security continues to be critical for user safety, as demonstrated by recent in-the-wild zero-day exploits abusing vulnerabilities in v8, the JavaScript engine behind Chrome. Unfortunately, fuzzing JavaScript engines to uncover these vulnerabilities is generally quite expensive due to their high complexity and relatively slow processing of input,” noted Project Zero’s Samuel Groß.

Researchers must also bear the costs of fuzzing in advance, even though there is no guarantee that their approach will discover any bugs or, if it does, that they’ll receive a reward for finding them. This fact might deter many of them and, consequently, bugs stay unfixed and exploitable for longer.

That’s why Google is offering $5,000 research grants in the form of Google Compute Engine credits.

Interested researchers must submit a proposal with details about their intended approach and the awarded credits must be used for fuzzing JavaScript engines with the approach described in the proposal.

They can fuzz the JavaScriptCore (Safari), v8 (Chrome, Edge), or Spidermonkey (Firefox), and must report the found vulnerabilities to the affected vendor. They must also publicly report on their findings within 6 months of the grant getting awarded.

Helping third parties in the Android ecosystem

The company is also set on improving the security of the Android ecosystem, and to that point it’s launching the Android Partner Vulnerability Initiative (APVI).

“Until recently, we didn’t have a clear way to process Google-discovered security issues outside of AOSP (Android Open Source Project) code that are unique to a much smaller set of specific Android OEMs,” the company explained.

“The APVI […] covers a wide range of issues impacting device code that is not serviced or maintained by Google (these are handled by the Android Security Bulletins).”

Already discovered issues and those yet to be unearthed have been/will be shared through this bug tracker.

Simultaneously, the company is looking for a Security Engineering Manager in Android Security who will, among other things, lead a team that “will perform application security assessments against highly sensitive, third party Android apps on Google Play, working to identify vulnerabilities and provide remediation guidance to impacted application developers.”

Confirmed: Browsing histories can be used to track users

Browsing histories can be used to compile unique browsing profiles, which can be used to track users, Mozilla researchers have confirmed.


There are also many third parties pervasive enough to gather web histories sufficient to leverage browsing history as an identifier.

The research

This is not the first time that researchers have demonstrated that browsing profiles are distinctive and stable enough to be used as identifiers.

Sarah Bird, Ilana Segall and Martin Lopatka were spurred to reproduce the results set forth in a 2012 paper by Lukasz Olejnik, Claude Castelluccia, and Artur Janc, by using more refined data, and they’ve extended that work to detail the privacy risk posed by the aggregation of browsing histories.

The Mozillians collected browsing data from ~52,000 Firefox users for 7 calendar days, then paused for 7 days, and then resumed for an additional 7 days. After analyzing the collected data, they identified 48,919 distinct browsing profiles, of which 99% are unique. (The original paper observed a set of ~400,000 web history profiles, of which 94% were unique.)

“High uniqueness holds even when histories are truncated to just 100 top sites. We then find that for users who visited 50 or more distinct domains in the two-week data collection period, ~50% can be reidentified using the top 10k sites. Reidentifiability rose to over 80% for users that browsed 150 or more distinct domains,” they noted.

They also confirmed that browsing history profiles are stable through time – a second prerequisite for these profiles being repeatedly tied to specific users/consumers and used for online tracking.

“Our reidentifiability rates in a pool of 1,766 were below 10% for 100 sites despite a >90% profile uniqueness across datasets, but increased to ~80% when we consider 10,000 sites,” they added.
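To make the two measurements above concrete (profile uniqueness, and reidentification of a later observation period against an earlier one, with and without truncating histories to a fixed set of top sites), here is an added example in Python. It is not the Mozilla researchers’ code, and the four two-period histories it works on are constructed for illustration; the similarity measure (Jaccard overlap of domain sets, with ties counted as a miss) is an assumption, not the paper’s method.

```python
# Added example (not from the Mozilla paper): measure how unique browsing-history
# profiles are and how often a profile from one observation period can be matched
# back to the same user in a later period. All histories below are constructed.
from collections import Counter

# Constructed histories: user -> (domains visited in period 1, domains visited in period 2).
HISTORIES = {
    "u1": (["news.example", "mail.example", "shop.example", "wiki.example"],
           ["news.example", "mail.example", "wiki.example", "maps.example"]),
    "u2": (["news.example", "mail.example", "video.example"],
           ["news.example", "video.example", "mail.example"]),
    "u3": (["news.example", "mail.example", "video.example"],   # same as u2 -> not unique
           ["news.example", "mail.example"]),
    "u4": (["dev.example", "wiki.example", "git.example", "chat.example"],
           ["dev.example", "git.example", "chat.example", "news.example"]),
}

def profile(domains, top_sites=None):
    """Reduce a history to a set of domains, optionally keeping only those in a
    fixed 'top sites' vocabulary (the paper truncates histories to the top-k sites)."""
    return frozenset(d for d in domains if top_sites is None or d in top_sites)

def uniqueness(profiles):
    """Fraction of profiles that no other user shares exactly."""
    counts = Counter(profiles.values())
    return sum(1 for p in profiles.values() if counts[p] == 1) / len(profiles)

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def reidentify(period1, period2):
    """For each period-2 profile, pick the period-1 profile with the highest Jaccard
    similarity. A user counts as reidentified only if the best match is unique and correct."""
    hits = 0
    for user, p2 in period2.items():
        scores = sorted(((jaccard(p1, p2), u) for u, p1 in period1.items()), reverse=True)
        best_score, best_user = scores[0]
        tie = len(scores) > 1 and scores[1][0] == best_score
        if best_user == user and not tie:
            hits += 1
    return hits / len(period2)

def run(top_sites=None):
    """Return (uniqueness of period-1 profiles, reidentification rate of period 2)."""
    p1 = {u: profile(h[0], top_sites) for u, h in HISTORIES.items()}
    p2 = {u: profile(h[1], top_sites) for u, h in HISTORIES.items()}
    return uniqueness(p1), reidentify(p1, p2)

if __name__ == "__main__":
    print("full histories:", run())
    print("top-2 sites only:", run(frozenset({"news.example", "mail.example"})))
```

On the constructed data, full histories give 50% uniqueness and 50% reidentification (u2 and u3 are indistinguishable), while truncating to a two-site vocabulary drops reidentification to zero; the paper’s point is that with real histories and a 10,000-site vocabulary the rate stays high.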

Finally, some corporate entities like Alphabet (Google) and Facebook are able to observe the web to an even greater extent than when the research for the 2012 paper was conducted, which may allow them to gain deep visibility into browsing activity and use that visibility for effective online tracking – even if users use different devices to browse the internet.


Other recent research has shown that anonymization of browsing patterns/profile through generalization does not sufficiently protect users’ anonymity.

Regulation is needed

Privacy researcher Lukasz Olejnik, one of the authors of the 2012 paper, noted that the findings of this newest research are a welcome confirmation that web browsing histories are personal data that can reveal insight about the user or be used to track users.

“In some ways, browsing histories resemble biometric-like data due to their uniqueness and stability,” he commented, and pointed out that, since this data allows the singling out of individuals from among many, it automatically comes under the General Data Protection Regulation (GDPR).

“Web browsing histories are private data, and in certain contexts, they are personal data. Now the state of the art in research indicates this. Technology should follow. So too should the regulations and standards in the data processing. As well as enforcement,” he concluded.

How secure is your web browser?

NSS Labs released the results of its web browser security test after testing Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera, for phishing protection and malware protection.


Key takeaways

  • Phishing protection rates ranged from 79.2% to 95.5%
  • For malware, the highest block rate was 98.5% and the lowest block rate was 5.6%
  • Protection improved over time; the most consistent products provided the best protection against phishing and malware.

Email, instant messages, SMS messages and links on social networking sites are used by criminals to lure victims to download and install malware disguised as legitimate software (a.k.a. socially engineered malware). Once the malware is installed, victims are subjected to identity theft, bank account compromise, and other devastating consequences.

Those same techniques are also used for phishing attacks, where victims are lured to websites impersonating banking, social media, charity, payroll, and other legitimate websites; victims are then tricked into providing passwords, credit card and bank account numbers, and other private information.

In addition, landing pages (URLs) from phishing websites are another way attackers exploit victim’s computers and silently install malicious software.

Protecting against malware and phishing

The ability to warn potential victims that they are about to stray onto a malicious website puts web browsers in a unique position to combat phishing, malware, and other criminal attacks.

To protect against malware and phishing attacks, browsers use cloud-based reputation systems that scour the internet for malicious websites and then categorize content accordingly, either by adding it to blocklists or whitelists, or by assigning it a score.

“As a result of the COVID-19 pandemic, employees have been forced to work from home and now have unprecedented remote access to corporate resources. Threat actors are shifting tactics to target these remote employees who may not benefit from corporate protection. This makes the protection offered by web browsers more important than ever,” said Vikram Phatak, founder of NSS Labs.

Tested browsers

  • Google Chrome – version 81.0.4044.113 – 81.0.4044.138
  • Microsoft Edge – version 83.0.478.10 – 84.0.516.1
  • Mozilla Firefox – version 75.0 – 76.0.1
  • Opera – version 67.0.3575.137 – 68.0.3618.125

Does a generalization of tracking data cover up our traces on the internet?

Tracking of our browsing behavior is part of the daily routine of internet use. Companies use it to adapt ads to the personal needs of potential clients or to measure their reach. Many providers of tracking services advertise secure data protection by generalizing datasets and anonymizing data in this way.


Data generalization

Computer scientists of Karlsruhe Institute of Technology (KIT) and Technische Universität Dresden (TUD) have now studied how secure this method is.

Tracking services collect large amounts of data of internet users. These data include the websites accessed, but also information on the end devices used, the time of access (timestamp) or location information.

“As these data are highly sensitive and have a high personal reference, many companies use generalization to apparently anonymize them and to bypass data security regulations,” says Professor Thorsten Strufe, Head of the “Practical IT Security” Research Group of KIT.

By means of generalization, the level of detail of the information is reduced, such that identification of individuals is supposed to be impossible. For example, location information is restricted to the region, the time of access is limited to the day, or the IP address is truncated by a few digits.

Strufe, together with his team and colleagues of TUD, have now studied whether this method really allows no conclusions to be drawn with respect to the individual.

With the help of a large volume of metadata from German websites with 66 million users and over 2 billion page views, the computer scientists succeeded in drawing conclusions not only with respect to the websites accessed, but also with respect to the chains of page views, the so-called click traces. The data were made available by INFOnline, the organization that measures online audience reach in Germany.

The course of page views is of high importance

“To test the effectiveness of generalization, we analyzed two application scenarios,” Strufe says. “First, we checked all click traces for uniqueness. If a click trace, that is the course of several successive page views, can be distinguished clearly from others, it is no longer anonymous.”

It was found that information on the website accessed and the browser used has to be removed completely from the data to prevent conclusions to be drawn with respect to persons.

“The data will only become anonymous, when the sequences of single clicks are shortened, which means that they are stored without any context, or when all information, except for the timestamp, is removed,” Strufe says.

“Even if the domain, the allocation to a subject, such as politics or sports, and the time are stored on a daily basis only, 35 to 40 percent of the data can be assigned to individuals.” For this scenario, the researchers found that generalization does not correspond to the definition of anonymity.

A few observations are sufficient to identify user profiles

In addition, the researchers checked whether even subsets of a click trace allow conclusions to be drawn with respect to individuals.

“We linked the generalized information from the database to other observations, such as links shared on social media or in chats. If, for example, the time is generalized precisely to the minute, one observation is sufficient to clearly assign 20 percent of the click traces to a person,” says Clemens Deusser, doctoral researcher of Strufe’s team, who was largely involved in the study.

“Another two observations increase the success to more than 50 percent. Then, it is easily obvious from the database which other websites were accessed by the person and which contents were viewed.” Even if the timestamp is stored with the precision of a day, only five additional observations are needed to identify the person.

“Our results suggest that simple generalization is not suited for effectively anonymizing web tracking data. The data remain sharp to the person and anonymization is ineffective. To reach effective data protection, methods extending far beyond have to be applied, such as noise by the random insertion of minor misobservations into the data,” Strufe recommends.
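The two checks the researchers describe (whether generalized click traces are still unique, and how many outside observations are needed to link a generalized trace to one person) can be reproduced on a small scale. The following is an added Python example, not the KIT/TUD code: the tracking records are constructed, and the generalization knobs (day vs. minute timestamps, domain vs. topic, IP truncated to a prefix) are the ones the article names.

```python
# Added example (not from the KIT/TUD study): apply the kinds of generalization the
# article describes to constructed tracking records, then check (1) how many click
# traces remain unique and (2) how many observations an adversary needs to link a
# generalized trace back to one person. All records are constructed.
from collections import Counter, defaultdict
from datetime import datetime

# Constructed raw tracking records: (user_id, timestamp, domain, topic, ip)
RECORDS = [
    ("alice", "2020-03-02 08:01", "news.example", "politics", "203.0.113.10"),
    ("alice", "2020-03-02 08:03", "sport.example", "sports", "203.0.113.10"),
    ("alice", "2020-03-02 08:07", "shop.example", "shopping", "203.0.113.10"),
    ("bob",   "2020-03-02 08:01", "news.example", "politics", "203.0.113.77"),
    ("bob",   "2020-03-02 08:05", "sport.example", "sports", "203.0.113.77"),
    ("bob",   "2020-03-02 08:09", "shop.example", "shopping", "203.0.113.77"),
    ("carol", "2020-03-02 21:30", "news.example", "politics", "198.51.100.5"),
    ("carol", "2020-03-02 21:31", "sport.example", "sports", "198.51.100.5"),
    ("carol", "2020-03-02 21:40", "shop.example", "shopping", "198.51.100.5"),
    ("dave",  "2020-03-03 09:00", "dev.example", "tech", "198.51.100.9"),
    ("dave",  "2020-03-03 09:02", "news.example", "politics", "198.51.100.9"),
]

def generalize(record, time_precision="minute", keep_domain=True, ip_prefix=3):
    """Coarsen one record: round the time to minute or day, optionally replace the
    domain by its topic, and truncate the IP to its first `ip_prefix` octets."""
    user, ts, domain, topic, ip = record
    t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
    when = t.strftime("%Y-%m-%d") if time_precision == "day" else t.strftime("%Y-%m-%d %H:%M")
    site = domain if keep_domain else topic
    net = ".".join(ip.split(".")[:ip_prefix])
    return user, (when, site, net)

def click_traces(records, **opts):
    """Group generalized records per user into an ordered click trace."""
    traces = defaultdict(list)
    for rec in records:
        user, g = generalize(rec, **opts)
        traces[user].append(g)
    return {u: tuple(t) for u, t in traces.items()}

def unique_fraction(traces):
    """Share of users whose generalized trace is distinguishable from everyone else's."""
    counts = Counter(traces.values())
    return sum(1 for t in traces.values() if counts[t] == 1) / len(traces)

def link(traces, observations):
    """Given a few externally observed (time, site) pairs for one person (e.g. links
    they shared in a chat), return the users whose trace contains all of them."""
    return sorted(u for u, t in traces.items()
                  if all(any(obs == (when, site) for when, site, _ in t)
                         for obs in observations))

if __name__ == "__main__":
    fine = click_traces(RECORDS)
    coarse = click_traces(RECORDS, time_precision="day", keep_domain=False, ip_prefix=0)
    print("unique (minute, domain, /24):", unique_fraction(fine))
    print("unique (day, topic, no IP):  ", unique_fraction(coarse))
    print("one observation:", link(fine, [("2020-03-02 08:01", "news.example")]))
    print("two observations:", link(fine, [("2020-03-02 08:01", "news.example"),
                                           ("2020-03-02 08:03", "sport.example")]))
```

With minute-level times and domains every trace is unique; coarsening to day and topic leaves only one of four users distinguishable, yet a single minute-precise observation already narrows a trace to two people and a second one pins it to one, which is the effect the researchers describe.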

Chrome 83: Enhanced Safe Browsing, Secure DNS, a Safety Check

Google has released version 83 of its popular Chrome web browser, which includes new security and privacy features and fixes for security issues.

Chrome 83: New and improved security and privacy features

The enhanced Safe Browsing mode will allow users to get a more personalized protection against malicious sites.


“Phishing sites rotate domains very quickly to avoid being blocked, and malware campaigns are directly targeting at-risk users,” Google explained.

“Turning on Enhanced Safe Browsing will substantially increase protection from dangerous websites and downloads. By sharing real-time data with Google Safe Browsing, Chrome can proactively protect you against dangerous sites. If you’re signed in, Chrome and other Google apps you use (Gmail, Drive, etc.) will be able to provide improved protection based on a holistic view of threats you encounter on the web and attacks against your Google Account.”

A new Safety Check option allows users to scan their Chrome installation and show whether the browser is up to date, whether the Safe Browsing service is on, whether potentially harmful extensions have been installed, and whether any of the passwords the user uses has been compromised in a known breach.

New cookie controls and settings – from now on, users will be able to delete cookies on a per-site basis and block third-party cookies while using Chrome’s Incognito mode (aka “private browsing” mode).

Secure DNS – built on top of the DNS-over-HTTPS (DoH) protocol.

“When you access a website, your browser first needs to determine which server is hosting it, using a step known as a ‘DNS (Domain Name System) lookup.’ Chrome’s Secure DNS feature uses DNS-over-HTTPS to encrypt this step, thereby helping prevent attackers from observing what sites you visit or sending you to phishing websites,” Google noted.

“By default, Chrome will automatically upgrade you to DNS-over-HTTPS if your current service provider supports it. You can also configure a different secure DNS provider in the Advanced security section, or disable the feature altogether.”
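What “encrypting this step” means in practice is that the ordinary DNS wire-format query is carried inside an HTTPS request to the resolver (RFC 8484), so an on-path observer sees only TLS to the resolver. The following added Python example, which is not Chrome’s code, builds such a request and parses a wire-format answer; the resolver host `dns.example` and the response bytes are constructed, so nothing touches the network.

```python
# Added example (not Chrome's code): build a DNS-over-HTTPS request (RFC 8484: a DNS
# wire-format query carried in an HTTPS POST with Content-Type application/dns-message)
# and parse the wire-format answer. The resolver name and the response are constructed.
import struct

def encode_name(name):
    """Encode 'www.example.com' as length-prefixed DNS labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_query(name, qtype=1, txid=0):
    """Wire-format query for A (qtype 1) or AAAA (28). RFC 8484 recommends ID 0 over
    DoH so identical queries produce identical bytes, which helps HTTP caching."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN

def doh_request(name, host="dns.example", path="/dns-query"):
    """The HTTP request a DoH client sends (resolver host is an assumption)."""
    body = build_query(name)
    headers = {"Host": host, "Content-Type": "application/dns-message",
               "Accept": "application/dns-message", "Content-Length": str(len(body))}
    return ("POST", path, headers, body)

def read_name(msg, off):
    """Decode a possibly compressed name at `off`; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                 # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off, jumped = ((n & 0x3F) << 8) | msg[off + 1], True
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), (end if jumped else off)

def parse_response(msg):
    """Return (rcode, [(name, type, ttl, rdata_as_text)]) for the answer section."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                       # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            text = ".".join(str(b) for b in rdata)
        elif rtype == 28 and rdlen == 16:
            text = ":".join(f"{rdata[i]:02x}{rdata[i + 1]:02x}" for i in range(0, 16, 2))
        else:
            text = rdata.hex()
        answers.append((name, rtype, ttl, text))
    return flags & 0x000F, answers

# Constructed response: ID 0, flags 0x8180 (response, RD, RA), the question echoed back,
# one A answer whose name is a compression pointer (0xC00C) to the question name,
# TTL 300, address 192.0.2.1 (documentation range).
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    method, path, headers, body = doh_request("www.example.com")
    print(method, path, headers, body.hex())
    print(parse_response(SAMPLE_RESPONSE))
```

The caveat a practitioner should keep in mind: DoH protects the lookup between the browser and the resolver it is configured to trust; the resolver itself still sees every name, and the answer is only as trustworthy as that resolver unless DNSSEC validation is done as well.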


Some features have already been rolled out, others will be made available to desktop Chrome users in upcoming weeks.

Bad bot traffic increases, comprising almost one quarter of all website traffic

Bad bot traffic has increased compared to previous years, comprising almost one quarter (24.1%) of all website traffic and most heavily impacting the financial services industry, according to Imperva.


Bad bot traffic increases to highest levels ever

In 2019, bad bot traffic comprised 24.1% of all website traffic, rising 18.1% from the year prior. Good bot traffic consisted of 13.1% of traffic—a 25.1% decrease from 2018—while 62.8% of all website traffic came from humans.

Financial services industry hit hardest by bad bots

Every industry has a unique bot problem ranging from account takeover attacks and credential stuffing to content and price scraping. The top 5 industries with the most bad bot traffic include financial services (47.7%), education (45.7%), IT and services (45.1%), marketplaces (39.8%), and government (37.5%).

Moderate to sophisticated bad bots make up almost three quarters of bad bot traffic

Advanced persistent bots (APBs) continue to plague websites and often avoid detection by cycling through random IP addresses, entering through anonymous proxies, changing their identities, and mimicking human behavior. In 2019, 73.7% of bad bot traffic was APBs.

More than half of bad bots claim to be Google Chrome

Continuing to follow browser popularity trends, bad bots impersonated the Chrome browser 55.4% of the time. The use of data centers declined again in 2019, accounting for 70% of bad bot traffic—down from 73.6% in 2018.

For the third year in a row, the most blocked country is Russia

In 2019, 21.1% of country blocks were Russia, followed closely by China at 19%. Despite this, with most bad bot traffic emanating from data centers, the United States remains the “bad bot superpower” with 45.9% of attacks coming from the country.

“We closely monitor how malicious bots iterate to evade detection and commit a wide range of attacks, and this year’s findings have revealed the next evolution: Bad Bots as-a-Service,” said Kunal Anand, CTO at Imperva.

“Bad Bots as-a-Service is an attempt by bot operators to legitimize their role and appeal to organizations facing increased pressure to stay ahead of competition. It’s critical that businesses spanning all industries learn which threats are most pervasive in their field and take the necessary steps to protect themselves.”

Bad bots interact with applications in the same way a legitimate user would, making them harder to detect and prevent. They enable high-speed abuse, misuse, and attacks on websites, mobile apps, and APIs. They allow bot operators, attackers, unsavory competitors, and fraudsters to perform a wide array of malicious activities.

Such activities include web scraping, competitive data mining, personal and financial data harvesting, brute-force login, digital ad fraud, spam, transaction fraud, and more.
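The evasion behaviours the report lists (identity rotation from one client, bursts of requests, repeated failed logins from credential stuffing, and user agents that claim to be Chrome) are visible in ordinary web-server logs. The following added Python example, not Imperva’s detection logic, scores constructed log lines for those signals; the log format and the thresholds are assumptions chosen for illustration.

```python
# Added example (not Imperva's detection): score constructed web-server log lines for the
# evasion patterns the report describes: request bursts, User-Agent rotation from one IP
# and repeated failed logins. The log format and all thresholds are assumptions.
import re
from collections import defaultdict

# Constructed log lines: ip [timestamp] "request" status "user-agent"
LOG = """\
203.0.113.5 [02/Mar/2020:10:00:01] "POST /login HTTP/1.1" 401 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36"
203.0.113.5 [02/Mar/2020:10:00:02] "POST /login HTTP/1.1" 401 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36"
203.0.113.5 [02/Mar/2020:10:00:03] "POST /login HTTP/1.1" 401 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36"
203.0.113.5 [02/Mar/2020:10:00:04] "POST /login HTTP/1.1" 401 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36"
203.0.113.5 [02/Mar/2020:10:00:05] "POST /login HTTP/1.1" 401 "Mozilla/5.0 (X11; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0"
203.0.113.5 [02/Mar/2020:10:00:06] "POST /login HTTP/1.1" 401 "Mozilla/5.0 (X11; Linux x86_64; rv:73.0) Gecko/20100101 Firefox/73.0"
198.51.100.7 [02/Mar/2020:10:00:09] "GET / HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36"
198.51.100.7 [02/Mar/2020:10:00:41] "GET /products HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36"
192.0.2.44 [02/Mar/2020:10:01:10] "POST /login HTTP/1.1" 401 "Mozilla/5.0 (iPhone; CPU iPhone OS 13_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Mobile/15E148 Safari/604.1"
192.0.2.44 [02/Mar/2020:10:01:25] "POST /login HTTP/1.1" 200 "Mozilla/5.0 (iPhone; CPU iPhone OS 13_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Mobile/15E148 Safari/604.1"
"""

LINE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                  r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$')

def parse(log):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield m.groupdict()

def score_clients(log, rate_limit=5, ua_limit=3, fail_limit=3):
    """Per source IP: flag a per-minute burst above rate_limit, ua_limit or more distinct
    User-Agents (identity rotation), and fail_limit or more failed logins (credential stuffing)."""
    per_ip = defaultdict(lambda: {"uas": set(), "login_failures": 0, "minutes": defaultdict(int)})
    for r in parse(log):
        c = per_ip[r["ip"]]
        c["uas"].add(r["ua"])
        c["minutes"][r["ts"][:17]] += 1          # '02/Mar/2020:10:00' -> per-minute bucket
        if r["method"] == "POST" and r["path"] == "/login" and r["status"] == "401":
            c["login_failures"] += 1
    findings = {}
    for ip, c in per_ip.items():
        flags = []
        if max(c["minutes"].values()) > rate_limit:
            flags.append("burst")
        if len(c["uas"]) >= ua_limit:
            flags.append("ua_rotation")
        if c["login_failures"] >= fail_limit:
            flags.append("credential_stuffing")
        if flags:
            findings[ip] = flags
    return findings

def chrome_share(log):
    """Fraction of requests whose User-Agent claims to be Chrome (the report's 55.4% figure
    is this ratio over bad-bot traffic only)."""
    rows = list(parse(log))
    return sum(1 for r in rows if "Chrome/" in r["ua"]) / len(rows)

if __name__ == "__main__":
    print(score_clients(LOG))
    print("claims Chrome:", chrome_share(LOG))
```

Only 203.0.113.5 trips all three signals on the constructed data; the genuine-looking iPhone client with one failed login and the two-request Chrome visitor are left alone, which is the false-positive budget a rule like this has to respect in production.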

Avast Secure Browser for Android released, includes a built-in VPN

Avast has released an Android version of Avast Secure Browser to extend its platform support beyond Windows and Mac on desktop to mobile.


Avast Secure Browser for Android

Avast Secure Browser for Android was developed following Avast’s 2019 acquisition of Tenta, a private browser backed by Blockchain pioneers ConsenSys, and has been built from the ground up by privacy and cybersecurity engineers focused on total encryption.

At its core is strong encryption including AES-256, ChaCha 256-bit, and the latest TLS/SSL cryptographic protocols for the data transport layer. To ensure that user DNS requests are kept private and secure, Avast Secure Browser for Android supports multiple DNS options straight out of the box, such as DNS over TLS, DNSSEC and decentralized DNS support.

Security and privacy features

Additional built-in security and privacy features available with Avast Secure Browser for Android include:

  • A VPN that encrypts all inbound and outbound connections to the VPN location
  • A user PIN code for device access that is never stored on any server nor on the device itself
  • Anti-tracking technologies used to prevent websites, advertisers and other web services from tracking online activity
  • Adblock integration to improve website load time
  • An encrypted media vault.

“Our goal is to be the first all-in-one browser to secure our users’ privacy along with a frictionless secure browsing experience. Adding support for mobile is another milestone in our journey towards this long-term goal,” said Scott Curtiss, VP and General Manager of Avast Secure Browser.

Mobile threats increase

In early March, Avast Threat Lab researchers found that the increasing use of mobile devices around the globe is fueling the growth of mobile-related malware. To date, 131 COVID-19 related apps have been detected as malicious through Avast’s apklab.io platform as cybercriminals look to exploit the pandemic using social engineering tactics.

According to statistics gathered by the Avast researchers between October and December 2019, adware (software that hijacks user devices to spam them with malicious ads) is responsible for 72% of mobile malware, with the remaining 28% of threats linked to banking trojans, fake apps, lockers and downloaders.

“There is still a perception among many consumers that on mobile, internet and browser-based threats do not exist,” said Curtiss. “This is not the case. Mobile is a lucrative platform for cybercriminals because of its majority market share versus desktop and higher levels of internet traffic. In the past 12 months, we’ve seen adware rise by 38% on Android.”

Later this year, the mobile version of Avast Secure Browser will be made available on iOS. Avast Secure Browser is currently compatible with Windows 10, 8 and 7, Android and macOS.

A new way for securing web browsers from hackers

A powerful new approach to securing web browsers is getting its first real-world application in the Firefox browser.

Developed by a team of researchers from The University of Texas at Austin, the University of California San Diego, Stanford University and Mozilla, the approach shifts some of the browser code into “secure sandboxes” that prevent malicious code from taking over the user’s computer.

The new approach is now part of a test release of the Firefox browser for the Linux operating system and could be available on Windows and MacOS platforms within a few months.

How does it work?

Web browsers use libraries of code to do common activities — such as rendering media files including photos, videos and audio — but these libraries often have unreported bugs that can be exploited by hackers to take control of a computer.

“Modern browsers are the nightmare scenario for security,” said Hovav Shacham, professor of computer science at UT Austin and co-author of a related paper accepted for presentation at a computer security conference to be held this August.

“They have every feature imaginable. The more features you have, the more bugs there are. And the more bugs there are, the more chances an attacker has to compromise people’s devices. Attackers love attacking browsers, and they really understand how to do it.”

To prevent hackers from exploiting these vulnerabilities, the researchers are adapting WebAssembly, a security mechanism originally designed to speed up web applications that run within a browser while keeping those applications within “secure sandboxes” that prevent malicious code from taking over the user’s computer.

Applications that take advantage of WebAssembly include games and apps that perform music streaming, video editing, encryption and image recognition. In the researchers’ new approach, some of the browser’s own internal components — those responsible for the decoding of media files — would be shifted into WebAssembly sandboxes.

Full release versions are expected

The new approach will initially be applied to a test version of Firefox for the Linux operating system and will secure just one rendering library used for certain fonts.

Assuming the initial tests go well, the team expects the approach will be gradually expanded to include stable, full release versions of the browser on all major operating systems. They also anticipate future expansion will include other components involved in rendering media files.

“If the initial tests go well, then Firefox could apply this to all the image, video and audio formats that the browser supports,” Shacham said. “The hope is that at some point, bugs in all of those libraries become useless for hacking Firefox. And if that happens, then user security would be greatly improved.”

Over time, as more parts of the browser get these improvements and are incorporated into versions on more operating systems, it could improve security for millions of users worldwide. There are roughly 250 million monthly active users of the Firefox browser on desktop computers.

“Defects happen,” said Eric Rescorla, Firefox CTO at Mozilla. “To keep our users secure on the internet, we need to ensure that a single programming error cannot easily compromise the browser. To date the industry’s approach to this problem has been very coarse-grained, which limits its effectiveness. We’re very excited to bring the new level of isolation provided by RLBox to our users.”

You can read more about this project from Mozilla’s Hacks Blog.

Micropatch simulates workaround for recent zero-day IE flaw, removes negative side effects

ACROS Security has released a micropatch that implements the workaround for a recently revealed actively exploited zero-day RCE flaw affecting Internet Explorer (CVE-2020-0674).


Remote code execution vulnerability affecting IE

Last Friday, Microsoft released an out-of-band security advisory notifying Internet Explorer users of a remote code execution vulnerability affecting IE 11, 10 and 9 on various versions of Windows and Windows Server, which they know is being exploited in “limited targeted attacks”.

Flagged by researchers from Qihoo 360 and Google’s Threat Analysis Group, the flaw has been filed under CVE-2020-0674, but no fix was released.

“Microsoft is aware of this vulnerability and working on a fix. Our standard policy is to release security updates on Update Tuesday, the second Tuesday of each month. This predictable schedule allows for partner quality assurance and IT planning, which helps maintain the Windows ecosystem as a reliable, secure choice for our customers,” the company explained, and offered information on mitigations and a temporary workaround.

Mitigation steps

Microsoft advised admins to implement the offered mitigation steps only if there is indication that the systems they are administrating are under elevated risk.

“If you implement the workaround, you will need to revert the mitigation steps before installing any future updates to continue to be protected,” the company pointed out.

Also, the workaround changes the ownership of the vulnerable JScript.dll, which has to be reverted again when the workaround is undone (before patching).

“This workaround has an expected negative side effect that if you’re using a web application that employs legacy JScript (and can as such only be used with Internet Explorer), this application will no longer work in your browser,” explained Mitja Kolsek, CEO of Acros Security and co-founder at 0patch, a solution that aims to provide fixes for zero-days, unpatched vulnerabilities, end-of-life and unsupported products, legacy operating systems, vulnerable third-party components and customized software.

The micropatch

Since the February Patch Tuesday is quite a while away and since Windows 7 and Windows Server 2008 R2 users without Extended Security Updates might not get the patch at all, ACROS Security decided to provide a micropatch that simulates the offered workaround (restricts access to the vulnerable JScript.dll) without its negative side effects (reduced functionality for components or features that rely on that particular .dll).

The company has ported the micropatch to Windows 7, Windows 10, Windows Server 2008 R2 and Windows Server 2019 (both 32-bit and 64-bit).

Those who already use 0patch can implement the micropatch immediately and remove it easily when Microsoft finally provides a patch (although, Microsoft’s patch will have precedence over the micropatch, so even removing it is not actually required).
