Google forces devs to reveal Chrome extensions’ data use, privacy practices

Starting January 2021, developers of Chrome extensions will have to certify their data use and privacy practices and provide information about the data collected by the extension(s), “in clear and easy to understand language,” in the extension’s detail page in the Chrome Web Store.

“We are also introducing an additional policy focused on limiting how extension developers use data they collect,” Google added.

Privacy practices get more attention

Two weeks ago Apple announced that developers of apps offered through its App Store will have to provide privacy-focused labels so that users can review an app’s privacy practices before they download the app.


“You’ll need to provide information about your app’s privacy practices, including the practices of third-party partners whose code you integrate into your app, in App Store Connect,” Apple told app developers. “This information will be required to submit new apps and app updates to the App Store starting December 8, 2020.”

Now Google is forcing developers to provide similar information for Chrome extensions and, at the same time, the company is updating its developer policy to limit what extension developers can do with the data they collect.

The change means that extension developers are prohibited from selling user data, using it for personalized advertising or to establish users’ creditworthiness or lending qualification, and transferring the data to data brokers or other information resellers. In addition, they must ensure that the use or transfer of user data primarily benefits the user and is in accordance with the stated purpose of the extension.

The privacy-related information will be shown in the Privacy practices tab of the extension’s Chrome Web Store listing.


Will this be enough?

If developers fail to provide data privacy disclosures and to certify they comply with the Limited Use policy, starting with January 18, 2021, their listing on the Chrome Web Store will say that the publisher has not provided any information about the collection or usage of user data (but the extension apparently won’t be pulled from the store).

Will this stop users from downloading such an extension? Will most users actually read the information provided in the Privacy practices tab? Unfortunately, the answer to these questions is no. Does Google check whether extension developers were truthful when they “certified” their data use practices? Google doesn’t say, but the answer is likely no, as the task would be massive and the claims difficult (if not impossible) to confirm at that scale.

The problem with Apple’s and Google’s latest app privacy transparency push is that the companies shift the responsibility onto app/extension users and developers, and that the sanctions for developers who don’t comply with the store policies are not enough to stop those who are set on abusing them.

The security consequences of massive change in how we work

Organizations underwent an unprecedented IT change this year amid a massive shift to remote work, accelerating adoption of cloud technology, Duo Security reveals.


The security implications of this transition will reverberate for years to come, as the hybrid workplace requires the workforce to be secure, connected and productive from anywhere.

The report details how organizations, with a mandate to rapidly transition their entire workforce to remote work, turned to remote access technologies such as VPN and RDP, among numerous other efforts.

As a result, authentication activity to these technologies swelled 60%. A complementary survey recently found that 96% of organizations made cybersecurity policy changes during the COVID-19 pandemic, with more than half implementing MFA.

Cloud adoption also accelerated

Daily authentications to cloud applications surged 40% during the first few months of the pandemic, the bulk of which came from enterprise and mid-sized organizations looking to ensure secure access to various cloud services.

As organizations scrambled to acquire the requisite equipment to support remote work, employees relied on personal or unmanaged devices in the interim. Consequently, blocked access attempts due to out-of-date devices skyrocketed 90% in March. That figure fell precipitously in April, indicating healthier devices and decreased risk of breach due to malware.

“As the pandemic began, the priority for many organizations was keeping the lights on and accepting risk in order to accomplish this end,” said Dave Lewis, Global Advisory CISO, Duo Security at Cisco. “Attention has now turned towards lessening risk by implementing a more mature and modern security approach that accounts for a traditional corporate perimeter that has been completely upended.”

Additional report findings

So long, SMS – The prevalence of SIM-swapping attacks has driven organizations to strengthen their authentication schemes. Year-over-year, the percentage of organizations that enforce a policy to disallow SMS authentication nearly doubled from 8.7% to 16.1%.

Biometrics booming – Biometrics are nearly ubiquitous across enterprise users, paving the way for a passwordless future. Eighty percent of mobile devices used for work have biometrics configured, up 12% over the past five years.

Cloud apps on pace to pass on-premises apps – Use of cloud apps is on pace to surpass use of on-premises apps by next year, accelerated by the shift to remote work. Cloud applications make up 13.2% of total authentications, a 5.4% increase year-over-year, while on-premises applications encompass 18.5% of total authentications, down 1.5% since last year.

Apple devices 3.5 times more likely to update quickly vs. Android – Ecosystem differences have security consequences. On June 1, Apple iOS and Android both issued software updates to patch critical vulnerabilities in their respective operating systems.

iOS devices were 3.5 times more likely to be updated within 30 days of a security update or patch, compared to Android.

Windows 7 lingers in healthcare despite security risks – More than 30% of Windows devices in healthcare organizations still run Windows 7, despite end-of-life status, compared with 10% of organizations across Duo’s customer base.

Healthcare providers are often unable to update deprecated operating systems due to compliance requirements and restrictive terms and conditions of third-party software vendors.

Windows devices, Chrome browser dominate business IT – Windows continues its dominance in the enterprise, accounting for 59% of devices used to access protected applications, followed by macOS at 23%. Overall, mobile devices account for 15% of corporate access (iOS: 11.4%, Android: 3.7%).

On the browser side, Chrome is king with 44% of total browser authentications, resulting in stronger security hygiene overall for organizations.

UK and EU trail US in securing cloud – United Kingdom and European Union-based organizations trail US-based enterprises in user authentications to cloud applications, signaling less cloud use overall or a larger share of applications not protected by MFA.

November 2020 Patch Tuesday forecast: Significant OS changes ahead

November Patch Tuesday and the end-of-year holidays are rapidly approaching. Microsoft gave us a late release, or maybe an early gift, depending on how you look at it, in the form of the new version of Windows 10. The Patch Tuesday updates appear to be light, so things are looking much better as we enter the final stretch for 2020.


The big announcement this month is the release of Windows 10 version 20H2 on October 20. Yes, you read that correctly – not the 2020 Fall Release or Windows 10 version 2009, but Windows 10 version 20H2. Name changes once again!

This update follows the feature enablement model that began last year with Windows 10 versions 1903 and 1909. The new features in Windows 10 version 20H2 are also included in the October cumulative update for Windows 10 version 2004, although they are dormant. They can be turned on via a special enablement package.

A big change regarding servicing stack updates (SSU) and the latest cumulative updates (LCU) has finally been made – LCUs and SSUs have been combined into a single cumulative monthly update! Moving forward we don’t have to worry about managing these separately. Microsoft recommends applying the latest SSU for Windows 10, version 2004 and then you can forget about SSUs in the future because they are automatically applied as needed in the cumulative updates.

This release also includes a few security updates for Microsoft Defender Advanced Threat Protection (ATP), Microsoft Defender Application Guard for Office, and biometric enhancements for Windows Hello.

Each new release comes with its share of reported issues, so please review before you update to this latest version. From some of the forums I monitor, I’ve noted a lot of conversations around device drivers and device support in general. I suspect this is not an issue unique to Windows 10 version 20H2, but is part of a carryover from Microsoft now enforcing properly signed drivers, which began last month in the cumulative update. There are a lot of good reasons to update your OS, but always ‘look before you leap’ to ensure a smooth transition.

November 2020 Patch Tuesday forecast

  • Expect Microsoft to get back on track this month. There was a major dip in common vulnerabilities and exposures (CVEs) addressed last month, and for the first time I can remember there were no updates for Internet Explorer or Edge. Anticipate updates for the standard operating systems, browsers, Office, and extended support updates for Windows 7 and Server 2008. Servicing stack updates, including ones for the ESU operating systems, are expected.
  • Security updates were released this week for Adobe Acrobat and Reader, so I don’t expect anything next week.
  • Apple released their latest security updates for iTunes and iCloud in late September. The next updates will probably show up late this month or early December.
  • Google Chrome 86 was updated this week with a few security updates; there is a slight chance another release may come out on Patch Tuesday but don’t count on it.
  • Mozilla Firefox and Thunderbird were updated in mid-October. We should see some additional security updates next week.
  • It looks like an average Patch Tuesday for November. If you have some spare time, check out Microsoft’s latest and greatest in Windows 10 version 20H2.

Google fixes two actively exploited Chrome zero-days (CVE-2020-16009, CVE-2020-16010)

For the third time in two weeks, Google has patched Chrome zero-day vulnerabilities that are being actively exploited in the wild: CVE-2020-16009 is present in the desktop version of the browser, CVE-2020-16010 in the mobile (Android) version.

About the vulnerabilities (CVE-2020-16009, CVE-2020-16010)

As per usual, Google has refrained from sharing much detail about each of the patched vulnerabilities, so all we know is this: CVE-2020-16009 is an inappropriate implementation flaw in V8, Chrome’s open source … More

The post Google fixes two actively exploited Chrome zero-days (CVE-2020-16009, CVE-2020-16010) appeared first on Help Net Security.

October 2020 Patch Tuesday forecast: Trick or treat?

It’s October and that means Halloween will be here at the end of the month. It won’t be much fun if we only get to ‘dress up’ and look at each other via video conference. But then, we’ve had a lot of ‘tricks’ thrown at us this last month – Zerologon, explosion of ransomware, COVID phishing attacks, and more. Will we get more tricks next week or are we in for a treat on Patch Tuesday?


The Netlogon Elevation of Privilege Vulnerability, CVE-2020-1472, also referred to as the Zerologon vulnerability, dominated the news this past month. The US Department of Homeland Security issued Emergency Directive 20-04 on September 18, requiring all government agencies with a domain controller to update their servers within three days.

Microsoft has also issued updated guidance since the August Patch Tuesday release to clarify the steps needed to secure systems with this vulnerability. Per the outlined process in the article, the first step is to apply the August 11 updates which will begin enforcement of Secure RPC (Remote Procedure Call), but still allow non-compliant devices to connect and log the connections. Full enforcement will begin with the deployment of the February 9, 2021 updates.

All systems in your environment should be updated and monitored between now and February to verify they are configured and using the secure channels properly. Once the February updates are deployed, only vulnerable systems explicitly listed in group policy will be allowed to connect to the domain controller.
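The monitoring step above is where most of the work lies: a patched domain controller records which machine and trust accounts are still negotiating vulnerable Netlogon secure channels, and those are the accounts that will be refused once February enforcement lands. The following is an added example, not Microsoft’s tooling. The event IDs (5827 to 5831) are the ones documented in Microsoft’s deployment guidance for the patch; the one-line-per-event export format, the log lines and the function names are constructed for this example.

```python
"""Triage of the Netlogon secure-channel events a patched domain controller
logs during the Zerologon (CVE-2020-1472) deployment window, i.e. between the
August 2020 updates and February 2021 enforcement. Added example, not
Microsoft's tooling: the event IDs come from Microsoft's deployment guidance,
the export format and the lines are constructed, and the function names are
this example's own."""
from collections import Counter

# Event IDs written to the System log by the NETLOGON source on a patched DC:
DENIED = {5827, 5828}             # vulnerable connection refused
ALLOWED_VULNERABLE = {5829}       # allowed only because enforcement is not on yet
ALLOWED_BY_POLICY = {5830, 5831}  # allowed because the account is listed in the
                                  # "Allow vulnerable Netlogon secure channel
                                  # connections" group policy
# 5827/5829/5830 concern machine accounts; 5828/5831 concern trust accounts.

# Constructed export: "<timestamp> <event id> <account>" per line.
SAMPLE_EXPORT = """\
2020-10-05T08:01:12 5829 PRINTSRV01$
2020-10-05T08:03:40 5829 NASBOX$
2020-10-05T08:05:02 5830 LEGACYAPP$
2020-10-05T08:09:51 5827 ROGUEHOST$
2020-10-05T08:11:13 5829 PRINTSRV01$
2020-10-05T08:15:27 5831 OLDFOREST
2020-10-05T08:20:00 4624 WORKSTATION7$
"""


def parse_export(text):
    """Return a list of (timestamp, event_id, account) for each well-formed line."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[1].isdigit():
            continue  # skip blank or malformed lines
        events.append((parts[0], int(parts[1]), parts[2]))
    return events


def triage(events):
    """Sort accounts by what the February enforcement date will do to them."""
    attempts = Counter()
    needs_action, exempted, already_denied = set(), set(), set()
    for _, event_id, account in events:
        if event_id in ALLOWED_VULNERABLE:
            # Will be refused once enforcement starts unless patched or listed in policy.
            needs_action.add(account)
            attempts[account] += 1
        elif event_id in ALLOWED_BY_POLICY:
            exempted.add(account)      # review: each exception keeps the hole open
        elif event_id in DENIED:
            already_denied.add(account)
        # any other event id is not a Netlogon secure-channel verdict; ignore it
    return {
        "needs_action": sorted(needs_action),
        "exempted": sorted(exempted),
        "denied": sorted(already_denied),
        "vulnerable_attempts": dict(attempts),
    }


if __name__ == "__main__":
    report = triage(parse_export(SAMPLE_EXPORT))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against a real export, the `needs_action` list is the patch-or-exempt worklist, and the `exempted` list is what to re-justify before February, since every policy exception is a device that remains exploitable.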

It’s not unexpected that the education community has been hit the hardest by cyberattacks in the past several months. Students of all ages are now spending many hours online in daily remote learning sessions and are constantly exposed to a full host of attacks. The Microsoft Security Intelligence center is showing that 62% of malware encounters are affecting this industry.

As funny as it may sound, this is partially an ‘education’ issue. Most students haven’t received any form of security training and need to be aware of phishing attacks and what to look for, the importance of strong passwords, the need to keep personal or ‘sensitive’ information private, and similar practices we in the industry often take for granted.

With the sudden increase of connections from personal computers, many of which are running out-of-date software, it is more important than ever to maintain solid security practices for the infrastructure and support systems. Teachers should be running authorized software and IT must be prepared to apply the latest security updates, especially for programs like Zoom, WebEx, GoToMeeting, etc., which are critical for remote learning. We’ll weather this storm and the good news is that we’ll have a more security-aware group entering the workforce in the upcoming years.

October 2020 Patch Tuesday forecast

  • Microsoft continues to address record numbers of vulnerabilities each month. Expect that to continue in October. Microsoft Exchange Server received a major update last month, so I don’t expect another one. But we will see the standard updates for operating systems and Office, and extended support updates for Windows 7 and Server 2008.
  • Select service stack updates (SSUs) should appear as they usually do.
  • The last security updates for Adobe Acrobat and Reader were in August. There are no pre-announcements on their web site, but we may see an update.
  • Apple will most likely release major security updates for iTunes and iCloud later in October if they maintain their quarterly schedule.
  • Google Chrome 86 was released this Tuesday with significant security updates. Don’t expect any updates around Patch Tuesday.
  • Security updates were released on September 22 for Mozilla Firefox and Thunderbird. We could see some additional updates next week.

In summary, expect the standard set of Microsoft releases, maybe some updates from Adobe, and probably two from Mozilla. Based on this limited list of updates, it sounds like we should be in for a treat!

Chrome 86 delivers more security features for mobile users

Google has released Chrome 86 for desktop and mobile, which comes with several new and improved security features for mobile users, including:

  • New password protections
  • Enhanced Safe Browsing
  • Easier password filling
  • Mixed form warnings and mixed downloads warnings/blocks

New password security features in Chrome 86

The Password Checkup feature came first in the form of a Chrome extension, then was built into Google Account’s password manager and Chrome, and now it has been enhanced with support for the “.well-known/change-password” standard – a W3C specification that defines a well-known URL that sites can use to make their change-password forms discoverable by tools (e.g. Chrome, or the latest version of Safari).


This change means that, after users have been alerted that their password has been compromised, Chrome will take them directly to the right “change password” form. Hopefully, this will spur more users to act upon the alert.
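To make the discovery step concrete, here is an added example (not Chrome’s or Google’s code) of the client-side logic a tool uses to find a site’s change-password page via the well-known URL. It follows the redirect chain from `/.well-known/change-password` and applies the specification’s sanity probe: a site that also answers 200 to a path that must not exist is simply catching all URLs, so its answer is discarded. The `fetch` callable and the `FAKE_RESPONSES` table are constructed stand-ins for a real HTTP client; the hostnames are placeholders.

```python
"""Discovery of a site's change-password URL via /.well-known/change-password,
the mechanism Chrome 86 uses to send users straight to the right form.
Added example, not Chrome's code; the fetcher and responses are constructed."""
from urllib.parse import urljoin

CHANGE_PW = "/.well-known/change-password"
# The spec's guard against servers that answer 200 for *every* path: this URL
# must not exist, so a 200 here makes the change-password answer untrustworthy.
NOT_EXIST = ("/.well-known/"
             "resource-that-should-not-exist-whose-status-code-should-not-be-200")
MAX_REDIRECTS = 5


def resolve(origin, fetch, path=CHANGE_PW):
    """Follow redirects from origin+path; return (final_url, status).
    `fetch(url)` must return (status_code, location_header_or_None)."""
    url = urljoin(origin, path)
    for _ in range(MAX_REDIRECTS + 1):
        status, location = fetch(url)
        if 300 <= status < 400 and location:
            url = urljoin(url, location)  # relative Location headers are allowed
            continue
        return url, status
    return url, 0  # redirect loop or too many hops: treat as unavailable


def change_password_url(origin, fetch):
    """Return the URL a 'change your password' prompt should open, or None if
    the site does not reliably support the well-known URL."""
    final_url, status = resolve(origin, fetch)
    if not 200 <= status < 300:
        return None
    # Sanity probe: if the must-not-exist path also returns 2xx, the 2xx for
    # change-password carries no information and is ignored.
    _, probe_status = resolve(origin, fetch, NOT_EXIST)
    if 200 <= probe_status < 300:
        return None
    return final_url


# Constructed responses: (status, Location header) keyed by URL.
FAKE_RESPONSES = {
    "https://good.example" + CHANGE_PW: (302, "/account/security"),
    "https://good.example/account/security": (200, None),
    "https://good.example" + NOT_EXIST: (404, None),
    "https://catchall.example" + CHANGE_PW: (200, None),
    "https://catchall.example" + NOT_EXIST: (200, None),
    "https://loop.example" + CHANGE_PW: (302, CHANGE_PW),
}


def fake_fetch(url):
    """Stand-in HTTP client: anything not in the table is a 404."""
    return FAKE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    for site in ("https://good.example", "https://catchall.example",
                 "https://loop.example", "https://nothing.example"):
        print(site, "->", change_password_url(site, fake_fetch))
```

Site operators can use the same table to check their own deployment: the well-known path should redirect (or serve) the real form, and the must-not-exist path should return a 404 rather than a soft-200 catch-all page.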

Enhanced Safe Browsing is added to Chrome for Android

Enhanced Safe Browsing mode, which was first introduced in Chrome 83 (for desktop versions), allows users to get more personalized protection against malicious sites.

“When you turn on Enhanced Safe Browsing, Chrome can proactively protect you against phishing, malware, and other dangerous sites by sharing real-time data with Google’s Safe Browsing service. Among our users who have enabled checking websites and downloads in real time, our predictive phishing protections see a roughly 20% drop in users typing their passwords into phishing sites,” noted AbdelKarim Mardini, Senior Product Manager, Chrome.

In addition to this, Safety Check – an option that allows users to scan their Chrome installation to check whether the browser is up to date, whether the Safe Browsing service is enabled, and whether any of the passwords the user uses have been compromised in a known breach – is now available to Chrome for Android and iOS.

Biometric authentication for autofilling of passwords on iOS

iOS users can finally take advantage of the convenient password autofill option that was made available a few months ago to Android users.

The option allows iOS users to authenticate using Face ID, Touch ID, or their phone passcode before their saved passwords are automatically filled into sites and iOS apps (the Chrome autofill option must be turned on in Settings).


Mixed form/download warnings

Mixed content, i.e., insecure content served from otherwise secure (HTTPS) pages, is a danger to users.

Chrome 86 will warn users when they are about to submit information through a non-secure form embedded in an HTTPS page and when they are about to initiate insecure downloads over non-secure links.

For the moment, Chrome will block the download of executables and archive files over non-secure links but show a warning if the user tries to download document files, PDFs, and multimedia files. The next few Chrome versions will block those as well.

Last but not least, Google has fixed 35 security issues in Chrome 86, including a critical use-after-free vulnerability in payments (CVE-2020-15967).

Google offers high-risk Chrome users additional scanning of risky files

Google is providing a new “risky files” scanning feature to Chrome users enrolled in its Advanced Protection Program (APP).


About the Advanced Protection Program

Google introduced the Advanced Protection Program in 2017.

It’s primarily aimed at users whose accounts are at high risk of compromise through targeted attacks – journalists, human rights and civil society activists, campaign staffers and people in abusive relationships, executives and specific employees – but anyone can sign up for it.

It offers:

  • Anti-phishing protection, as attackers can steal users’ credentials, but they need the security key/smartphone that’s in the user’s possession to gain access to the account
  • Extra protection from harmful downloads
  • Protection from malicious third-party apps that may want to access users’ Google Account.

Some features, like the one announced on Wednesday, will work only if the user uses Google Chrome and is signed into it with their Advanced Protection Program identity.

Additional scanning

Last year, Chrome started warning APP users when a downloaded file may be malicious; now it will also give them the ability to send risky files for additional scanning by Google Safe Browsing’s full suite of malware detection technology before opening them.

“When a user downloads a file, Safe Browsing will perform a quick check using metadata, such as hashes of the file, to evaluate whether it appears potentially suspicious. For any downloads that Safe Browsing deems risky, but not clearly unsafe, the user will be presented with a warning and the ability to send the file to be scanned,” Chrome engineers explained.

“If the user chooses to send the file, Chrome will upload it to Google Safe Browsing, which will scan it using its static and dynamic analysis techniques in real time. After a short wait, if Safe Browsing determines the file is unsafe, Chrome will warn the user. As always, users can bypass the warning and open the file without scanning, if they are confident the file is safe. Safe Browsing deletes uploaded files a short time after scanning.”

Aside from helping users, the new feature is expected to help Google improve their ability to detect malicious files.

Chrome 86 will prominently warn about insecure forms on secure pages

Entering information into and submitting it through insecure online forms will come with very explicit warnings in the upcoming Chrome 86, Google has announced.

The new alerts

The browser will show a warning when a user begins filling out a mixed form (a form on an HTTPS site that does not submit through an HTTPS channel) and when a user tries to submit a mixed form.


“Before M86, mixed forms were only marked by removing the lock icon from the address bar. We saw that users found this experience unclear and it did not effectively communicate the risks associated with submitting data in insecure forms,” Shweta Panditrao, a software engineer with the Chrome Security Team, explained.

The last warning will be impossible to miss, as it will be shown on a full page.


The submission of the info will be temporarily blocked and it’s on users to decide if they want to risk it and override the block to submit the form anyway.

Google is also planning to disable the autofill feature of the browser’s password manager on all mixed forms except login forms (forms that require users to enter their username and password).

“Chrome’s password manager helps users input unique passwords, and it is safer to use unique passwords even on forms that are submitted insecurely, than to reuse passwords,” Panditrao explained the rationale for that exception.

Simultaneously, Google encouraged developers to fully migrate forms on their site to HTTPS to protect their users.
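The rules described in this article and in the Chrome 86 mixed form/download section above boil down to a small classifier: on an HTTPS page, a form whose action resolves to `http://` is a mixed form (warn on submit; autofill only if it is a login form), and a link whose target is `http://` is a mixed download (block executables and archives, warn on everything else for now). The following added example, which is not Chrome’s code, implements that classifier over a constructed page so developers can audit their own HTML before migrating forms to HTTPS. The extension list for the "block" bucket, the verdict names and the sample hostnames are this example’s assumptions.

```python
"""Classifier for the mixed-content cases Chrome 86 warns about: forms on an
HTTPS page that submit over http://, and downloads fetched over http:// from
an HTTPS page. Added example, not Chrome's code; the verdict names, the
blocked-extension list and the sample page are constructed for this example."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# The article says executables and archives are blocked while other insecure
# downloads only get a warning for now; which extensions count as
# "executable or archive" is this example's assumption.
BLOCKED_EXT = {".exe", ".msi", ".dmg", ".apk", ".zip", ".rar", ".7z"}


class MixedContentScanner(HTMLParser):
    """Collects form actions (and whether the form has a password field) and
    anchor hrefs, all resolved against the page URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self.links = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An action-less form submits to the page itself.
            self._form = {"action": urljoin(self.page_url, a.get("action") or ""),
                          "is_login": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form["is_login"] = True
        elif tag == "a" and a.get("href"):
            self.links.append(urljoin(self.page_url, a["href"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def is_insecure(url):
    return urlsplit(url).scheme == "http"


def extension(url):
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def assess(page_url, html):
    """Return (form_verdicts, download_verdicts) for one HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content is only defined for HTTPS pages")
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    forms = []
    for f in scanner.forms:
        mixed = is_insecure(f["action"])
        forms.append({
            "action": f["action"],
            "warn_on_submit": mixed,
            # Password-manager autofill is kept for secure forms and for mixed
            # *login* forms only (unique passwords beat reused ones).
            "autofill": (not mixed) or f["is_login"],
        })
    downloads = []
    for href in scanner.links:
        if not is_insecure(href):
            continue  # HTTPS downloads are not mixed content
        verdict = "block" if extension(href) in BLOCKED_EXT else "warn"
        downloads.append({"url": href, "verdict": verdict})
    return forms, downloads


# Constructed sample page (hostnames are placeholders).
SAMPLE_PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<form action="http://pay.example/submit"><input name="card"></form>
<form action="http://legacy.example/login"><input type="password" name="pw"></form>
<form action="/search"><input name="q"></form>
<a href="http://files.example/setup.exe">installer</a>
<a href="http://files.example/brochure.pdf">brochure</a>
<a href="https://files.example/report.docx">report</a>
"""

if __name__ == "__main__":
    forms, downloads = assess(SAMPLE_PAGE_URL, SAMPLE_HTML)
    for item in forms + downloads:
        print(item)
```

Anything the scanner reports with `warn_on_submit` set is a form that the full-page interstitial will interrupt in Chrome 86; the fix is the one the article recommends, pointing the action at an HTTPS endpoint, not suppressing the warning.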

Google’s push towards HTTPS and blocking mixed content

For many years, Google has been working on making HTTPS the standard for any and every online action.

In 2014, the company started prioritizing websites using HTTPS in Google Search results.

In 2017, Chrome started labeling sites that transmit passwords or credit card information over HTTP as “Not secure”. Later that same year, Chrome started showing the same alert for resources delivered over the FTP protocol.

Then, in 2018, Chrome began explicitly marking all HTTP sites as “not secure”.

In 2019, Google published a roadmap for Chrome’s gradual but inexorable push towards blocking mixed content (insecure HTTP subresources – images, audio, and video – loading on HTTPS pages).

Earlier this year, it did the same for mixed content downloads, an effort that is supposed to be finalized in Chrome 86, which is slated to be released in October 2020.

How secure is your web browser?

NSS Labs released the results of its web browser security test after testing Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera, for phishing protection and malware protection.


Key takeaways

  • Phishing protection rates ranged from 79.2% to 95.5%
  • For malware, the highest block rate was 98.5% and the lowest block rate was 5.6%
  • Protection improved over time; the most consistent products provided the best protection against phishing and malware.

Email, instant messages, SMS messages and links on social networking sites are used by criminals to lure victims to download and install malware disguised as legitimate software (a.k.a. socially engineered malware). Once the malware is installed, victims are subjected to identity theft, bank account compromise, and other devastating consequences.

Those same techniques are also used for phishing attacks, where victims are lured to websites impersonating banking, social media, charity, payroll, and other legitimate websites; victims are then tricked into providing passwords, credit card and bank account numbers, and other private information.

In addition, landing pages (URLs) of phishing websites are another way attackers exploit victims’ computers and silently install malicious software.

Protecting against malware and phishing

The ability to warn potential victims that they are about to stray onto a malicious website puts web browsers in a unique position to combat phishing, malware, and other criminal attacks.

To protect against malware and phishing attacks, browsers use cloud-based reputation systems that scour the internet for malicious websites and then categorize content accordingly, either by adding it to blocklists or whitelists, or by assigning it a score.

“As a result of the COVID-19 pandemic, employees have been forced to work from home and now have unprecedented remote access to corporate resources. Threat actors are shifting tactics to target these remote employees who may not benefit from corporate protection. This makes the protection offered by web browsers more important than ever,” said Vikram Phatak, founder of NSS Labs.

Tested browsers

  • Google Chrome – version 81.0.4044.113 – 81.0.4044.138
  • Microsoft Edge – version 83.0.478.10 – 84.0.516.1
  • Mozilla Firefox – version 75.0 – 76.0.1
  • Opera – version 67.0.3575.137 – 68.0.3618.125

Chrome 83: Enhanced Safe Browsing, Secure DNS, a Safety Check

Google has released version 83 of its popular Chrome web browser, which includes new security and privacy features and fixes for security issues.

Chrome 83: New and improved security and privacy features

The enhanced Safe Browsing mode will allow users to get more personalized protection against malicious sites.


“Phishing sites rotate domains very quickly to avoid being blocked, and malware campaigns are directly targeting at-risk users,” Google explained.

“Turning on Enhanced Safe Browsing will substantially increase protection from dangerous websites and downloads. By sharing real-time data with Google Safe Browsing, Chrome can proactively protect you against dangerous sites. If you’re signed in, Chrome and other Google apps you use (Gmail, Drive, etc.) will be able to provide improved protection based on a holistic view of threats you encounter on the web and attacks against your Google Account.”

A new Safety Check option allows users to scan their Chrome installation and shows whether the browser is up to date, whether the Safe Browsing service is on, whether potentially harmful extensions have been installed, and whether any of the passwords the user uses have been compromised in a known breach.

New cookie controls and settings – from now on, users will be able to delete cookies on a per-site basis and block third-party cookies while using Chrome’s Incognito mode (aka “private browsing” mode).

Secure DNS – built on top of the DNS-over-HTTPS (DoH) protocol.

“When you access a website, your browser first needs to determine which server is hosting it, using a step known as a ‘DNS (Domain Name System) lookup.’ Chrome’s Secure DNS feature uses DNS-over-HTTPS to encrypt this step, thereby helping prevent attackers from observing what sites you visit or sending you to phishing websites,” Google noted.

“By default, Chrome will automatically upgrade you to DNS-over-HTTPS if your current service provider supports it. You can also configure a different secure DNS provider in the Advanced security section, or disable the feature altogether.”
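What "encrypting the lookup" means on the wire is that the same DNS message a stub resolver would send over UDP port 53 is instead carried inside an HTTPS request (RFC 8484). The following added example, which is not Chrome’s code, builds that wire-format query, derives the GET URL a DoH client would request (base64url-encoded, padding stripped, in the `dns` parameter) and decodes a reply, all offline: the resolver URL is a placeholder and the reply is constructed, so no network traffic is generated.

```python
"""The DNS-over-HTTPS exchange (RFC 8484) behind Chrome's Secure DNS, built
and decoded offline. Added example, not Chrome's code: it builds the
wire-format query, derives the GET URL a DoH client would request, and parses
a constructed reply; the resolver URL is a placeholder."""
import base64
import struct

TYPE_A, CLASS_IN = 1, 1


def build_query(name, qtype=TYPE_A):
    """Wire-format DNS query (RFC 1035) with the RD flag set. DoH clients use
    transaction ID 0: HTTPS already pairs replies with requests, and a fixed
    ID keeps identical queries byte-identical (and therefore cacheable)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(resolver_url, query):
    """GET form of RFC 8484: base64url without padding in the `dns` parameter."""
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={token}"


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = _read_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_a_records(msg):
    """Return IPv4 addresses from the answer section of a wire-format reply."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qdcount):  # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4              # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs


def constructed_reply(query, ipv4):
    """A reply a resolver might send for `query`: the question echoed back,
    then one A record whose name is a compression pointer to offset 12."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR, RD, RA, RCODE 0
    rr = (b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
          + bytes(int(octet) for octet in ipv4.split(".")))
    return header + query[12:] + rr


if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url("https://doh.resolver.example/dns-query", q))  # placeholder
    print(parse_a_records(constructed_reply(q, "93.184.216.34")))
```

The security property Google describes follows from the transport alone: because the `dns` token travels inside TLS, an on-path observer sees only a connection to the resolver, not which name was looked up, and cannot rewrite the answer.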


Some features have already been rolled out, others will be made available to desktop Chrome users in upcoming weeks.

May 2020 Patch Tuesday forecast: Time for a break?

It’s been a hectic month for everyone worldwide, but we may get a small break in the action this patch Tuesday. The forecast for May is looking light on updates, which will be a relief to many IT professionals busy dealing with increasing threats and the challenges of remote system management.


COVID-19 exploitation

Threat actor activity around COVID-19 exploitation increased dramatically in April. The US Department of Homeland Security and the UK National Cyber Security Centre issued a joint advisory in early April, warning about this increasing activity. This advisory provides a detailed summary of several attacks and valuable links to actions you can take for mitigation.

The number of reported COVID-themed attacks, particularly phishing, has risen more than 475 percent according to this blog from BitDefender Labs, and that was in March. Coupled with this rising threat is the challenge of managing a now dispersed workforce on previously unused remote and BYOD devices, resulting in a higher risk of a security breach.

IT departments are stretched to the limit, ‘keeping the lights on’ for many businesses and they have little time to deal with the added complexities of deploying regular security updates to these devices.

Oracle

Oracle released their Critical Patch Updates (CPU) last month which happened to coincide with April Patch Tuesday (it is usually the week after). They had 399 updates across their entire product line. These included updates for Java 7, 8, 11, and 14. A total of 15 vulnerabilities were addressed with CVE-2020-2803 having the highest base CVSS 3.0 score at 8.3.

If you are running the Java JRE in your environment, please update your 7 or 8 versions. If you are developing applications with Java, get the latest 11 or 14 updates to ensure these vulnerabilities are addressed. The next Oracle CPU is scheduled for July.

Microsoft

One break last month came from Microsoft when they delayed the end-of-support date for the Enterprise and Education versions of Windows 10 1709 to October 13, 2020 and the SharePoint 2010 Family – SharePoint Foundation 2010, SharePoint Server 2010, and Project Server 2010 – to April 13, 2021. There was a sigh of relief from a few people.

Also last month, Microsoft addressed 113 CVEs in the patch Tuesday release, which included fixes to font vulnerabilities CVE-2020-1020 and CVE-2020-0938 associated with Advisory 20006. With record numbers of CVEs being fixed each month and the growing threat actor activity, it is more important than ever to keep your systems up-to-date with these latest releases.

May 2020 Patch Tuesday forecast

  • Microsoft should release a .NET update this month in addition to the usual OS and application set. We’ll see if the high number of resolved CVEs continues.
  • Expect new servicing stack updates (SSUs) for select operating systems this month; most have been getting periodic updates.
  • The Extended Security Updates (ESUs) for Windows 7 and Server 2008/2008 R2 should be released on Patch Tuesday as usual. Also be aware that Microsoft released an updated licensing preparation package this week under KB 4538483.
  • We should see Windows 10 2004, the May release as it is being called, either next Tuesday or soon thereafter.
  • Google released a security update for Chrome 81 this week.
  • Similarly, Mozilla provided security updates this week for Firefox 76, Firefox ESR 68, and Thunderbird 68.
  • The last security updates for Adobe Acrobat and Reader were in March; we may see an update this month, but Adobe has been releasing major security updates quarterly, so this is more likely to occur in June.

The adage says we should soon see May flowers. With most of the third-party vendors releasing their security updates this week we should have a light patch Tuesday coming. Take some time and smell those roses. After this past month we’ve all earned it.

Google announces cull of low-quality, misleading Chrome extensions

With Google Chrome being by far the most widely used web browser, Google must constantly tweak protections, rules and policies to keep malicious, unhelpful and otherwise potentially unwanted extensions out of the Chrome Web Store. The latest change of that kind has been announced for August 27, 2020, when Google plans to remove “low-quality and misleading” Chrome extensions from the CWS.


The announced changes

According to Google, there are currently around 200,000 browser extensions on the CWS, and many users have trouble finding exactly what they want because they have to wade through a multitude of copycat apps, apps with fake reviews and ratings, apps with misleading functionalities, and so on.

In order to make life easier and safer for users, Google will forbid developers and their affiliates from submitting or publishing:

  • Multiple extensions that provide duplicate experiences or functionality (e.g., wallpaper extensions that have different metadata but provide the user with the same wallpaper when installed)
  • Extensions whose only purpose is to install or launch another app, theme, webpage, or extension
  • Extensions that abuse notifications by sending spam, ads, promotions, phishing attempts, or unwanted messages that harm the user’s browsing experience
  • Extensions that send messages on behalf of the user without giving the user the ability to confirm the content and intended recipients
  • Extensions that have misleading, improperly formatted, non-descriptive, irrelevant, excessive, or inappropriate metadata (e.g., description, developer name, title, icon, etc.). “Developers must provide a clear and well-written description. Unattributed or anonymous user testimonials in the app’s description are also not allowed,” Google explained.

Finally, developers are forbidden from artificially manipulating how the Chrome Web Store orders and displays their extension, from providing incentives for users to download their extension, and from inflating product ratings and reviews.

Developers are urged to review the changes, read the spam policy FAQ to better understand them, and to start reviewing their apps and removing those that fall afoul of the new spam policy before the August deadline.

While Google’s intentions are laudable, it remains to be seen how strict they will be about removing misleading Chrome extensions and how effective they will be in preventing such extensions from being published on the CWS in the first place.

How people deal with fake news or misinformation in their social media feeds

Social media platforms, such as Facebook and Twitter, provide people with a lot of information, but it’s getting harder and harder to tell what’s real and what’s not.

Researchers at the University of Washington wanted to know how people investigated potentially suspicious posts on their own feeds. The team watched 25 participants scroll through their Facebook or Twitter feeds while, unbeknownst to them, a Google Chrome extension randomly added debunked content on top of some of the real posts.

Participants had various reactions to encountering a fake post: Some outright ignored it, some took it at face value, some investigated whether it was true, and some were suspicious of it but then chose to ignore it.

The research

“We wanted to understand what people do when they encounter fake news or misinformation in their feeds. Do they notice it? What do they do about it?” said senior author Franziska Roesner, a UW associate professor in the Paul G. Allen School of Computer Science & Engineering.

“There are a lot of people who are trying to be good consumers of information and they’re struggling. If we can understand what these people are doing, we might be able to design tools that can help them.”

Previous research on how people interact with misinformation asked participants to examine content from a researcher-created account, not from someone they chose to follow.

“That might make people automatically suspicious,” said lead author Christine Geeng, a UW doctoral student in the Allen School. “We made sure that all the posts looked like they came from people that our participants followed.”

The researchers recruited participants ages 18 to 74 from across the Seattle area, explaining that the team was interested in seeing how people use social media. Participants used Twitter or Facebook at least once a week and often used the social media platforms on a laptop.

Then the team developed a Chrome extension that would randomly add fake posts or memes that had been debunked by the fact-checking website Snopes.com on top of real posts to make it temporarily appear they were being shared by people on participants’ feeds. So instead of seeing a cousin’s post about a recent vacation, a participant would see their cousin share one of the fake stories instead.

The researchers either installed the extension on the participant’s laptop or the participant logged into their accounts on the researcher’s laptop, which had the extension enabled.

The team told the participants that the extension would modify their feeds – the researchers did not say how – and would track their likes and shares during the study – though, in fact, it wasn’t tracking anything. The extension was removed from participants’ laptops at the end of the study.

“We’d have them scroll through their feeds with the extension active,” Geeng said. “I told them to think aloud about what they were doing or what they would do if they were in a situation without me in the room. So then people would talk about ‘Oh yeah, I would read this article,’ or ‘I would skip this.’ Sometimes I would ask questions like, ‘Why are you skipping this? Why would you like that?’”

Participants could not actually like or share the fake posts. A retweet would share the real content beneath the fake post. The one time a participant did retweet content under the fake post, the researchers helped them undo it after the study was over. On Facebook, the like and share buttons didn’t work at all.

The results

After the participants encountered all the fake posts – nine for Facebook and seven for Twitter – the researchers stopped the study and explained what was going on.

“It wasn’t like we said, ‘Hey, there were some fake posts in there.’ We said, ‘It’s hard to spot misinformation. Here were all the fake posts you just saw. These were fake, and your friends did not really post them,’” Geeng said.

“Our goal was not to trick participants or to make them feel exposed. We wanted to normalize the difficulty of determining what’s fake and what’s not.”

The researchers concluded the interview by asking participants to share what types of strategies they use to detect misinformation.

In general, the researchers found that participants ignored many posts, especially those they deemed too long, overly political or not relevant to them.

But certain types of posts made participants skeptical. For example, people noticed when a post didn’t match someone’s usual content. Sometimes participants investigated suspicious posts – by looking at who posted it, evaluating the content’s source or reading the comments below the post – and other times, people just scrolled past them.

“I am interested in the times that people are skeptical but then choose not to investigate. Do they still incorporate it into their worldviews somehow?” Roesner said.

“At the time someone might say, ‘That’s an ad. I’m going to ignore it.’ But then later do they remember something about the content, and forget that it was from an ad they skipped? That’s something we’re trying to study more now.”

While this study was small, it does provide a framework for how people react to misinformation on social media, the team said. Now researchers can use this as a starting point to seek interventions to help people resist misinformation in their feeds.

“Participants had these strong models of what their feeds and the people in their social network were normally like. They noticed when it was weird. And that surprised me a little,” Roesner said.

“It’s easy to say we need to build these social media platforms so that people don’t get confused by fake posts. But I think there are opportunities for designers to incorporate people and their understanding of their own networks to design better social media platforms.”

Google fixes another Chrome zero-day exploited in the wild

For the third time in a year, Google has fixed a Chrome zero-day (CVE-2020-6418) that is being actively exploited by attackers in the wild.

About CVE-2020-6418

No details have been shared about the attacks and about the flaw itself, apart from the short description that says it’s a type confusion flaw in V8, the JavaScript engine used by the Chrome browser.
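To make the bug class concrete, here is an added illustration of what a type-confusion flaw is and how a tag check prevents it. It is example code written for this page, not code from Chrome or V8, and it does not model CVE-2020-6418 itself (no details of that flaw are given here). The `Value` type, its tags and the helper functions are all hypothetical: a tagged value that can hold either an integer or a length-prefixed buffer, with the integer field overlaying the buffer's length field in memory.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical tagged value: the kind of object a script engine juggles.
 * The union member that is valid depends entirely on the tag. */
typedef enum { T_INT = 1, T_BUF = 2 } Tag;

typedef struct {
    Tag tag;
    union {
        int number;                 /* meaningful only when tag == T_INT */
        struct {
            unsigned int len;       /* bytes in use inside data[]        */
            char data[32];
        } buf;                      /* meaningful only when tag == T_BUF */
    } u;
} Value;

/* Buggy accessor: trusts the caller's belief about the type. If v is
 * really a T_BUF, "number" overlays buf.len, so the write silently
 * corrupts the buffer's length metadata. That is type confusion. */
void set_number_unchecked(Value *v, int n)
{
    v->u.number = n;
}

/* Hardened accessor: refuses unless the tag says the union holds an int. */
int set_number_checked(Value *v, int n)
{
    if (v->tag != T_INT)
        return -1;                  /* type mismatch: touch nothing */
    v->u.number = n;
    return 0;
}

/* Bounds-checked append. It re-validates len instead of trusting it,
 * which is what limits the damage once len has been corrupted. */
int buf_append(Value *v, const char *src, unsigned int n)
{
    if (v->tag != T_BUF || v->u.buf.len > sizeof v->u.buf.data ||
        n > sizeof v->u.buf.data - v->u.buf.len)
        return -1;                  /* would write past data[] */
    memcpy(v->u.buf.data + v->u.buf.len, src, n);
    v->u.buf.len += n;
    return 0;
}

/* Returns buf.len after an unchecked write confused a buffer for an int. */
unsigned int demo_confused_length(void)
{
    Value v;
    memset(&v, 0, sizeof v);
    v.tag = T_BUF;                   /* constructed sample: empty buffer */
    set_number_unchecked(&v, 1000);  /* caller wrongly believed v was an int */
    return v.u.buf.len;              /* 1000, although data[] holds 32 bytes */
}

/* Returns buf_append's result on a buffer whose len was corrupted. */
int demo_append_after_confusion(void)
{
    Value v;
    memset(&v, 0, sizeof v);
    v.tag = T_BUF;
    set_number_unchecked(&v, 1000);
    return buf_append(&v, "hello", 5);  /* -1: the re-validation catches it */
}

/* Returns 0 if the checked setter refused and left the metadata intact. */
int demo_checked_write_refused(void)
{
    Value v;
    memset(&v, 0, sizeof v);
    v.tag = T_BUF;
    int rc = set_number_checked(&v, 1000);
    return (rc == -1 && v.u.buf.len == 0) ? 0 : 1;
}

int main(void)
{
    printf("len after confused write: %u\n", demo_confused_length());
    printf("append after confusion: %d\n", demo_append_after_confusion());
    printf("checked write refused: %s\n",
           demo_checked_write_refused() == 0 ? "yes" : "no");
    return 0;
}
```

The defensive lesson is the pair of checks: the setter verifies the tag before writing, and the consumer verifies the length before using it. In a real engine the "tag" is the object's hidden class or map, and an optimizer that drops such a check on a hot path produces exactly this class of flaw.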

The vulnerability was discovered and reported to the Chromium team by Clement Lecigne of Google’s Threat Analysis Group on February 18.

The fix was already in place a day later but, as the code is public, researchers from Exodus Intelligence managed to analyze it and develop proof-of-concept exploit code.

They released the exploit – which works only if Chrome’s sandbox is disabled or can be bypassed via another vulnerability – and pointed out that it’s a good thing Google has managed to reduce Chrome’s “patch gap” to two weeks.

“It took us around 3 days to exploit the vulnerability after discovering the fix. Considering that a potential attacker would try to couple this with a sandbox escape and also work it into their own framework, it seems safe to say that 1day vulnerabilities are impractical to exploit on a weekly or bi-weekly release cycle,” they noted.

This, of course, does not mean much in this particular instance, as CVE-2020-6418 was a zero-day to begin with (i.e., the exploit for it existed and was used before the patch).

Security update

The Chrome release (v80.0.3987.122) fixing CVE-2020-6418 and two other high-risk flaws was released for Windows, Mac, and Linux and will roll out over the coming days/weeks.

Those users and admins who have disabled the auto-updating feature on Chrome would do well to implement the update as soon as possible.
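For admins checking fleets by hand, the only number that matters is whether the installed build is below 80.0.3987.122, and the classic mistake is comparing version strings as text. The following is an added example (not code from the article or from Google) that compares dotted Chrome version strings numerically; the function names and the sample version strings are constructed for illustration, and the fixed version is the one stated above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* First Chrome build carrying the CVE-2020-6418 fix (version from the article). */
#define CHROME_FIXED "80.0.3987.122"

/* Parse one dotted component; missing or malformed input counts as 0. */
static const char *next_component(const char *p, unsigned long *out)
{
    char *end;
    if (*p == '\0') {
        *out = 0;
        return p;
    }
    *out = strtoul(p, &end, 10);
    if (end == p && *end != '.')   /* not a number: stop parsing this string */
        return p + strlen(p);
    if (*end == '.')
        end++;                     /* skip the separator */
    return end;
}

/* Compare dotted numeric versions component by component.
 * Returns <0 if a < b, 0 if equal, >0 if a > b.
 * Missing trailing components count as 0, so "80.0" == "80.0.0.0". */
int version_cmp(const char *a, const char *b)
{
    while (*a || *b) {
        unsigned long na, nb;
        a = next_component(a, &na);
        b = next_component(b, &nb);
        if (na != nb)
            return na < nb ? -1 : 1;
    }
    return 0;
}

/* 1 if the installed build predates the fix, 0 otherwise. */
int chrome_needs_update(const char *installed)
{
    return version_cmp(installed, CHROME_FIXED) < 0;
}

/* The tempting shortcut: plain string comparison. It ranks "99" above
 * "122" because it compares characters, not numbers, so a vulnerable
 * 80.0.3987.99 is reported as already patched. */
int chrome_needs_update_naive(const char *installed)
{
    return strcmp(installed, CHROME_FIXED) < 0;
}

int main(void)
{
    /* Constructed sample version strings, as shown on chrome://version. */
    const char *samples[] = {
        "80.0.3987.99", "80.0.3987.122", "80.0.3987.130", "79.0.3945.130"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s numeric: %s   strcmp: %s\n", samples[i],
               chrome_needs_update(samples[i]) ? "UPDATE" : "ok",
               chrome_needs_update_naive(samples[i]) ? "UPDATE" : "ok");
    return 0;
}
```

Feed it the version string from chrome://version (or whatever your inventory tool reports) and act on the numeric result; the `strcmp` column is there only to show why the shortcut misclassifies builds such as 80.0.3987.99.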

Sophos’ Paul Ducklin also pointed out that V8 is used in other applications and runtime environments, including the Chromium-based Microsoft Edge browser. (Brave, Opera, and Vivaldi are also Chromium-based web browsers and use V8).

“We’re assuming that if other V8-based applications do turn out to share this bug, they will soon be patched too – but as far as we know now, the in-the-wild exploit only applies to V8 as used in Chrome itself,” he added.