Browsers under attack - archive

WebKit core vuln...

FYI...

Multiple Vendor WebKit HTML Caption Use After Free Vulnerability
- http://atlas.arbor.net/briefs/index#418501501
Severity: Elevated Severity
Published: Wednesday, June 23, 2010 19:12
A use-after-free issue has been found in Google Chrome (3.0.195.38 and 4.0.249.78), and Safari 4.0.4 (Windows XP/OS X 10.5.8), specifically in the WebKit core. A malicious webpage can force the browser to execute arbitrary code on the victim's PC. Updated software has been released to address this issue...

Safari v5.0 released
- http://secunia.com/advisories/40105/
Original Advisory: Apple:
http://support.apple.com/kb/HT4196
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1392
Last revised: 06/24/2010
CVSS v2 Base Score: 9.3 (HIGH)
"... Safari before 5.0..."

Google Chrome v5.0.375.99 released
- http://secunia.com/advisories/40479/
Release Date: 2010-07-05
Solution: Update to version 5.0.375.99.
Original Advisory:
http://googlechromereleases.blogspot.com/2010/07/stable-channel-update.html

:fear:
 
Multiple browser vulns/updates...

FYI...

Firefox updated:
- http://securitytracker.com/alerts/2010/Sep/1024401.html
Sep 8 2010 - "... 3.5 prior to 3.5.12, 3.6 prior to 3.6.9..."
- http://securitytracker.com/alerts/2010/Sep/1024406.html
Sep 8 2010 - "... 3.5 prior to 3.5.12, 3.6 prior to 3.6.9..."

Safari updated:
- http://securitytracker.com/alerts/2010/Sep/1024400.html
Sep 8 2010 - "... 4.x prior to 4.1.2, 5.0 prior to 5.0.2..."

Google Chrome:
- http://securitytracker.com/alerts/2010/Sep/1024390.html
Sep 3 2010 - "... prior to 6.0.472.53..."

- http://techblog.avira.com/2010/09/08/browser-updates-3/en/

:fear:
 
Browser security update tricks

FYI...

Browser security update tricks
- http://www.symantec.com/connect/blogs/misleading-apps-push-browser-security-update-trick
04 Oct 2010 - "... attackers use social engineering techniques to scare users into purchasing a misleading application. This time around, we have come across a couple of websites that are using a slightly different trick to mislead users. In order to trick users, these websites used bogus pages that look similar to those presented by security features or technologies when one is about to visit a malicious page. However, it presented a “Download Updates!!” button, unlike Google’s “Get me out of here” button... Regardless of what browser is used, the user is presented with the same misleading dialog box that seemingly forces the download of Firefox and Chrome updates. This misleading dialog box keeps on popping up, even if the user clicks on cancel button... The downloaded executable turns out to be a variant of the infamous misleading application called Security Tool. Once executed, it displays exaggerated pop-ups in an attempt to scare users... Unlike standard misleading application distribution websites, these sites don’t rely only on social engineering tricks to mislead users. If more savvy users don’t download the misleading application executable, then these websites will redirect users to a website that, in turn, further redirects to a malicious website that is hosting the infamous Phoenix exploit kit. Phoenix is an automated exploit kit that uses heavily obfuscated JavaScript code to evade security products... These exploit kits are used to deliver malware after exploiting a vulnerability, mostly those affecting Web browsers. If users don’t somehow fall victim to this latest browser update trick, then the attackers have the fall back of delivering misleading applications through these exploit kits..."
(Screenshots available at the URL above.)

- http://sunbeltblog.blogspot.com/2010/10/securitytool-rogue-begins-using-fake.html
October 07, 2010
- http://sunbeltblog.blogspot.com/2010/10/rogue-downloader-overlooks-ie-users.html
October 19, 2010
- http://www.f-secure.com/weblog/archives/00002051.html
October 20, 2010

:fear::mad:
 
Reverse engineering ...

FYI...

'Need to stay on top of these updates - hacks do. Bug fixes are "reverse engineered" within -hours- of their release, and hacker exploits go right into production:

60 second check for updates here.
___

Zombie infection kit - Success rates / Victim browser statistics:
- http://labs.m86security.com/wp-content/uploads/2010/10/zombie_browser.png
October 15th, 2010
- http://labs.m86security.com/2010/10/don’t-get-infected-by-zombies/
"... effectively used in many other exploit tool kits. Potential victims are forced to visit Zombie’s exploit page when their browser loads an IFrame placed on a compromised website. All of the vulnerabilities exploited by this kit have been patched... 15 percent... of ‘visitors’ were successfully exploited by the Zombie Infection Kit and made to download a malicious executable. Because Java vulnerabilities accounted for 60 percent of infections, a surprising nine percent of all visitors were infected just by having an old version of java installed..."
Zombie infection kit - Success rates / IE6,7,8 - Java - Adobe PDF reader - Flash
- http://labs.m86security.com/wp-content/uploads/2010/10/zombie_nexp.png

:fear::fear:
 
Firefox 0-days...

FYI...

Firefox v3.6.12 released
- http://forums.spybot.info/showpost.php?p=387136&postcount=6
Critical
___

Firefox 0-days...
- http://isc.sans.edu/diary.html?storyid=9817
Last Updated: 2010-10-26 19:02:22 UTC - "... There is a 0-day vulnerability for Firefox, including the latest version. This vulnerability is already being exploited, so beware... The good thing is that Mozilla is quite fast on those and already confirmed the issue and is working to get it fixed*. The second one is related to a Firefox extension released yesterday. It is called Firesheep**. In summary, it is an addon that will make it really easy for basically anyone to hack accounts by sniffing traffic on public hotspots, such as airports, coffee shops, etc...
* https://bugzilla.mozilla.org/show_bug.cgi?id=607222

* http://blog.mozilla.com/security/2010/10/26/critical-vulnerability-in-firefox-3-5-and-firefox-3-6/
10.26.10

** http://www.pcworld.com/article/208727/firefox_addon_firesheep_brings_hacking_to_the_masses.html

- http://krebsonsecurity.com/2010/10/nobel-peace-prize-site-serves-firefox-0day/
October 26th, 2010

- http://www.symantec.com/connect/blogs/limited-firefox-zero-day-attack-wild
Oct. 27, 2010

- http://secunia.com/advisories/41957/
Last Update: 2010-10-28
Criticality level: Extremely critical
Impact: System access
Where: From remote
Solution: Update to Mozilla Firefox version 3.5.15 or 3.6.12 and Mozilla SeaMonkey version 2.0.10.

- http://securitytracker.com/alerts/2010/Oct/1024645.html
Oct 28 2010

:fear::fear:
 
Recent Browser updates ...

FYI...

'Need to stay on top of these updates - hacks do... so should you. If you haven't updated, -now- would be the time.

Recent Browser updates:

60 second check for updates here.
___

Multiple IE 0-day vulnerabilities...

IE drive-by bug ... "FixIt" available ...
- http://forums.spybot.info/showpost.php?p=393584&postcount=19
2011.01.12

IE/MHTML vuln ... "FixIt" available ...
- http://forums.spybot.info/showpost.php?p=395022&postcount=23
2011.01.28
___

Use stats
- http://www.w3schools.com/browsers/browsers_stats.asp

:fear:
 
Browser 'BITB' attack ...

FYI...

Browser 'BITB' attack...
- http://www.darkreading.com/taxonomy/index/printarticle/id/229218608
Feb. 14, 2011 - "... spin-off of the proxy Trojan, keylogger, and man-in-the-browser (MITB) attack. The "boy-in-the-browser" (BITB) attack... targeting users visiting their banks, retailers, and even Google... spotted in the wild. BITB is basically a "dumbed-down" MITB in which the attacker infects a user with its Trojan, either via a drive-by download or by luring the user to click on an infected link on a site... Imperva's advisory on the attacks is here*."
* http://www.imperva.com/resources/adc/adc_advisories_Boy_in_the_Browser.html
Feb. 14, 2011 - "... Nine Latin American banks were targeted..."

:fear::mad:
 
Motivation... Pwn2Own

FYI...

Safari, IE defeated, Chrome, Firefox Survive
Apple and Microsoft get "pwned" again at CanSecWest's Pwn2Own ...
- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=229300728
March 10, 2011 - "... Apple's timely release wasn't enough... security researchers from VUPEN, a penetration testing company based in France, defeated Safari 5.0.4 decisively... Internet Explorer 8 was also defeated... Google Chrome emerged unscathed... Mozilla's Firefox also survived..."

:blink:
 
Chrome targeted by malware...

FYI...

Malware authors target Google Chrome
- http://www.zdnet.com/blog/bott/malware-authors-target-google-chrome/3162
April 21, 2011 - "... malware authors have begun preying on users of alternative browsers to push dangerous software, including Trojans and scareware. The problem is that most malware attacks aren’t triggered by exploits that target vulnerabilities in code. Instead, according to one recent study, “users are four times more likely to come into contact with social engineering tactics as opposed to a site serving up an exploit.” I found a perfect example yesterday, thanks to an alert from Silverlight developer Kevin Dente. He had typed in a simple set of search terms—Silverlight datagrid reorder columns—at Google.com, using the Google Chrome browser on Windows... The first page of Google search results included several perfectly good links, but the sixth result was booby trapped... That led to a basic social engineering attack, but this one has a twist. It was customized for Chrome. If you’ve ever seen a Google Chrome security warning, you’ll recognize the distinctive, blood-red background, which this malware author has duplicated very effectively... After the fake scan is complete, another dialog box comes up, warning that “Google Chrome recommends you to install proper software”... When I submitted it to VirusTotal.com*, only five of the 42 engines correctly identified it as a suspicious file..."
(Screenshots available at the URL above.)
* http://www.virustotal.com/file-scan...283be3661774e50d6ac570433d23eeb22b-1303383008
File name: InstallInternetProtection_611.exe
Submission date: 2011-04-21 10:50:08 (UTC)
Result: 8/42 (19.0%)

:mad:
 
SpyEye targets Opera, Google Chrome...

FYI...

SpyEye targets Opera, Google Chrome...
- http://krebsonsecurity.com/2011/04/spyeye-targets-opera-google-chrome-users/
April 26, 2011 - "The latest version of the SpyEye trojan includes new capability specifically designed to steal sensitive data from Windows users surfing the Internet with the Google Chrome and Opera Web browsers*... Many people feel more secure using browsers like Chrome and Opera because they believe the browsers’ smaller market share makes them less of a target for cyber crooks. This latest SpyEye innovation is a good reminder that computer crooks are constantly looking for new ways to better monetize the resources they’ve already stolen..."
* http://krebsonsecurity.com/wp-content/uploads/2011/04/spychop.jpg

:mad: :mad:
 
WebGL - browser security flaw ...

FYI...

WebGL - browser security flaw...
- http://www.cio.com/article/681749/WebGL_Hit_By_Hard_to_Fix_Browser_Security_Flaw
May 9, 2011 - "The WebGL graphics technology turned on by default in Firefox and Chrome poses a serious security risk*... WebGL will not, however, run reliably on an unknown number of graphics cards, including Intel's integrated graphics and most ATI chipsets... Disabling WebGL varies from browser to browser but in Firefox involves setting a required value to "false" using the about:config command."
* http://www.contextis.com/resources/blog/webgl/
"... enabled by -default- in Firefox 4 and Google Chrome, and can be turned on in the latest builds of Safari..." (Flowchart available at the contextis.com URL above.)
- http://www.theregister.co.uk/2011/05/11/chrome_firefox_security_threat/
"... In Firefox 4, type “about:config” (minus the quotes) into the address bar and set webgl.disabled to true. In Chrome, get to the command line of your operating system and add the --disable-webgl flag to the Chrome command. On a Windows machine, the command line would be "chrome.exe --disable-webgl"."

> https://wiki.mozilla.org/Blocklisting/Blocked_Graphics_Drivers
___

WebGL Security Risks
- http://www.us-cert.gov/current/archive/2011/05/10/archive.html#web_users_warned_to_turn
May 10, 2011 - "... disable WebGL to help mitigate the risks..."

- http://www.h-online.com/security/news/item/WebGL-as-a-security-problem-1240567.html
10 May 2011
- http://www.h-online.com/security/news/item/WebGL-as-a-security-problem-1240567.html?view=zoom;zoom=2

:spider::fear:
 
WebGL security risks - updated ...

FYI...

WebGL security risks - updated
- http://www.contextis.com/resources/blog/webgl/faq/
11 May 2011 - "... we are releasing the following further information to aid in the understanding of the issues... in the longer term, Context believes that browser vendors should, by default, disable WebGL from within their web browsers. We would like to see functionality included that would allow users to opt-in for WebGL applications that they trust on a case by case basis... reported these issues and other vulnerabilities to the Mozilla Security group who has raised a number of internal bug reports regarding the issues that we have found, including issues that we have -not- publicly disclosed. They have also passed the information onto Google for Chrome. The Mozilla Security Group has been very receptive to the issues that we have raised and have been very responsive to our concerns."
(More detail at the contextis URL above.)

- https://www.us-cert.gov/current/archive/2011/05/10/archive.html#web_users_warned_to_turn
May 10, 2011 - "... disable WebGL to help mitigate the risks..."

:fear::fear:
 
IE 0-day - all versions...

FYI...

IE 0-day - all versions... cookiejacking
- http://www.informationweek.com/news/security/vulnerabilities/229700031?printer_friendly=this-page
May 26, 2011 - "... All versions of Internet Explorer on all versions of Windows are affected by the 0-day vulnerability, and are thus susceptible to cookiejacking. As the name implies, the attack is similar to clickjacking attacks, which trick users into clicking on innocuous-looking graphics or videos, to trigger arbitrary code execution. Cookiejacking takes that type of attack one step further, adding the zero-day vulnerability and some trickery to steal any cookie from a user's PC... To be successful, however, the attack must incorporate two details. First, it needs to know the victim's Windows username, to find the correct path to where cookies are stored... Second, an attacker needs to know which Windows operating system their victim is using, as each one stores cookies in different locations. Browsers, however, typically reveal this information via their navigator.userAgent object..."

- http://blog.trendmicro.com/contrary-to-reports-cookiejacking-presents-a-major-risk/
May 27, 2011

:fear::fear:
 
Facebook and M$ de-cloak Chrome...

FYI...

Facebook and M$ de-cloak Chrome ...
- http://blog.eset.com/2011/06/03/fac...ak-chrome-–-ms-neuters-their-privacy-advocate
June 3, 2011 - "What’s wrong with this picture?... I am using Google’s incognito mode and Clicker knows exactly who I am!... Facebook “Instant Personalization” destroys Google Chrome’s “Incognito mode”. There is nothing incognito about opening a clean browser with no cookies and going to a website you have never visited before and being called by name with your picture on the web page. Facebook and “Instant Personalization” partner sites deliberately ignore your obvious and explicit instructions NOT to track you. In October 2010 Gigaom.com posted an article http://gigaom.com/2010/10/13/bing-launches-facebook-instant-personalization/ that claimed “Microsoft today launched social search features for Bing created in partnership with Facebook. The two companies are teaming up to take on their common enemy: Google.” Perhaps there is truth to that. It is mind-boggling that Microsoft’s Bing ran an end game around the Microsoft Internet Explorer team by also defeating IE9’s “InPrivate Browsing”... Mozilla was caught in the crossfire as Microsoft and Facebook sneak around Firefox’s Private browsing feature as well. Apple’s Safari browser’s privacy mode was also hunted down and shot. Let’s call it like it is. Facebook rolls out a “feature” that deliberately over-rides a user’s explicitly expressed desire to browse in privacy without tracking... You might be interested to see how much information your browser reveals by going to https://panopticlick.eff.org/ * and running their test... It is true that in the above example “Clicker.com” does offer to let me disable their unauthorized Facebook enabled spying, however this does not happen until private browsing has already been subverted by Facebook... Having worked at Microsoft I can imagine how completely frustrating it must be for internal Microsoft privacy advocates to have to stand idle and watch Bing override Internet Explorer’s “InPrivate” browsing feature.
Perhaps for IE10 Microsoft can make more open labels and claims of what the browser can really do. The whole issue would have been avoided had Facebook had the decency to let users choose BEFORE they sabotage your browser and privacy."
(Screenshot available at the eset URL above.)

:mad:
 
Chrome extensions leak data ...

FYI...

Chrome extensions leak data...
- http://www.informationweek.com/news/security/vulnerabilities/231602411?printer_friendly=this-page
September 29, 2011 - "A review of 100 Google Chrome extensions, including the 50 most popular selections, found that 27% of them contain one or more vulnerabilities that could be exploited by attackers either via the Web or unsecured Wi-Fi hotspots. Those findings come from a study being conducted by security researchers Nicholas Carlini and Prateek Saxena at University of California, Berkeley. In particular, they analyzed the 50 most popular Chrome extensions, as well as 50 others selected at random, for JavaScript injection vulnerabilities, since such bugs can enable an attacker to take complete control of an extension. The researchers found that 27 of the 100 extensions studied contained one or more injection vulnerabilities, for a total of 51 vulnerabilities across all of the extensions. The researchers also said that seven of the vulnerable extensions were used by 300,000 people or more... attackers have turned their attention to exploiting vulnerabilities in the third-party code - including add-ons and extensions - used by browsers."

:fear::fear:
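The kind of extension bug the Berkeley study counts, as an added example that is not code from the article or from the study: an extension page that concatenates feed data into innerHTML (exploitable by anyone who can tamper with a plain-HTTP response, e.g. on an open hotspot) beside a hardened version, plus a small source check a reviewer can run over an extension. The feed contents, URLs and function names are assumptions.

```javascript
// Added example (not from the article or the Berkeley study). Assumed
// scenario: a Chrome extension popup that lists headlines from a news feed.

// Constructed sample feed. The second item stands in for a payload injected
// into a plain-HTTP response in transit; its onerror handler calls an
// extension API, which is why injection into an extension page is far worse
// than injection into an ordinary web page.
const SAMPLE_FEED = [
  { title: "Firefox 3.6.12 released" },
  { title: '<img src=x onerror="chrome.tabs.create({url:\'http://example.invalid\'})">' },
];

// Vulnerable pattern: untrusted text concatenated into HTML. When the caller
// assigns the result to innerHTML, the <img onerror=...> is parsed and runs
// with the extension's permissions (tabs, cookies, cross-origin requests).
function renderVulnerable(items) {
  let html = "";
  for (const it of items) html += "<li>" + it.title + "</li>";
  return html;
}

// Hardened pattern, part 1: escape the HTML-significant characters so feed
// data is displayed as text. (In real extension code prefer textContent or
// createElement over string building; escaping is used here because it can
// be exercised without a DOM.)
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

function renderSafe(items) {
  let html = "";
  for (const it of items) html += "<li>" + escapeHtml(it.title) + "</li>";
  return html;
}

// Hardened pattern, part 2: refuse to load feed data over plain HTTP, which
// closes the unsecured-Wi-Fi tampering route the study refers to.
function isAllowedFeedUrl(url) {
  try {
    return new URL(url).protocol === "https:";
  } catch (e) {
    return false; // malformed URL
  }
}

// Static check for an extension's own source: flags the sinks that turn
// injected text into code. Returns {line, text} for each hit.
const RISKY_SINK = /\.innerHTML\s*=|\beval\s*\(|document\.write\s*\(|\bnew Function\s*\(/;
function findRiskySinks(source) {
  return source
    .split("\n")
    .map((line, i) => ({ line: i + 1, text: line.trim() }))
    .filter((l) => RISKY_SINK.test(l.text));
}
```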
 
SpyEye hijacks SMS security...

FYI...

SpyEye hijacks SMS security...
- https://www.trusteer.com/blog/spyeye-changes-phone-numbers-hijack-out-band-sms-security
October 05, 2011 - "... recently uncovered a stealth new attack carried out by the SpyEye Trojan that circumvents mobile SMS (short message service) security measures implemented by many banks. Using code we captured while protecting a Rapport user, we discovered a two-step web-based attack that allows fraudsters to change the mobile phone number in a victim’s online banking account and reroute SMS confirmation codes used to verify online transactions. This attack, when successful, enables the thieves to make transactions on the user’s account and confirm the transactions without the user’s knowledge... This latest SpyEye configuration demonstrates that out-of-band authentication (OOBA) systems, including SMS-based solutions, are not fool-proof. Using a combination of MITB (man in the browser injection) technology and social engineering, fraudsters are not only able to bypass OOBA but also buy themselves more time since the transactions have been verified and fly under the radar of fraud detection systems. The only way to defeat this new attack once a computer has been infected with SpyEye is using endpoint security that blocks MITB techniques..."
(More detail available at the trusteer URL above.)

:mad:
 
HTML5 – The Ugly ...

FYI...

HTML5 – The Ugly ...
- http://blog.trendmicro.com/html5-the-ugly/
Nov. 30, 2011 - "... With HTML5, attacker(s) can now create a botnet which will run on any OS, in any location, on any device. Being heavily memory-based, it barely touches the disk, making it difficult to detect with traditional file-based antivirus. JavaScript code is also very easy to obfuscate, so network IDS signature will also have a very hard time. Finally, being web-based, it will easily pass through most firewalls. Stages of A Browser-Based Botnet Attack..."
(More detail at the trendmicro URL above.)...
___

Global malware view
Top attackers and domains distributing malware
- http://sucuri.net/global

:fear: :spider:
 
Exposed and vulnerable ...

FYI...

Exposed and vulnerable...

- http://www.zdnet.com/blog/security/...sing-the-web-with-insecure-java-versions/9541
October 4, 2011 - "... 31.3% of users were infected with the virus/malware due to missing security updates..."
Charted: http://i.zdnet.com/blogs/infection_browser_plugins.png

- http://www.csis.dk/en/csis/news/3321
2011-09-27 - "... users who unknowingly have been exposed to drive-by attacks have used the following web browsers..."
Charted: http://www.csis.dk/images/browser.Png

:fear: :fear:
 