Browsers under attack - archive

[AplusWebMaster]

FYI...

Malware authors target Google Chrome
- http://www.zdnet.com/blog/bott/malwa...le-chrome/3162
April 21, 2011 - "... malware authors have begun preying on users of alternative browsers to push dangerous software, including Trojans and scareware. The problem is that most malware attacks aren’t triggered by exploits that target vulnerabilities in code. Instead, according to one recent study, “users are four times more likely to come into contact with social engineering tactics as opposed to a site serving up an exploit.” I found a perfect example yesterday, thanks to an alert from Silverlight developer Kevin Dente. He had typed in a simple set of search terms—Silverlight datagrid reorder columns—at Google.com, using the Google Chrome browser on Windows... The first page of Google search results included several perfectly good links, but the sixth result was booby trapped... That led to a basic social engineering attack, but this one has a twist. It was customized for Chrome. If you’ve ever seen a Google Chrome security warning, you’ll recognize the distinctive, blood-red background, which this malware author has duplicated very effectively... After the fake scan is complete, another dialog box comes up, warning that “Google Chrome recommends you to install proper software”... When I submitted it to VirusTotal.com*, only five of the 42 engines correctly identified it as a suspicious file..."
(Screenshots available at the URL above.)
* http://www.virustotal.com/file-scan/...22b-1303383008
File name: InstallInternetProtection_611.exe
Submission date: 2011-04-21 10:50:08 (UTC)
Result: 8/42 (19.0%)

[AplusWebMaster]

FYI...

SpyEye targets Opera, Google Chrome...
- http://krebsonsecurity.com/2011/04/s...-chrome-users/
April 26, 2011 - "The latest version of the SpyEye trojan includes new capability specifically designed to steal sensitive data from Windows users surfing the Internet with the Google Chrome and Opera Web browsers*... Many people feel more secure using browsers like Chrome and Opera because they believe the browsers’ smaller market share makes them less of a target for cyber crooks. This latest SpyEye innovation is a good reminder that computer crooks are constantly looking for new ways to better monetize the resources they’ve already stolen..."
* http://krebsonsecurity.com/wp-conten...04/spychop.jpg

[AplusWebMaster]

FYI...


WebGL - browser security flaw...
- http://www.cio.com/article/681749/We..._Security_Flaw
May 9, 2011 - "The WebGL graphics technology turned on by default in Firefox and Chrome poses a serious security risk*... WebGL will not, however, run reliably on an unknown number of graphics cards, including Intel's integrated graphics and most ATI chipsets... Disabling WebGL varies from browser to browser but in Firefox involves setting a required value to "false" using the about:config command."
* http://www.contextis.com/resources/blog/webgl/
"... enabled by -default- in Firefox 4 and Google Chrome, and can be turned on in the latest builds of Safari..." (Flowchart available at the contextis.com URL above.)
- http://www.theregister.co.uk/2011/05...curity_threat/
"... In Firefox 4, type “about:config” (minus the quotes) into the address bar and set webgl.disabled to true. In Chrome, get to the command line of your operating system and add the --disable-webgl flag to the Chrome command. On a Windows machine, the command line would be "chrome.exe --disable-webgl".

> https://wiki.mozilla.org/Blocklistin...aphics_Drivers
___

WebGL Security Risks
- http://www.us-cert.gov/current/archi...warned_to_turn
May 10, 2011 - "... disable WebGL to help mitigate the risks..."

- http://www.h-online.com/security/new...m-1240567.html
10 May 2011
- http://www.h-online.com/security/new...ew=zoom;zoom=2

[AplusWebMaster]

FYI...

WebGL security risks - updated
- http://www.contextis.com/resources/blog/webgl/faq/
11 May 2011 - "... we are releasing the following further information to aid in the understanding of the issues... in the longer term, Context believes that browser vendors should, by default, disable WebGL from within their web browsers. We would like to see functionality included that would allow users to opt-in for WebGL applications that they trust on a case by case basis... reported these issues and other vulnerabilities to the Mozilla Security group who has raised a number of internal bug reports regarding the issues that we have found, including issues that we have -not- publicly disclosed. They have also passed the information onto Google for Chrome. The Mozilla Security Group has been very receptive to the issues that we have raised and have been very responsive to our concerns."
(More detail at the contextis URL above.)

- https://www.us-cert.gov/current/arch...warned_to_turn
May 10, 2011 - "... disable WebGL to help mitigate the risks..."

[AplusWebMaster]

FYI...

IE 0-day - all versions... cookiejacking
- http://www.informationweek.com/news/...ndly=this-page
May 26, 2011 - "... All versions of Internet Explorer on all versions of Windows are affected by the 0-day vulnerability, and are thus susceptible to cookiejacking. As the name implies, the attack is similar to clickjacking attacks, which trick users into clicking on innocuous-looking graphics or videos, to trigger arbitrary code execution. Cookiejacking takes that type of attack one step further, adding the zero-day vulnerability and some trickery to steal any cookie from a user's PC... To be successful, however, the attack must incorporate two details. First, it needs to know the victim's Windows username, to find the correct path to where cookies are stored... Second, an attacker needs to know which Windows operating system their victim is using, as each one stores cookies in different locations. Browsers, however, typically reveal this information via their navigator.userAgent object..."

- http://blog.trendmicro.com/contrary-...-a-major-risk/
May 27, 2011

[AplusWebMaster]

FYI...

Facebook and M$ de-cloak Chrome ...
- http://blog.eset.com/2011/06/03/face...ivacy-advocate
June 3, 2011 - "What’s wrong with this picture?... I am using Google’s incognito mode and Clicker knows exactly who I am!... Facebook “Instant Personalization” destroys Google Chrome’s “Incognito mode”. There is nothing incognito about opening a clean browser with no cookies and going to a website you have never visited before and being called by name with your picture on the web page. Facebook and “Instant Personalization” partner sites deliberately ignores your obvious and explicit instructions NOT to track you. In October 2010 Gigaom.com posted an article http://gigaom.com/2010/10/13/bing-la...rsonalization/ that claimed “Microsoft today launched social search features for Bing created in partnership with Facebook. The two companies are teaming up to take on their common enemy: Google.” Perhaps there is truth to that. It is mind-boggling that Microsoft’s Bing ran an end game around the Microsoft Internet Explorer team by also defeating IE9’s “InPrivate Browsing”... Mozilla was caught in the crossfire as Microsoft and Facebook sneak around Firefox’s Private browsing feature as well. Apple’s Safari browser’s privacy mode was also hunted down and shot. Let’s call it like it is. Facebook rolls out a “feature” that deliberately over-rides a user’s explicitly expressed desire to browse in privacy without tracking... You might be interested to see how much information your browser reveals by going to https://panopticlick.eff.org/ * and running their test... It is true that in the above example “Clicker.com” does offer to let me disable their unauthorized Facebook enabled spying, however this does not happen until private browsing has already been subverted by Facebook... Having worked at Microsoft I can imagine how completely frustrating it must be for internal Microsoft privacy advocates to have to stand idle and watch Bing override Internet Explorer’s “InPrivate” browsing feature. Perhaps for IE10 Microsoft can make more open labels and claims of what the browser can really do. The whole issue would have been avoided had Facebook had the decency to let users choose BEFORE they sabotage your browser and privacy."
(Screenshot available at the eset URL above.)

[AplusWebMaster]

FYI...

Chrome extensions leak data...
- http://www.informationweek.com/news/...ndly=this-page
September 29, 2011 - "A review of 100 Google Chrome extensions, including the 50 most popular selections, found that 27% of them contain one or more vulnerabilities that could be exploited by attackers either via the Web or unsecured Wi-Fi hotspots. Those findings come from a study being conducted by security researchers Nicholas Carlini and Prateek Saxena at University of California, Berkeley. In particular, they analyzed the 50 most popular Chrome extensions, as well as 50 others selected at random, for JavaScript injection vulnerabilities, since such bugs can enable an attacker to take complete control of an extension. The researchers found that 27 of the 100 extensions studied contained one or more injection vulnerabilities, for a total of 51 vulnerabilities across all of the extensions. The researchers also said that seven of the vulnerable extensions were used by 300,000 people or more... attackers have turned their attention to exploiting vulnerabilities in the third-party code - including add-ons and extensions - used by browsers."

[AplusWebMaster]

FYI...

SpyEye hijacks SMS security...
- https://www.trusteer.com/blog/spyeye...d-sms-security
October 05, 2011 - "... recently uncovered a stealth new attack carried out by the SpyEye Trojan that circumvents mobile SMS (short message service) security measures implemented by many banks. Using code we captured while protecting a Rapport user, we discovered a two-step web-based attack that allows fraudsters to change the mobile phone number in a victim’s online banking account and reroute SMS confirmation codes used to verify online transactions. This attack, when successful, enables the thieves to make transactions on the user’s account and confirm the transactions without the user’s knowledge... This latest SpyEye configuration demonstrates that out-of-band authentication (OOBA) systems, including SMS-based solutions, are not fool-proof. Using a combination of MITB (man in the browser injection) technology and social engineering, fraudsters are not only able to bypass OOBA but also buy themselves more time since the transactions have been verified and fly under the radar of fraud detection systems. The only way to defeat this new attack once a computer has been infected with SpyEye is using endpoint security that blocks MITB techniques..."
(More detail available at the trusteer URL above.)

[AplusWebMaster]

FYI...

HTML5 – The Ugly ...
- http://blog.trendmicro.com/html5-the-ugly/
Nov. 30, 2011 - "... With HTML5, attacker(s) can now create a botnet which will run on any OS, in any location, on any device. Being heavily memory-based, it barely touches the disk, making it difficult to detect with traditional file-based antivirus. JavaScript code is also very easy to obfuscate, so network IDS signature will also have a very hard time. Finally, being web-based, it will easily pass through most firewalls. Stages of A Browser-Based Botnet Attack..."
(More detail at the trendmicro URL above.)...
___

Global malware view
Top attackers and domains distributing malware
- http://sucuri.net/global

[AplusWebMaster]

FYI...

Exposed and vulnerable...

- http://www.zdnet.com/blog/security/3...-versions/9541
October 4, 2011 - "... 31.3% of users were infected with the virus/malware due to missing security updates..."
Charted: http://i.zdnet.com/blogs/infection_browser_plugins.png

- http://www.csis.dk/en/csis/news/3321
2011-09-27 - "... users who unknowingly have been exposed to drive-by attacks have used the following web browsers..."
Charted: http://www.csis.dk/images/browser.Png