Security News

Mozilla Fixes Firefox Flaw That Allowed Spoofing of HTTPS Browser Padlock
2021-04-20 20:40

The Mozilla Foundation fixed a flaw in its Firefox browser that allowed spoofing of the HTTPS secure communications icon, displayed as a padlock in the browser address window. Successful exploitation of the flaw could have allowed a rogue website to intercept browser communications.

Amazon drops Firefox support on Fire TV in favor of Silk browser
2021-04-15 19:34

This month, Mozilla has announced plans to phase out support for the Firefox web browser app on the Amazon Fire TV product line. Although Firefox will no longer be supported on Fire TV effective at the end of this month, the Amazon Silk web browser app remains available to Fire TV users.

Is it still possible to run malware in a browser using JavaScript and Rowhammer? Yes, yes it is (slowly)
2021-04-15 00:18

Boffins from Vrije Universiteit in Amsterdam and ETH in Zurich have bypassed memory chip defenses to execute a successful browser-based Rowhammer side-channel attack dubbed SMASH. Rowhammer refers to a technique that computer security researchers began to explore around 2014: "hammering" RAM chips with a series of rapid write operations. Initially, Rowhammer attacks had to be conducted locally, though by 2016, the technique had been refined to work remotely using JavaScript in, say, a web browser.

What the FLoC? Browser makers queue up to decry Google's latest ad-targeting initiative as invasive tracking
2021-04-14 19:33

Google's FLoC mechanism for ad personalisation, currently being trialled in the Chrome browser, has been rejected as privacy-invasive tracking by other browser makers including Vivaldi and Brave. FLoC is part of what Google calls the Privacy Sandbox initiative, a proposal to "support business models that fund the open web in the absence of tracking mechanisms like third-party cookies," according to now-retired Chrome engineering director Justin Schuh and product manager Marshall Vale in January.

Chrome and Chromium updated after yet another exploit is found in browser's V8 JavaScript engine
2021-04-14 17:02

Google has announced new updates to Chrome 89 following the discovery of yet another live exploit for a vulnerability in the V8 JavaScript engine. One of the flaws affects V8, which in January was found to suffer from a heap overflow bug severe enough to prompt a round of updates.

Update Your Chrome Browser to Patch 2 New In-the-Wild 0-Day Exploits
2021-04-14 01:32

Google on Tuesday released a new version of Chrome web-browsing software for Windows, Mac, and Linux with patches for two newly discovered security vulnerabilities, for both of which it says exploits exist in the wild, allowing attackers to engage in active exploitation. UPDATE: Agarwal, in an email to The Hacker News, confirmed that there's one more vulnerability affecting Chromium-based browsers that has been patched in the latest version of V8, but has not been included in the Chrome release rolling out today, thereby leaving users potentially vulnerable to attacks even after installing the new update.

Cracked copies of Microsoft Office and Adobe Photoshop steal your session cookies, browser history, crypto-coins
2021-04-13 17:12

Cracked copies of Microsoft Office and Adobe Photoshop are stealing browser session cookies and Monero cryptocurrency wallets from tightwads who install the pirated software, Bitdefender has warned. As many Reg readers will no doubt be aware, cracked software is a legitimate application that has had its registration or licensing features removed.

PoC Exploit Released for Unpatched Flaw Affecting Chromium-Based Browsers
2021-04-13 12:32

A researcher has made public a proof-of-concept exploit for a recently discovered vulnerability affecting Chrome, Edge and other Chromium-based web browsers. On April 7, at the Pwn2Own 2021 hacking competition, Bruno Keith and Niklas Baumstark of Dataflow Security earned $100,000 for a remote code execution exploit that works against web browsers that are based on Google's open source Chromium project.

RCE Exploit Released for Unpatched Chrome, Opera, and Brave Browsers
2021-04-12 23:33

An Indian security researcher has publicly published proof-of-concept exploit code for a newly discovered flaw impacting Google Chrome and other Chromium-based browsers like Microsoft Edge, Opera, and Brave. Released by Rajvardhan Agarwal, the working exploit concerns a remote code execution vulnerability in the V8 JavaScript rendering engine that powers the web browsers.

This browser extension promises to block Google's controversial new tracking algorithm
2021-04-12 13:02

DuckDuckGo has launched a new browser extension for Chrome that will prevent FLoC, a new tracking technique used by Google to support web advertising without identifying users. Privacy browser DuckDuckGo has launched a new extension for Chrome that's designed to block Google's new algorithm for tracking users' browsing activity for ad selection.