Security News

Google has patched two more zero-day flaws in the Chrome web browser for desktop, making it the fourth and fifth actively exploited vulnerabilities addressed by the search giant in recent weeks. Tracked as CVE-2020-16013 and CVE-2020-16017, the flaws were discovered and reported to Google by "Anonymous" sources, unlike previous cases, which were uncovered by the company's Project Zero elite security team.

A heavily obfuscated and malicious NPM project is used to steal Discord user tokens and browser information from unsuspecting users. Due to this open system, it is becoming common for malicious actors to upload malicious modules that steal data, download and execute programs, or perform malicious behavior when used in other projects.

Web browser vendors are planning to block a new attack technique that would allow attackers to bypass a victim's NAT, firewall, or router to gain access to any TCP/UDP service hosted on their devices. To expose hosted services, the attack abuses certain NAT devices scanning port 5060 to create port forwarding rules when detecting maliciously-crafted HTTP requests camouflaged as valid SIP requests.

The vulnerability is tied to Google's open source JavaScript and WebAssembly engine called V8. In its disclosure, the flaw is described as an "Inappropriate implementation in V8". Clement Lecigne of Google's Threat Analysis Group and Samuel Gross of Google Project Zero discovered the Chrome desktop bug on Oct. 29, according to a blog post announcing the fixes by Prudhvikumar Bommana of the Google Chrome team. "Today Chrome fixed two more vulnerabilities that were being actively exploited in the wild. CVE-2020-16009 is a v8 bug used for remote code execution, CVE-2020-16010 is a Chrome sandbox escape for Android," he wrote.

Google has patched a second actively exploited zero-day flaw in the Chrome browser in two weeks, along with addressing nine other security vulnerabilities in its latest update. The zero-day flaw, tracked as CVE-2020-16009, was reported by Clement Lecigne of Google's Threat Analysis Group and Samuel Groß of Google Project Zero on October 29.

Brave Browser, the privacy-focused web browser, announced today that it grew in usage by over 130% in its first year of the release of its 'Stable' version. On November 13th, 2019, Brave Browser released its first Stable version after it had already accumulated 8.7 million monthly active users and 3 million daily active users during its Beta period.

NetMarketShare announced on Sunday plans to shut down its public browser share reporting tool, which has been available for more than 14 years. According to Net Applications, the data provided by NetMarketShare is a primary source in "Tens of thousands of articles and publication".

Dubbed "Operation Earth Kitsune" by Trend Micro, the campaign involves the use of SLUB malware and two new backdoors - dneSpy and agfSpy - to exfiltrate system information and gain additional control of the compromised machine. Although previous operations involving SLUB used the GitHub repository platform to download malicious code snippets onto the Windows system and post the results of the execution to an attacker-controlled private Slack channel, the latest iteration of the malware has targeted Mattermost, a Slack-like open-source collaborative messaging system.

On Monday, Microsoft hastened its IE-to-Edge browser-transition strategy and announced new controls for users and IT staff when it comes to how the lame-duck browser will handle a growing list of websites incompatible with IE. Those include YouTube, Twitter, Yahoo Mail and 1,153 other leading internet destinations. As a point of reference, the Microsoft Edge web browser comes built into Windows 10.

Browser lockers are a type of redirection attack where web surfers will click on a site, only to be sent to a page warning them that their computer is infected with "a virus" or malware. In a recent, widespread campaign, cyberattackers are using Facebook to distribute malicious links that ultimately redirect to a browser locker page, according to researchers.