Security News
Security researcher Rafay Baloch has discovered address bar spoofing vulnerabilities in several mobile browsers, which could allow attackers to trick users into sharing sensitive information through legitimate-looking phishing sites. "First and foremost, it is easy to persuade the victim into stealing credentials or distributing malware when the address bar points to a trusted website and gives no indicators of forgery; secondly, since the vulnerability exploits a specific feature in a browser, it can evade several anti-phishing schemes and solutions."
Google released an update to its Chrome browser that patches a zero-day vulnerability in the software's FreeType font rendering library that was being actively exploited in the wild. Security researcher Sergei Glazunov of Google Project Zero discovered the bug, which is classified as a heap buffer overflow, a type of memory-corruption flaw, in FreeType.
Attention readers: if you are using the Google Chrome browser on your Windows, Mac, or Linux computers, you need to update your web browsing software immediately to the latest version, which Google released earlier today. Without revealing technical details of the vulnerability, Ben Hawkes, technical lead for Google's Project Zero, warned on Twitter that while the team has only spotted an exploit targeting Chrome users, other projects that use FreeType might also be vulnerable and are advised to deploy the fix included in FreeType version 2.10.4.
Cybersecurity researchers on Tuesday disclosed details about an address bar spoofing vulnerability affecting multiple mobile browsers, such as Apple Safari and Opera Touch, leaving the door open for spear-phishing attacks and malware delivery. The issue stems from malicious JavaScript code on an arbitrary website forcing the browser to update the address bar to another address of the attacker's choice while the page is still loading.
A set of address-bar spoofing vulnerabilities that affect a number of mobile browsers open the door for malware delivery, phishing and disinformation campaigns. "Essentially, if your browser tells you that a pop-up notification or a page is 'from' your bank, your healthcare provider or some other critical service you depend on, you really should have some mechanism of validating that source. In mobile browsers, that source begins and ends with the URL as shown in the address bar. The fact of the matter is, we really don't have much else to rely on."
Google has announced two new security initiatives: one is aimed at helping bug hunters improve the security of various browsers' JavaScript engines, the other at helping Android OEMs improve the security of the mobile devices they ship. "JavaScript engine security continues to be critical for user safety, as demonstrated by recent in-the-wild zero-day exploits abusing vulnerabilities in v8, the JavaScript engine behind Chrome. Unfortunately, fuzzing JavaScript engines to uncover these vulnerabilities is generally quite expensive due to their high complexity and relatively slow processing of input," noted Project Zero's Samuel Groß.
Rogue domain certificates have mostly been limited to bad actors obtaining what are called domain-validated certificates, which are available for free from services such as Let's Encrypt. Domain-validated certificates are a bare-bones solution for securing communications between a web browser and a server using TLS encryption.
Google has stomped out several serious code-execution flaws in its Chrome browser. The high-severity flaws include an out-of-bounds read error in storage in Google Chrome.
The cross-site scripting flaws could allow attackers to execute JavaScript in targets' browsers. Adobe fixed 18 flaws, including those in Adobe Experience Manager, as part of its regularly scheduled September updates.
One very clear area where Vivaldi is absolutely superior to all other browsers is how it makes managing your history not only easy, but intuitive. Let me show you how easy it is to manage that history within Vivaldi.