Security News

Google just issued a Chrome update with a note that says, "This update includes 1 [critical] security fix." The bug itself is still a secret, even though the Chromium core of the Chrome browser is an open source project.

GitHub has released technical information on six vulnerabilities identified by one of its security researchers in the WebAudio component of Chrome. The researcher started looking for Chrome vulnerabilities while he was working for Semmle, which GitHub acquired last year for its code analysis platform.

Google has kicked 49 malicious Chrome browser extensions out of its Web Store that were posing as cryptocurrency wallets in order to drain the contents of bona fide wallets. On Tuesday, Harry Denley, MyCrypto Director of Security, said that malicious browser extensions aren't new, but the targets in this campaign are: they include the cryptocurrency wallets Ledger, Trezor, Jaxx, Electrum, MyEtherWallet, MetaMask, Exodus, and KeepKey.

Google has ousted 49 Chrome extensions from its Chrome Web Store because they contained malicious code, a ritual that should be familiar after a decade of purges. Some of the extensions, he said, were supported by fake five-star reviews; some internet good samaritans also tried to warn others that the extensions were malicious.

Google has ousted 49 Chrome browser extensions from its Web Store that masqueraded as cryptocurrency wallets but contained malicious code to siphon off sensitive information and empty the digital currencies. "Essentially, the extensions are phishing for secrets - mnemonic phrases, private keys, and keystore files," explained Harry Denley, director of security at MyCrypto.

Google has decided to keep support for the File Transfer Protocol in Chrome a bit longer, after initially saying it would completely remove it in Chrome 82. Due to the lack of support for secure connections or proxies, the implementation of FTP in Chrome creates security risks for users.

Researchers are warning of a remote overlay malware attack that leverages a fake Chrome browser plugin to target the accounts of banking customers in Spain. Grandoreiro is a type of remote overlay banking trojan, designed to help attackers overtake devices and display a full-screen overlay image when victim accesses their online banking account.

Most of the low-severity bugs were insufficient policy enforcements too, complemented by several inappropriate implementations, uninitialized use in WebRTC, and use-after-free in V8. Google says it paid over $26,000 in bug bounty rewards to the reporting security researchers, but the company has yet to disclose the exact amount it awarded for all of the externally reported vulnerabilities. Mozilla, which revisited the previous decision to disable TLS 1.0 and 1.1 in its browser, this week pushed Firefox 75 to the stable channel, packing it with six security patches for the desktop, and two patches targeting vulnerabilities specific to the Android platform.

Google last week announced that it has started rolling back a cross-site request forgery protection introduced in early February with the release of Chrome 80 in the stable channel. Initially announced in May 2019, the protection involves Chrome enforcing a new secure-by-default cookie classification system, where cookies that haven't declared a SameSite value being treated as SameSite=Lax cookies.

On Thursday, Google released security patches to stomp out high-severity vulnerabilities in its Chrome browser. Overall, eight security bugs were addressed in Chrome browser version 80.0.3987.162 for Windows, Mac, and Linux.