Security News

Invisible characters could be hiding backdoors in your JavaScript code
2021-11-10 13:18

A security researcher has shed light on how invisible characters can be snuck into JavaScript code to introduce security risks, like backdoors, into your software. This week, a researcher has disclosed how certain characters could be injected into JavaScript code to introduce invisible backdoors and security vulnerabilities.

About 26% of all malicious JavaScript threats are obfuscated
2021-10-19 16:03

Obfuscation is when easy-to-understand source code is converted into a hard to understand and confusing code that still operates as intended. Obfuscation can be achieved through various means like the injection of unused code into a script, the splitting and concatenating of the code, or the use of hexadecimal patterns and tricky overlaps with function and variable naming.

FIN7 Hackers Using Windows 11 Themed Documents to Drop Javascript Backdoor
2021-09-06 03:16

A recent wave of spear-phishing campaigns leveraged weaponized Windows 11 Alpha-themed Word documents with Visual Basic macros to drop malicious payloads, including a JavaScript implant, against a point-of-sale service provider located in the U.S. The attacks, which are believed to have taken place between late June to late July 2021, have been attributed with "Moderate confidence" to a financially motivated threat actor dubbed FIN7, according to researchers from cybersecurity firm Anomali. "The group's goal appears to have been to deliver a variation of a JavaScript backdoor used by FIN7 since at least 2018.".

Microsoft wonders if disabling just-in-time compilation of JavaScript improves browser security
2021-08-06 05:30

Microsoft is conducting an experiment it hopes will improve browser security - by making its Edge offering worse at running JavaScript. As explained in a post by Johnathan Norman, the vulnerability research lead for Microsoft Edge, JavaScript is the juiciest target when trying to crack a browser - because engines like Google's V8 and the just-in-time compilation techniques they employ use "a remarkably complex process that very few people understand" and have "a small margin for error" in the way they handles code.

Google Chrome now 23% faster after JavaScript engine improvements
2021-05-27 19:14

Google says the latest Google Chrome release comes with a significant performance boost due to newly added improvements to the open-source V8 JavaScript and WebAssembly engine. Google Chrome 91, which started rolling out earlier this week, is executing JavaScript code 23% faster with the inclusion of a new JavaScript compiler and the use of a new way to optimize the code's location in memory.

Firefox 88 patches bugs and kills off a sneaky JavaScript tracking trick
2021-04-20 18:04

The "Problem child" that Firefox just addressed is a lesser-known JavaScript variable called window. Specifying an existing tab name in the target of the link means that we can re-use the second tab for our new content, so that the example.com page opens up in the same NEWTAB tab, replacing the Naked Security content and avoiding the creation of a third tab.

Is it still possible to run malware in a browser using JavaScript and Rowhammer? Yes, yes it is (slowly)
2021-04-15 00:18

Boffins from Vrije Universiteit in Amsterdam and ETH in Zurich have bypassed memory chip defenses to execute a successful browser-based Rowhammer side-channel attack dubbed SMASH. Rowhammer refers to a technique that computer security researchers began to explore around 2014: "Hammering" RAM chips with a series of rapid write operations. Initially, Rowhammer attacks had to be conducted locally, though by 2016 [PDF], the technique had been refined to work remotely using JavaScript in, say, a web browser.

Chrome and Chromium updated after yet another exploit is found in browser's V8 JavaScript engine
2021-04-14 17:02

Google has announced new updates to Chrome 89 following the discovery of yet another live exploit for a vulnerability in the V8 JavaScript engine. One of the flaws affects V8, which in January was found to suffer from a heap overflow bug severe enough to prompt a round of updates.

New JavaScript Exploit Can Now Carry Out DDR4 Rowhammer Attacks
2021-04-14 08:50

Academics from Vrije University in Amsterdam and ETH Zurich have published a new research paper describing yet another variation of the Rowhammer attack. "Despite their in-DRAM Target Row Refresh mitigations, some of the most recent DDR4 modules are still vulnerable to many-sided Rowhammer bit flips," the researchers said.

Office 365 phishing campaign uses publicly hosted JavaScript code
2021-04-08 13:16

A new phishing campaign targeting Office 365 users cleverly tries to bypass email security protections by combining chunks of HTML code delivered via publicly hosted JavaScript code. The subject of the phishing email says "Price revision" and it contains no body - just an attachment that, at first glance, looks like an Excel document, but is actually an HTML document that contains encoded text pointing to two URLs located yourjavascript.com, a free service for hosting JavaScript, and a separate chunk of HTML code.