October 1, 2016

New Chrome and New Thunderbird – Multiple Vulnerabilities Fixed (Updated)

Google has released Chrome 9.0.597.107 for all platforms with a total of 19 security fixes which cost Google $14,000 under its Chromium Security Rewards program. To date Google has given away over $100,000 to ethical hackers who have found and reported security issues with Google’s browser.

The success of the Chrome rewards program led Google to launch a similar program for its Web services back in November. It covers XSS, CSRF, XSSI and other types of vulnerabilities.

Of the 19 fixes to Chrome, 16 were considered high priority by Google, including a “URL bar spoof”. The details of the fixes haven’t yet been made public, as Google restricts access to the fix details until “the majority of Chrome users have updated to the latest patched version.”

Google isn’t the only one who has been updating its software. Mozilla has released a new version of its email client, Thunderbird. According to its web site, Thunderbird 3.1.8 contains several fixes to improve performance, stability and security. The improved stability includes a fix for a crash caused by a corrupted JPEG image.

For a more detailed list of bug fixes, see the Rumbling Edge for a Thunderbird-focused list, or the complete list of changes in this version.

UPDATE: Mozilla has also released Firefox 3.5.17 with several security-related fixes, including a fix for CVE-2010-3777, a vulnerability which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

New Firefox Plugin to Combat Fake and Compromised Web Sites

Zscaler has released Safe Shopping, a free Firefox plugin to protect surfers from fake and compromised online stores.

Last September PandaLabs, Panda Security’s anti-malware laboratory, released the results of a three-month investigation which found that hackers are creating 57,000 new websites each week and exploit nearly 375 high-profile brand names worldwide at any given time.

As the number of hacked and fake online stores grows, more and more users are unknowingly falling victim to such sites and often reveal sensitive information such as credit card numbers during their purchases.

Zscaler Safe Shopping is a free Firefox plugin, which warns users when they visit a suspected domain. The plugin is continually updated whenever new hacked or fake online stores are discovered.

Although most browsers contain blacklists to prevent users from accessing known malicious sites (e.g. Google Safe Browsing, PhishTank), these blacklists generally target pages that have been hijacked to redirect to malicious sites; they don’t necessarily protect the surfer from legitimate-looking sites (in terms of HTML, CSS and JavaScript) which are in fact offering fake services or goods.

According to Julien Sobrier, senior researcher at Zscaler labs and developer of the new Safe Shopping plugin, “Blacklists have improved their detection of traditional attacks such as fake antivirus campaigns, but attackers are now shifting to fake and compromised storefronts, which are not being detected.”

Web Browser Tests Show IE Best at Detecting Socially-Engineered Malware

One of the most prevalent forms of malware on the Internet today is what is known as “socially-engineered malware”, meaning malware that uses seemingly benign links and/or trusted social networking sites (like Facebook® etc.) to trick visitors into downloading and executing a piece of software that has malicious intent. Common examples of such seemingly innocent programs are screen savers, video codec upgrades and free games.

Beginning in 2009, NSS Labs has been conducting tests on the leading web browsers to determine which browsers are most susceptible to socially-engineered malware. The Q3 2010 results have recently been published, and the results are very interesting.

At the top of the leader board for protection, surprisingly, comes Internet Explorer. With a bad reputation over the years, IE has often been pushed to one side in favor of Firefox, but these test results portray IE in a new light. Internet Explorer 8 managed to block 90% of the malware, and even more exceptional is that Internet Explorer 9 managed to catch 99% of the threats. These results are even more remarkable when compared to Firefox 3.6, which caught only 19% of the live threats, a 10% decrease in protection from the Q1 2010 tests.

As for the rest of the browsers: Safari 5 caught 11% of the threats, down 18% from Q1 2010; Google Chrome 6 caught 3% of the threats, down 14%; and Opera 10 caught nothing!

You can read the introduction to the group test here and you can download the full report (as a PDF) here.