[Neobrahmigp] worth a read - google fixed issues in chrome

Dr. AJAY D A T A ajay at data.in
Fri Apr 21 07:30:59 UTC 2017


  


Please read this. It's explaining one of the important reasons why we need to have LGR - very important

=====================================================================

Google fixed a handful of issues when it released the latest version of its browser, Chrome 58, on Wednesday, including a vulnerability that could have made it easier for an attacker to carry out a phishing attack with Unicode domains.
The vulnerability, based on Punycode – a way to represent Unicode with foreign characters – has been making headlines since it was disclosed last Friday. Discovered by Chinese researcher Xudong Zheng, the bug relies on tricking Chrome into bringing users to sites that appear legitimate. The sites could then convince victims to enter personal login or financial credentials.

Zheng claims he disclosed the bug to Google on January 20 and that it was incorporated into beta builds on March 24, before finally getting fixed on Wednesday.

The bug, considered medium severity, was one of 29 issues Google fixed on Wednesday.

Three of the vulnerabilities were marked critical by Google, including a heap use after free in the browser's Print Preview feature, and a pair of type confusion bugs – one in PDFium, Google's open source PDF software library, and another in Blink, Chromium's rendering engine.

Google paid out $14,000 to researchers for their findings, a relatively modest sum after the company paid out nearly $55,000 in January for bugs in Chrome 56, and $38,000 in March for bugs in Chrome 57.

The update came the same day that Mozilla pushed out a new version of its browser, Firefox 53 and Firefox ESR 52.1.

Mozilla fixed six critical bugs with the update, including a pair of out-of-bounds write vulnerabilities, a pair of use-after-free vulnerabilities, a buffer overflow, and an origin confusion. If exploited, all of the bugs, except for the origin confusion flaw, could have resulted in a potentially exploitable crash. The origin confusion, which stemmed from reloading pages with redirects, could have only led to a cross-site scripting (XSS) attack.

Forty-one vulnerabilities were fixed with the update. Counting the nearly two dozen memory safety bugs fixed in the browser and ESR versions 45.9 and 52.1, 64 vulnerabilities were fixed with the update.

Zheng claims the same URL spoofing vulnerability that existed in Chrome also exists in Firefox, but it appears Mozilla is holding off fixing it for now.

Gervase Markham, a software engineer for the Mozilla Foundation, said earlier this week that Firefox users should turn on the browser's Safe Browsing feature to help thwart phishing attacks like the one uncovered by Zheng. Markham, who's also a lead developer of Bugzilla, said that if Mozilla were to start putting restrictions on scripts that happen to look like Latin, such as Cyrillic, it would be "making that script a second-class citizen because not as much can be represented using it."

Zheng's research relies on using Unicode characters, which can represent Cyrillic and Greek alphabets, to mimic Latin letters and in turn trick user's eyes.

"There is no perfect solution to this problem," Markham wrote on Bugzilla Tuesday, "Human languages are messy, inconsistent, and wonderful. Different scripts have letters which clash with each other. If you don't want to be attacked this way, buy a domain in a TLD which doesn't allow it. If your TLD does allow it, lobby your registry. In the mean time, Firefox users have Safe Browsing to protect them from actual phishing attempts, whether they use IDN lookalikes or not."

Mozilla published a FAQ dubbed "IDN Display Algorithm" in response to the bug which Markham says clearly illustrates the organization's stance.

"You may not agree with it, but it's our considered position, so please do not comment further here unless you have new information to add which you genuinely believe has not been considered," Markham wrote.

Zheng is encouraging Firefox users to limit their exposure to the bug by going to the browser's about:config settings and setting network.IDN_show_punycode to true. By doing this Firefox will always display IDN domains in its Punycode form, something that should make it easier to identify malicious domains, the researcher claims.


 


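Added example, not part of the original message or the quoted article: a defensive check that shows the Punycode form of a domain (what network.IDN_show_punycode = true would display) and flags labels built entirely from Cyrillic/Greek letters that render like Latin ones. The LOOKALIKES table, the function names and the sample domains are constructed for illustration, and the heuristic is an assumption of this example, not Chrome's or Firefox's actual display algorithm.

```python
import unicodedata

# Constructed, partial table of Cyrillic/Greek letters that render like Latin
# ones (an assumption of this example; Unicode UTS #39 ships the full data).
LOOKALIKES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0445": "x", "\u0443": "y", "\u0455": "s",
    "\u0456": "i", "\u0458": "j", "\u04cf": "l", "\u03bf": "o",
}
SEVERITY = ["ascii", "idn", "mixed-script", "whole-script-lookalike"]

def script_of(ch):
    """Rough script taken from the Unicode name; ASCII digits and '-' are COMMON."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return "COMMON" if ch.isascii() else "OTHER"

def to_punycode(domain):
    """Per-label ASCII form (simplified: lowercasing only, no full IDNA mapping)."""
    labels = []
    for label in domain.lower().split("."):
        if not label.isascii():
            label = "xn--" + label.encode("punycode").decode("ascii")
        labels.append(label)
    return ".".join(labels)

def assess(domain):
    """Return (verdict, punycode form, Latin skeleton or None)."""
    domain = domain.lower()
    verdict = "ascii"
    for label in domain.split("."):
        if label.isascii():
            continue
        scripts = {script_of(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:
            found = "mixed-script"
        elif all(c in LOOKALIKES or c.isascii() for c in label):
            found = "whole-script-lookalike"
        else:
            found = "idn"  # ordinary IDN label, e.g. a real Cyrillic word
        verdict = max(verdict, found, key=SEVERITY.index)
    skeleton = None
    if verdict == "whole-script-lookalike":
        skeleton = "".join(LOOKALIKES.get(c, c) for c in domain)
    return verdict, to_punycode(domain), skeleton
```

A label such as the Cyrillic word "пример" is reported as a plain "idn", which reflects Markham's concern about not treating a whole script as second-class: only labels whose every letter has a Latin twin are flagged.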