[Neobrahmigp] worth a read - google fixed issues in chrome

Udaya Narayana Singh unsciil51 at gmail.com
Fri Apr 21 07:38:03 UTC 2017


This could be very scary if our LGRs are not handled properly.

Regards,

Udaya Narayana Singh

On 21 Apr 2017 13:01, "Dr. AJAY D A T A" <ajay at data.in> wrote:

> Please read this. It's explaining one of the important reasons why we
> need to have LGR - very important
> =====================================================================
>
> Google fixed a handful of issues when it released the latest version of
> its browser, Chrome 58, on Wednesday, including a vulnerability that could
> have made it easier for an attacker to carry out a phishing attack with
> Unicode domains.
>
> The vulnerability, based on Punycode
> <https://en.wikipedia.org/wiki/Punycode> – a way to represent Unicode
> with foreign characters – has been making headlines since it was
> disclosed last Friday <https://www.xudongz.com/blog/2017/idn-phishing/>.
> Discovered by Chinese researcher Xudong Zheng, the bug relies on tricking
> Chrome into bringing users to sites that appear legitimate. The sites could
> then convince victims to enter personal login or financial credentials.
>
> Zheng claims he disclosed the bug to Google on January 20 and that it was
> incorporated into beta builds on March 24, before finally getting fixed on
> Wednesday.
>
> The bug, considered medium severity, was one of 29 issues Google fixed on
> Wednesday
> <https://chromereleases.googleblog.com/2017/04/stable-channel-update-for-desktop.html>.
>
> Three of the vulnerabilities were marked critical by Google, including a
> heap use after free in the browser’s Print Preview feature, and a pair of
> type confusion bugs – one in PDFium, Google’s open source PDF software
> library, and another in Blink, Chromium’s rendering engine.
>
> Google paid out $14,000 to researchers for their findings, a relatively
> modest sum after the company paid out nearly $55,000 in January
> <https://threatpost.com/high-severity-chrome-vulnerabilities-earn-researcher-32k-in-rewards/123363/> for
> bugs in Chrome 56, and $38,000 in March
> <https://threatpost.com/google-chrome-57-browser-update-patches-high-severity-flaws/124235/> for
> bugs in Chrome 57.
>
> The update came the same day that Mozilla pushed out a new version of its
> browser, Firefox 53 and Firefox ESR 52.1
> <https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/>.
>
> Mozilla fixed six critical bugs with the update, including a pair of
> out-of-bounds write vulnerabilities, a pair of use-after-free
> vulnerabilities, a buffer overflow, and an origin confusion. If exploited,
> all of the bugs, except for the origin confusion flaw, could have resulted
> in a potentially exploitable crash. The origin confusion, which stemmed
> from reloading pages with redirects, could have only led to a cross-site
> scripting (XSS) attack.
>
> Forty-one vulnerabilities were fixed with the update. Counting the nearly
> two dozen memory safety bugs fixed in the browser and ESR versions 45.9 and
> 52.1, 64 vulnerabilities were fixed with the update.
>
> Zheng claims the same URL spoofing vulnerability that existed in Chrome
> also exists in Firefox, but it appears Mozilla is holding off fixing it for
> now.
>
> Gervase Markham, a software engineer for the Mozilla Foundation, said
> earlier this week that Firefox users should turn on the browser’s Safe
> Browsing feature to help thwart phishing attacks like the one uncovered by
> Zheng. Markham, who’s also a lead developer of Bugzilla, said that if
> Mozilla were to start putting restrictions on scripts that happen to look
> like Latin, such as Cyrillic, it would be “making that script a
> second-class citizen because not as much can be represented using it.”
>
> Zheng’s research relies on using Unicode characters, which can represent
> Cyrillic and Greek alphabets, to mimic Latin letters and in turn trick
> users’ eyes.
>
> “There is no perfect solution to this problem,” Markham wrote on Bugzilla
> Tuesday <https://bugzilla.mozilla.org/show_bug.cgi?id=1332714#c78>,
> “Human languages are messy, inconsistent, and wonderful. Different scripts
> have letters which clash with each other. If you don’t want to be attacked
> this way, buy a domain in a TLD which doesn’t allow it. If your TLD does
> allow it, lobby your registry. In the meantime, Firefox users have Safe
> Browsing to protect them from actual phishing attempts, whether they use
> IDN lookalikes or not.”
>
> Mozilla published a FAQ <https://wiki.mozilla.org/IDN_Display_Algorithm> dubbed
> “IDN Display Algorithm” in response to the bug which Markham says clearly
> illustrates the organization’s stance.
>
> “You may not agree with it, but it’s our considered position, so please do
> not comment further here unless you have new information to add which you
> genuinely believe has not been considered,” Markham wrote.
>
> Zheng is encouraging Firefox users to limit their exposure to the bug by
> going to the browser’s about:config settings and setting
> network.IDN_show_punycode to true. By doing this Firefox will always
> display IDN domains in its Punycode form, something that should make it
> easier to identify malicious domains, the researcher claims.
>
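
As an added example (not part of the original message or the quoted article), the Python below decodes Punycode labels and separates the two lookalike cases the article describes, mixed-script labels and single-script labels built only from Latin lookalikes, from ordinary non-Latin labels. The `LOOKALIKES` map, the helper names and the sample labels are constructed assumptions; a registry would rely on its LGR or the full Unicode confusables data instead.

```python
import unicodedata

# Constructed sample map (assumption, not a full confusables table): a few
# Cyrillic/Greek letters and the Latin letters they resemble.
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0455": "s",
    "\u0456": "i", "\u03bf": "o", "\u03bd": "v",
}

def script_of(ch):
    """Coarse script guess from the Unicode character name (hypothetical helper)."""
    if ch.isdigit() or ch == "-":
        return "COMMON"
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return "OTHER"

def to_unicode(label):
    """Decode one A-label (xn--...) to Unicode; other labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def classify_label(label):
    """Return (verdict, unicode_label, latin_skeleton) for one label."""
    u = to_unicode(label)
    scripts = {script_of(c) for c in u} - {"COMMON"}
    skeleton = "".join(LOOKALIKES.get(c, c) for c in u)
    if len(scripts) > 1:
        return "mixed-script", u, skeleton
    if scripts and scripts != {"LATIN"} and skeleton.isascii():
        # One non-Latin script, yet every letter has a Latin twin in the map.
        return "whole-script-lookalike", u, skeleton
    return "ok", u, skeleton

def check_domain(domain):
    """Classify every label of a domain name."""
    return [classify_label(label) for label in domain.split(".")]

def make_a_label(u):
    """Build the xn-- form of a Unicode label (for the constructed samples)."""
    return "xn--" + u.encode("punycode").decode("ascii")

# Constructed samples: all-Cyrillic lookalike of "coco", mixed Latin/Cyrillic
# "pay", and an ordinary Cyrillic word that must not be flagged.
SAMPLES = [make_a_label(u) + ".example" for u in
           ("\u0441\u043e\u0441\u043e", "p\u0430y", "\u043f\u0440\u0438\u0432\u0435\u0442")]
```

Calling `check_domain(name)` on each entry of `SAMPLES` returns one verdict per label; the ordinary Cyrillic word stays `ok`, which is the distinction Markham's comment turns on.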