[Neobrahmigp] worth a read - google fixed issues in chrome
Bal Krishna Bal
bkbal at ltk.org.np
Fri Apr 21 16:44:09 UTC 2017
Sure, this is really a crucial issue. Thanks for sharing.
Regards,
Bal Krishna
On Fri, Apr 21, 2017 at 1:23 PM, Udaya Narayana Singh <unsciil51 at gmail.com>
wrote:
> This could be bv very scary if our LGRs are not handled properly.
>
> Regards,
>
> Udaya Narayana Singh
>
> On 21 Apr 2017 13:01, "Dr. AJAY D A T A" <ajay at data.in> wrote:
>
>> Please read this.. Its explaining one of the important reasons,, why we
>> need to have LGR - very important
>> =====================================================================
>>
>> Google fixed a handful of issues when it released the latest version of
>> its browser, Chrome 58, on Wednesday, including a vulnerability that could
>> have made it easier for an attacker to carry out a phishing attack with
>> Unicode domains.
>>
>> The vulnerability, based on Punycode
>> <https://en.wikipedia.org/wiki/Punycode> – a way to represent Unicode
>> with foreign characters – has been making headlines since it was
>> disclosed last Friday <https://www.xudongz.com/blog/2017/idn-phishing/>.
>> Discovered by Chinese researcher Xudong Zheng, the bug relies on tricking
>> Chrome into bringing users to sites that appear legitimate. The sites could
>> then convince victims to enter personal login or financial credentials.
>>
>> Zheng claims he disclosed the bug to Google on January 20 and that it was
>> incorporated into beta builds on March 24, before finally getting fixed on
>> Wednesday.
>>
>> The bug, considered medium severity, was one of 29 issues Google fixed
>> on Wednesday
>> <https://chromereleases.googleblog.com/2017/04/stable-channel-update-for-desktop.html>
>> .
>>
>> Three of the vulnerabilities were marked critical by Google, including a
>> heap use after free in the browser’s Print Preview feature, and a pair of
>> type confusion bugs – one in PDFium, Google’s open source PDF software
>> library, and another in Blink, Chromium’s rendering engine.
>>
>> Google paid out $14,000 to researchers for their findings, a relatively
>> modest sum after the company paid out nearly $55,000 in January
>> <https://threatpost.com/high-severity-chrome-vulnerabilities-earn-researcher-32k-in-rewards/123363/> for
>> bugs in Chrome 56, and $38,000 in March
>> <https://threatpost.com/google-chrome-57-browser-update-patches-high-severity-flaws/124235/> for
>> bugs in Chrome 57.
>>
>> The update came the same day that Mozilla pushed out a new version of its
>> browser, Firefox 53 and Firefox ESR 52.1
>> <https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/>.
>>
>> Mozilla fixed six critical bugs with the update, including a pair of
>> out-of-bounds write vulnerabilities, a pair of use-after-free
>> vulnerabilities, a buffer overflow, and an origin confusion. If exploited,
>> all of the bugs, except for the origin confusion flaw, could have resulted
>> in a potentially exploitable crash. The origin confusion, which stemmed
>> from reloading pages with redirects, could have only led to a cross-site
>> scripting (XSS) attack.
>>
>> Forty-one vulnerabilities were fixed with the update. Counting the nearly
>> two dozen memory safety bugs fixed in the browser and ESR versions 45.9 and
>> 52.1., 64 vulnerabilities were fixed with the update.
>>
>> Zheng claims the same URL spoofing vulnerability that existed in Chrome
>> also exists in Firefox, but it appears Mozilla is holding off fixing it for
>> now.
>>
>> Gervase Markham, a software engineer for the Mozilla Foundation, said
>> earlier this week that Firefox users should turn on the browser’s Safe
>> Browsing feature to help thwart phishing attacks like the one uncovered by
>> Zheng. Markham, who’s also a lead developer of Bugzilla, said that if
>> Mozilla were to start putting restrictions on scripts that happen to look
>> like Latin, such as Cyrillic, it would be “making that script a
>> second-class citizen because not as much can be represented using it.”
>>
>> Zheng’s research relies on using Unicode characters, which can represent
>> Cyrillic and Greek alphabets, to mimic Latin letters and in turn trick
>> user’s eyes.
>>
>> “There is no perfect solution to this problem,” Markham wrote on
>> Bugzilla Tuesday
>> <https://bugzilla.mozilla.org/show_bug.cgi?id=1332714#c78>, “Human
>> languages are messy, inconsistent, and wonderful. Different scripts have
>> letters which clash with each other. If you don’t want to be attacked this
>> way, buy a domain in a TLD which doesn’t allow it. If your TLD does allow
>> it, lobby your registry. In the mean time, Firefox users have Safe Browsing
>> to protect them from actual phishing attempts, whether they use IDN
>> lookalikes or not.”
>>
>> Mozilla published a FAQ <https://wiki.mozilla.org/IDN_Display_Algorithm> dubbed
>> “IDN Display Algorithm” in response to the bug which Markham says clearly
>> illustrates the organization’s stance.
>>
>> “You may not agree with it, but it’s our considered position, so please
>> do not comment further here unless you have new information to add which
>> you genuinely believe has not been considered,” Markham wrote.
>>
>> Zheng is encouraging Firefox users to limit their exposure to the bug by
>> going to the browser’s about:config settings and setting
>> network.IDN_show_punycode to true. By doing this Firefox will always
>> display IDN domains in its Punycode form, something that should make it
>> easier to identify malicious domains, the researcher claims
>>
>>
>>
>> Do not Remove:
>> [HID]20170421130046583[-HID]
>>
>> _______________________________________________
>> Neobrahmigp mailing list
>> Neobrahmigp at icann.org
>> https://mm.icann.org/mailman/listinfo/neobrahmigp
>>
>>
> _______________________________________________
> Neobrahmigp mailing list
> Neobrahmigp at icann.org
> https://mm.icann.org/mailman/listinfo/neobrahmigp
>
>
--
....
Bal Krishna Bal, PhD
Assistant Professor
Lead Researcher
Information and Language Processing Research Lab
Department of Computer Science and Engineering
Kathmandu University
Dhulikhel, Kavre
HomePage: http://ku.edu.np/cse/faculty/bal
Chief Scientist
Language Technology Kendra
Lalitpur, PatanDhoka
http://ltk.org.np
Nepal
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/neobrahmigp/attachments/20170421/b6893865/attachment.html>
More information about the Neobrahmigp
mailing list