Mozilla Fixes Critical Arbitrary Code Execution Flaw in Firefox

Mozilla released an update this week for Firefox 58 that fixes a critical vulnerability which remote attackers can exploit to execute arbitrary code. Johann Hofmann, a developer at Mozilla, discovered that arbitrary code execution is possible due to unsanitized output in the browser UI.

The vulnerability, tracked as CVE-2018-5124, affects Firefox versions 56 through 58 and has been patched with the release of Firefox 58.0.1. Mozilla stated clearly that Firefox for Android and Firefox 52 ESR are not affected. Linux distributions have also begun rolling out updated packages that contain the patch.

“The vulnerability is due to insufficient sanitization of HTML fragments in chrome-privileged documents by the affected software,” Cisco said in an advisory describing this flaw. “An attacker could exploit the vulnerability by persuading a user to access a link or file that submits malicious input to the affected software. A successful exploit could allow the attacker to execute arbitrary code with the privileges of the user. If the user has elevated privileges, the attacker could compromise the system completely.”

Firefox 58, which Mozilla released on January 23, fixes more than thirty vulnerabilities, including a potentially exploitable use-after-free flaw and various memory safety issues that have been rated critical. Firefox 58 also addresses high-severity flaws, including use-after-free, buffer overflow, and integer overflow bugs. A vulnerability that lets WebExtensions bypass user prompts to download and open an arbitrary file has also been rated high severity.

About ten of these security issues were also addressed earlier this month in the Thunderbird email client with version 52.6. Mozilla pointed out that the flaws typically cannot be exploited against Thunderbird using specially crafted emails.

Mozilla runs a bug bounty program for Firefox, and the company claims it has paid out about $1 million to experts who reported vulnerabilities. Researchers can earn between $3,000 and $7,500 for critical and high-severity flaws in Mozilla software, while a novel exploit or form of exploitation can earn more than $10,000. In addition to its software bug bounty program, Mozilla rewards flaws found in its websites and services with up to $5,000. The company states that it has paid out a total of roughly $3 million across its bug bounty programs.

Tracker-Blocking Firefox 58 Arrives With Faster Browsing and Security Patches

Firefox 58 has launched, and the browser builds on the recent overhaul known as Firefox Quantum, version 57 of Mozilla’s browser. Firefox developers point to speed improvements from the new WebAssembly and compiler advances in Firefox 58.

Mozilla has also improved the way Firefox renders graphics, “launching an improved engine that more efficiently paints your screen, using a dedicated CPU thread”, and caches JavaScript to help pages load faster. Meanwhile, Firefox on Android gains support for adding Progressive Web Apps to the home screen so that they behave like native apps. The company is also promoting a reinvigorated Tracking Protection capability. It debuted two years ago in Private Mode, but Firefox 57 allowed users to enable the privacy feature at all times.

Mozilla says tests show that enabling it all the time actually speeds up page loads. It is also available on Firefox for iOS and Android. Firefox’s future still depends heavily on improved performance on mobile platforms, given the relative decline of PCs. Mozilla has tweaked the bookmarking capability of Firefox on Android to make it easier to view, organize, and create new folders, and to move bookmarks into different folders.

Firefox on Android now shows a house-shaped button in the address bar when users visit a website that is a Progressive Web App (PWA). Tapping the house button adds the app to the home screen. Mozilla has posted a short video demo of the ‘Add to Home Screen’ feature on YouTube. The home screen icons show a small Firefox badge in the bottom right corner. Once opened, each PWA appears as a distinct entry in the app switcher. Following the recent Firefox updates for two variants of the widespread Meltdown and Spectre flaws, Firefox 58 addresses an additional 32 vulnerabilities, including four critical, 13 high, 13 moderate, and three low-severity bugs.

One of the critical bugs can surface during a WebRTC connection to systems that use DTMF (Dual-Tone Multi-Frequency) signals. DTMF signals were used in ‘touch tone’ phones so that different tones represent the buttons on a keypad. Computers can use DTMF in the context of WebRTC, for example when sending a command to a teleconferencing system. The bug results in a potentially exploitable crash.

Mozilla developers also identified a set of memory safety bugs in Firefox 57 that showed evidence of memory corruption and could, with enough effort, be exploited to run arbitrary code. The Firefox ESR 52.6 release includes patches for 11 of the bugs patched in Firefox 58, including the critical WebRTC flaw and the critical memory safety bugs.

Mozilla Announces: ‘Web-Exposed’ Features Require ‘Secure Contexts’

Mozilla has committed to further locking down the Internet with the announcement that developers can only access new Firefox features from what it calls “secure contexts”. The decision means that websites wanting to fingerprint or snoop on users with Web features will still be able to, but only over HTTPS. Outside snoops will thus be excluded.

The announcement was made a few days ago in a blog post published by Mozilla developer Anne van Kesteren. While HTTPS has become a near-default for serious websites, developers sometimes leave “bells-and-whistles” features on HTTP; even moving all the images a site serves from a separate server can be a challenge.

However, Mozilla has a long-standing push to drop HTTP wherever possible, so “all new features that are web-exposed are to be restricted to secure contexts”.

The announcement means that in the Mozilla environment, a set of W3C APIs can’t be accessed over an unprotected connection. According to Sophos, the features and APIs include geolocation (blocked since last year), Bluetooth, HTTP/2, Web notifications, webcam and microphone access, Google’s Brotli compression and Accelerated Mobile Pages, encrypted media extensions, the Payment Request API, and various “service workers” used in background sync and notifications.

Van Kesteren wrote that the test for which features and APIs needed secure contexts is that they’re Web-exposed: “Web-exposed means that the feature is observable from a web page or server, whether through JavaScript, CSS, HTTP, media formats, etc. A feature can be anything from an extension of an existing IDL-defined object, a new CSS property, a new HTTP response header, to bigger features such as WebVR.

“In contrast, a new CSS colour keyword would likely not be restricted to secure contexts.”

El Reg notes that some of the interfaces pose risks even if they’re only used over encrypted links. The Bluetooth API has been criticised as invasive, and last year privacy researcher Lukasz Olejnik identified worrying information leaks in the Web Payments API.

Malicious Chrome Extensions Affected Over Half a Million Users

According to a report by ICEBRG, four malicious Chrome extensions affected more than half a million users around the world, including employees of major organizations. The extensions were probably used to conduct click fraud and/or search engine optimization (SEO) manipulation, but they could also have been used by attackers to gain access to corporate networks and user information, the security company warns.

ICEBRG says the malicious extensions were discovered after it detected an unusual spike in outbound traffic volume from a customer workstation to a European VPS provider. The HTTP traffic was associated with the domain ‘change-request[.]info’ and was generated by a Chrome extension named Change HTTP Request Header. While the extension itself does not contain “any overtly malicious code,” the researchers found the combination of “two items of concern that” could result in the injection and execution of arbitrary JavaScript code via the extension.

Chrome can execute JavaScript code contained within JSON but, due to security concerns, extensions aren’t allowed to retrieve JSON from an external source and must explicitly request its use via the Content Security Policy (CSP). Once that permission is granted, however, the extension can retrieve and process JSON from an externally controlled server, which lets extension authors inject and execute arbitrary JavaScript code when the update server receives a request.
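An added example, not taken from ICEBRG's report or the original article: a small Node.js audit that flags extension manifests whose CSP relaxation makes the pattern described above possible. It assumes the relaxation in question is the CSP keyword `'unsafe-eval'` and a Manifest V2 layout; the sample manifests and the finding names are constructed for illustration.

```javascript
// Split a CSP string into { directive: [source, ...] }.
function parseCsp(csp) {
  const policy = {};
  for (const part of String(csp).split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // CSP ignores repeated directives, so keep the first occurrence only.
    if (name && !(name.toLowerCase() in policy)) {
      policy[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
    }
  }
  return policy;
}

function auditManifest(manifest) {
  // Assumption: Manifest V2, where the CSP is one string and this is the default.
  const csp = manifest.content_security_policy || "script-src 'self'; object-src 'self'";
  const policy = parseCsp(csp);
  const scriptSrc = policy['script-src'] || policy['default-src'] || [];
  const allowsEval = scriptSrc.includes("'unsafe-eval'");
  const remoteScriptHosts = scriptSrc.filter((s) => /^(https?:|wss?:|\*)/.test(s));
  // Host permissions are URL match patterns mixed into "permissions".
  const hostPermissions = (manifest.permissions || [])
    .filter((p) => p === '<all_urls>' || /^(\*|https?|wss?):\/\//i.test(p));

  const findings = [];
  if (allowsEval) findings.push('csp-allows-eval');
  if (remoteScriptHosts.length) findings.push('csp-remote-script-source');
  // Eval plus network reach: fetched data can be turned into running code.
  if (allowsEval && hostPermissions.length) findings.push('eval-plus-remote-fetch');
  return { name: manifest.name, findings, hostPermissions };
}

// Constructed manifests for illustration; neither is a real extension's file.
const SAMPLE_MANIFESTS = [
  { name: 'constructed-benign', manifest_version: 2, permissions: ['storage'] },
  {
    name: 'constructed-risky',
    manifest_version: 2,
    permissions: ['webRequest', 'http://*/*', 'https://*/*'],
    content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
  },
];

function auditAll(manifests = SAMPLE_MANIFESTS) {
  return manifests.map(auditManifest);
}

console.log(JSON.stringify(auditAll(), null, 2));
```

A finding here is a reason to review what the extension fetches and evaluates, not proof of malicious behaviour.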

The ICEBRG researchers found that the Change HTTP Request Header extension could download obfuscated JSON files from ‘change-request[.]info’ via an ‘update_presets()’ function. The obfuscated code was observed checking for native Chrome debugging tools and halting execution of the infected segment if such tools were detected. After injection, the malicious JavaScript creates a WebSocket tunnel with ‘change-request[.]info’ and uses it to proxy browsing traffic via the user’s browser.

“During the time of observation, the threat actor utilized this capability exclusively for visiting advertising related domains indicating a potential click fraud campaign was ongoing. Click fraud campaigns enable a malicious party to earn revenue by forcing victim systems to visit advertising sites that pay per click (PPC),” ICEBRG reports.

The capability, however, can also be used by the attacker to browse internal sites of victim networks, thereby effectively bypassing perimeter controls. The security researchers also found that Change HTTP Request Header wasn’t the only Chrome extension designed to work this way. Nyoogle – Custom Logo for Google, Lite Bookmarks, and Stickies – Chrome’s Post-it Notes exhibit similar tactics, techniques, and procedures (TTPs) and share the same command and control (C&C). The Stickies extension was also observed using a different code injection pathway, but injecting JavaScript code nearly identical to that of the other malicious extensions. It appears that the extension has a history of malicious behaviour, as it was observed in early 2017 to be using the new code injection technique following an update.

“The inherent trust of third-party Google extensions, and accepted risk of user control over these extensions, allowed an expansive fraud campaign to succeed. In the hands of a sophisticated threat actor, the same tool and technique could have enabled a beachhead into target networks,” ICEBRG notes.

Given the total installed user base of these malicious Chrome extensions, the threat actor behind them has a substantial pool of resources to use for financial gain. Google, the National Cyber Security Centre of The Netherlands (NCSC-NL), the United States Computer Emergency Readiness Team (US-CERT), and customers who were directly affected have been alerted to the issue.

Tor Browser Flaw Can Leak Your Real IP Address

The Tor Project has issued an emergency security fix for a critical vulnerability in Tor Browser that can leak users’ IP addresses when they visit certain kinds of addresses. The flaw was reported by Filippo Cavallarin, CEO of the security firm We Are Segment, and has been dubbed TorMoil.

About the Vulnerability

Because the fix is only temporary, We Are Segment has not disclosed the full details of the exploit. The bug is present only in the macOS and Linux versions of the browser. The firm has said that once a proper fix for the flaw is in place, the details will be shared with all users. Users on the alpha channel are advised to upgrade at once to version 7.0.9 or 7.5a7.

“Due to a Firefox bug in handling file:// URLs it is possible on both systems that users leak their IP address. Once an affected user navigates to a specially crafted web page, the operating system may directly connect to the remote host, bypassing Tor Browser,” the ethical hacking company explained, and said that they will refrain from disclosing the exploit and more details about the flaw until a proper fix is put in place.

The fixes included in the above-mentioned versions of Tor Browser for macOS and Linux are a temporary workaround.

“The bug got reported to us on Thursday, October 26, by Filippo Cavallarin. We created a workaround with the help of Mozilla engineers on the next day which, alas, fixed the leak only partially. We developed an additional fix on Tuesday, October 31, plugging all known holes,” Tor Browser developers noted.

The fixes are only temporary, are expected to be superseded soon, and break some of the browser's functionality.

As the developers noted, “navigating file:// URLs in the browser might not work as expected anymore,” and users will have to drag the link into the URL bar or on a tab to make it work.

They also say they are not aware of this vulnerability being exploited in the wild. Even so, it should not be ignored: users on Linux and macOS should upgrade their browsers to version 7.0.9 or 7.5a7. The Windows version of Tor Browser is not affected by the vulnerability, nor are the Sandboxed Tor Browser or Tails.

The Tor Project

The Tor Project introduced the next generation of its onion service system last week. It will, in due time, supersede the legacy system entirely.

“The new system is a well needed improvement that fixes many shortcomings of the old design, and builds a solid foundation for future onion work,” the developers noted. “On the cryptography side, we are looking at cutting-edge crypto algorithms and improved authentication schemes. On the protocol end, we redesigned the directory system to defend against info leaks and reduce the overall attack surface. Now, from an engineer’s perspective, the new protocol is way more extensible and features a cleaner codebase. And finally from the casual user’s PoV, the only thing that changes is that new onions are bigger, tastier and they now look like this: 7fa6xlti5joarlmkuhjaifa47ukgcwz6tfndgax45ocyn4rixm632jid.onion.”

The Upcoming Firefox Version Will Block Canvas Fingerprinting

Mozilla has decided to block canvas fingerprinting in an upcoming version of the Firefox browser, borrowing another feature from Tor Browser. Firefox 58 will block attempts to fingerprint users through the HTML5 canvas element. Firefox offers its users privacy protections, and canvas fingerprinting has long been used by the marketing and advertising industry to track users.

Browser Fingerprinting

Browser fingerprinting is a tracking technique that websites use as an alternative to browser cookies. It lets web analytics services recognise users and follow their online activity. There are many browser fingerprinting techniques; the one Mozilla is addressing is canvas fingerprinting, which works by using the HTML5 canvas element.

It works like this. When a user visits a website, the site instructs the browser to render hidden text or a graphic on a hidden canvas element. The result is then extracted, and a hash of it becomes the browser's fingerprint. That fingerprint is shared among advertising partners and used to recognise the user when they visit affiliated websites. In this way a profile of the user's browsing habits is built up and used for targeted advertising.

Canvas fingerprinting works because every browser and machine has its own particular hardware and software configuration. Rendering the website's request therefore produces slightly different results, yielding different and potentially unique fingerprints. Some browser fingerprinting attempts can be blocked with add-ons such as Privacy Badger or DoNotTrackMe, in combination with ad-blocker lists.

Modification of Firefox

Firefox will become the first major browser to act against this widespread online tracking method. The change will require websites to prompt users for permission before they can extract canvas data. The feature arrives more than four years after Tor Browser introduced an option that lets users block canvas fingerprinting. It is the result of an ongoing effort to bring Tor Browser's privacy and security patches into Firefox.
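To make the permission gate concrete, here is an added page-script illustration (not Firefox's or Tor Browser's implementation) that wraps the canvas readback methods so pixel data is only returned once a permission check passes. The function and variable names are hypothetical, and a constructed stand-in object replaces `HTMLCanvasElement.prototype` so the example also runs under Node.

```javascript
// Returned when readback is refused. "data:," is what toDataURL() yields
// for an empty canvas, so it carries no device-specific pixels.
const BLANK_DATA_URL = 'data:,';

// Wrap the readback methods on `proto` (HTMLCanvasElement.prototype in a page).
// isAllowed(name) decides; onBlocked(name) is where a prompt or log would go.
function gateCanvasReadback(proto, isAllowed, onBlocked) {
  const originals = {};
  for (const name of ['toDataURL', 'toBlob']) {
    const original = proto[name];
    if (typeof original !== 'function') continue;
    originals[name] = original;
    proto[name] = function (...args) {
      if (isAllowed(name)) return original.apply(this, args);
      onBlocked(name);
      if (name === 'toBlob') {
        // toBlob reports through a callback; hand it no blob, asynchronously.
        if (typeof args[0] === 'function') setTimeout(() => args[0](null), 0);
        return undefined;
      }
      return BLANK_DATA_URL;
    };
  }
  // Returns a function that restores the original methods.
  return () => Object.assign(proto, originals);
}

// Constructed stand-in for a canvas whose rendering differs per machine.
function demo() {
  const fakeCanvasProto = {
    toDataURL() { return 'data:image/png;base64,MACHINE-SPECIFIC-PIXELS'; },
  };
  const blocked = [];
  let granted = false;
  const restore = gateCanvasReadback(
    fakeCanvasProto, () => granted, (name) => blocked.push(name));

  const beforeGrant = fakeCanvasProto.toDataURL(); // same value for every visitor
  granted = true;                                  // user accepted the prompt
  const afterGrant = fakeCanvasProto.toDataURL();  // real pixels only after consent
  restore();
  return { beforeGrant, afterGrant, blocked };
}

console.log(demo());
```

Because every denied caller receives the same constant, the hash a fingerprinting script computes from it no longer distinguishes one browser from another.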

Mozilla has a history of efforts to prevent online tracking of users. Firefox 52 stopped allowing websites to access the Battery Status API, which exposes information about the device used by the visitor, and also added protection against font fingerprinting. Firefox 58 will be released in January 2018, and another change set to arrive with it is the removal of the WoSign and StartCom root certificates from Mozilla’s root store.

A discussion is also ongoing about whether Firefox should continue to trust certificates signed by the Staat der Nederlanden Root CA, the Dutch national CA. The discussion follows a new law that would allow intelligence and security services to intercept internet traffic and to use false keys in third-party systems to gain access to systems and data.