Symantec Antivirus Crashed Chrome 78 (zdnet.com) 23
According to the antivirus maker, the issues are only affecting SEP 14 users on Windows 10 RS1, Windows Server 2012, and Windows Server 2016 operating systems. Symantec users on other OS versions can fix this by updating to the latest SEP 14.2 release. Users of Microsoft Edge Chromium are also impacted, but the Chromium-based Edge version has not been officially released; hence there are almost no users impacted by this issue in the real world...
Symantec blamed the issue on Microsoft's Code Integrity security feature, which Google uses to protect the Chrome browser process. As a temporary solution, Symantec recommends that users exclude Chrome from receiving protection from their antivirus product, or modify their Chrome clients, so the browser starts without Code Integrity protections. However, this opens the browser to various attacks and is not recommended as long as users can simply use another browser until this is fixed.
ZDNet adds that the issue "should have not surprised Symantec staff, who received early warnings about this more than three months ago, according to a bug report filed in early August while Chrome 78 was still in testing in the Canary channel."
Microsoft Might Bring Its Edge Browser To Linux (zdnet.com) 93
Chrome, of course, is already available for Linux, so Microsoft should be able to deliver Chromium-based Edge to Linux distributions with minimal fuss.... [I]n June Microsoft Edge developers said there are "no technical blockers to keep us from creating Linux binaries" and that it is "definitely something we'd like to do down the road". Despite Chrome's availability on Linux, the Edge team noted there is still work to be done on the installer, updaters, user sync, and bug fixes, before it could be something to commit to properly.
Slashdot reader think_nix shared a link to the related survey that the Edge team has announced on Twitter. "If you're a dev who depends on Linux for dev, testing, personal browsing, please take a second to fill out this survey."
Attackers Exploit New 0-day Vulnerability Giving Full Control of Android Phones (arstechnica.com) 26
An anonymous reader quotes Ars Technica: Exploits require little or no customization to fully root vulnerable phones. The vulnerability can be exploited two ways: (1) when a target installs an untrusted app or (2) for online attacks, by combining the exploit with a second exploit targeting a vulnerability in code the Chrome browser uses to render content. "The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device," Stone wrote. "If the exploit is delivered via the Web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox...."
Google representatives wrote in an email: "Pixel 3 and 3a devices are not vulnerable to this issue, and Pixel 1 and 2 devices will be protected with the October Security Release, which will be delivered in the coming days. Additionally, a patch has been made available to partners in order to ensure the Android ecosystem is protected against this issue."
The use-after-free vulnerability originally appeared in the Linux kernel and was patched in early 2018 in version 4.14, without the benefit of a tracking CVE. That fix was incorporated into versions 3.18, 4.4, and 4.9 of the Android kernel. For reasons that weren't explained in the post, the patches never made their way into Android security updates.
Chrome Promises 'No More Mixed Messages About HTTPS' (chromium.org) 46
It notes that Chrome users already make HTTPS connections for more than 90% of their browsing time, and "we're now turning our attention to making sure that HTTPS configurations across the web are secure and up-to-date." In a series of steps outlined below, we'll start blocking mixed content (insecure http:// subresources on https:// pages) by default. This change will improve user privacy and security on the web, and present a clearer browser security UX to users...
HTTPS pages commonly suffer from a problem called mixed content, where subresources on the page are loaded insecurely over http://. Browsers block many types of mixed content by default, like scripts and iframes, but images, audio, and video are still allowed to load, which threatens users' privacy and security. For example, an attacker could tamper with a mixed image of a stock chart to mislead investors, or inject a tracking cookie into a mixed resource load. Loading mixed content also leads to a confusing browser security UX, where the page is presented as neither secure nor insecure but somewhere in between. In a series of steps starting in Chrome 79, Chrome will gradually move to blocking all mixed content by default. To minimize breakage, we will autoupgrade mixed resources to https://, so sites will continue to work if their subresources are already available over https://. Users will be able to enable a setting to opt out of mixed content blocking on particular websites...
Starting in December of 2019, Chrome 79 will include a new setting to unblock mixed content on specific sites. "This setting will apply to mixed scripts, iframes, and other types of content that Chrome currently blocks by default..."
Then in Chrome 80, mixed audio and video resources will be autoupgraded to https://, and if they fail to load Chrome will block them by default.
Apple Neutered Ad Blockers In Safari, But Unlike Chrome, Users Didn't Say a Thing (zdnet.com) 94
The reason may have to do with the fact that Apple is known to have a heavy hand in enforcing rules on its App Store, and that developers who generally speak out are usually kicked out. It's either obey or get out. Unlike in Google's case, where Chrome is based on an open-source browser named Chromium and where everyone gets a voice, everything at Apple is a walled garden, with strict rules. Apple was never criticized for effectively "neutering" or "killing ad blockers" in the same way Google has been all this year. In Google's case, the pressure started with extension developers, but it then extended to the public. There was no public pressure on Apple mainly because there aren't really that many Safari users to begin with. With a market share of 3.5%, Safari users aren't even in the same galaxy as Chrome and its 65% market lead.
Furthermore, there is also the problem of public perception. When Apple rolled out a new content blocking feature to replace the old Safari extensions and said it was for everyone's privacy -- as extensions won't be able to access browsing history -- everyone believed it. On the other hand, ads are Google's lifeblood, and when Google announced updates that limited ad blockers, everyone saw it as a secret plan for a big corp to keep its profits intact, rather than an actual security measure, as Google said it was.
Password-Leaking Bug Purged From LastPass Extensions (arstechnica.com) 8
On Friday, LastPass published a post that said the bugs had been fixed and described the "limited set of circumstances" required for the flaws to be exploited. "To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times," LastPass representative Ferenc Kun wrote. "This exploit may result in the last site credentials filled by LastPass to be exposed. We quickly worked to develop a fix and verified the solution was comprehensive with Tavis."
Firefox 69 Ratchets Up Tracking Protection, Switching it On by Default (cnet.com) 31
Microsoft Is Killing EPUB Support In Edge Classic (thurrott.com) 68
Microsoft provides a more grammatically correct explanation for the change on its Microsoft Edge support site, which notes that "Microsoft Edge will no longer support e-books that use the .epub file extension." The site also links to the same terrible Microsoft Store area, but adds that "you can expect to see more added over time as we partner with companies like the DAISY Consortium to add additional, accessible apps... These apps are expected to be available in the Microsoft Store after September 2019." Given that, it's likely that EPUB support will disappear in Edge classic sometime after those apps appear in the Store.
Microsoft's Chromium-Powered Edge Browser Moves Closer To Release With New Beta Build (thurrott.com) 36
Google Plans To Remove All FTP Support From Chrome (mspoweruser.com) 119
In a post (via Techdows), Google today announced its intention to deprecate FTP support starting with Chrome v80. The main issue with FTP right now is security: the protocol doesn't support encryption, which makes it vulnerable, and Google has decided it's no longer feasible to support it.
Chrome and Firefox Changes Spark the End of 'Extended Validation' Certificates (bleepingcomputer.com) 56
In reality, the different types of SSL/TLS certificates all serve a single purpose and that is to encrypt the communication between a browser and web site. Anything extra is seen by many as just a marketing gimmick to charge customers for a more expensive "trustworthy" certificate. In numerous blog posts, security researcher Troy Hunt has stated that EV Certificates will soon be dead as more and more sites switch away from them, because they are much harder to manage due to extra verification times, and because people have come to associate a padlock with a secure site rather than a company name.
With Safari already removing EV Certificate company info from the address bar, most mobile browsers not showing it, and Chrome and Mozilla desktop browsers soon to remove it, Hunt's predictions are coming true. EV Certificates will soon be dead.
AmiMoJo shared this post from Google's Chromium blog: Through our own research as well as a survey of prior academic work, the Chrome Security UX team has determined that the EV UI does not protect users as intended. Users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed, as would be necessary for EV UI to provide meaningful protection. Further, the EV badge takes up valuable screen real estate, can present actively confusing company names in prominent UI, and interferes with Chrome's product direction towards neutral, rather than positive, display for secure connections. Because of these problems and its limited utility, we believe it belongs better in Page Info.
Google's Plans for Chrome Extensions 'Won't Really Help Security', Argues EFF (eff.org) 35
As both security experts and the developers of extensions that will be greatly harmed by Manifest V3, we're here to tell you: Google's statement just isn't true. Manifest V3 is a blunt instrument that will do little to improve security while severely limiting future innovation... The only part of Manifest V3 that goes directly to the heart of stopping DataSpii-like abuses is banning remotely hosted code. You can't ensure extensions are what they appear to be if you give them the ability to download new instructions after they're installed.
But you don't need the rest of Google's proposed API changes to stop this narrow form of bad extension behavior. What Manifest V3 does do is stifle innovation...
The EFF makes the following arguments against Google's proposal:
- Manifest V3 will still allow extensions to observe the same data as before, including what URLs users visit and the contents of pages users visit.
- Manifest V3 won't change anything about how "content scripts" work...another way to extract user browsing data.
- Chrome will still allow users to give extensions permission to run on all sites.
In response Google argued to Forbes that the EFF "fails to account for the proposed changes to how permissions work. It is the combination of these two changes, along with others included in the proposal, that would have prevented or significantly mitigated incidents such as this one."
But the EFF's technology projects director also gave Forbes their response. "We agree that Google isn't killing ad-blockers. But they are killing a wide range of security and privacy enhancing extensions, and so far they haven't justified why that's necessary."
And in the same article, security researcher Sean Wright added that Google's proposed change "appears to do little to prevent rogue extensions from obtaining information from loaded sites, which is certainly a privacy issue and it looks as if the V3 changes don't help."
The EFF suggests Google just do a better job of reviewing extensions.
Google Just Stopped Displaying 'www' and 'https' In Chrome's Address Bar (techrepublic.com) 185
However the announcement provoked a fresh wave of criticism, from those who say the move will confuse users and even potentially make it easier for them to inadvertently connect to fake sites... There are also some who claim Google's motivation in changing how the URL is displayed may be to make it harder for users to tell whether they are on a page hosted on Google's Accelerated Mobile Pages subdomain...
Google says it has also built a Chrome extension that doesn't obfuscate the URL to "help power users recognize suspicious sites and report them to Safe Browsing". Despite the backlash from some online, Chrome isn't the first browser to truncate the URL in this way, with Apple's Safari similarly hiding the full address.
Google Reveals Fistful of Flaws In Apple's iMessage App (bbc.com) 41
Apple's own notes about iOS 12.4 indicate that the unfixed flaw could give hackers a means to crash an app or execute commands of their own on recent iPhones, iPads and iPod Touches if they were able to discover it. Apple has not commented on this specific issue, but has urged users to install the new version of iOS, which addresses Google's other discoveries as well as a further range of glitches and threats. One of the two Google researchers involved - Natalie Silvanovich - intends to share more details of her findings at a presentation at the Black Hat conference in Las Vegas next month.
Chrome 76 Arrives With Flash Blocked By Default (venturebeat.com) 87
In 80 Days, Google Will Require Chrome Extensions To Request 'The Least Amount of Data' (pcmag.com) 40
The risks prompted Google to work toward securing the 180,000+ Chrome extensions on the company's official web store. "We're requiring extensions to only request access to the least amount of data," the company said in a Tuesday blog post. "While this has previously been encouraged of developers, now we're making this a requirement for all extensions."