News

Web Browser Security

• December 13, 2019 13 Dec'19

  Google expands multiple Chrome password protection features

  Chrome's updated, built-in protections are intended to help users protect their passwords and data against malware, data breaches and phishing sites, according to the company.

• November 07, 2019 07 Nov'19

  SSL certificate abuse drives growing number of phishing attacks

  Phishing attacks against the United Nations and humanitarian organizations show how threat actors are weaponizing valid SSL certificates and how hard it is to stop the abuse.

• November 06, 2019 06 Nov'19

  Firefox bug is enabling attackers to freeze out users

  A recently reported bug in Firefox allows spammed authentication dialogs to lock users out of their browsers and it is under attack in the wild, despite previous efforts to patch.

• September 20, 2019 20 Sep'19

  Sinkholed Magecart domains resurrected for advertising schemes

  Security vendor RiskIQ discovered several old Magecart domains that had been sinkholed were re-registered under new owners and are now engaged in fraudulent advertising activity.

• July 17, 2019 17 Jul'19

  E-commerce platforms used for domain spoofing against Best Buy

  Despite efforts to flag spoofed domains imitating Best Buy, the sites are still active on e-commerce platforms like Shopify and GearLaunch, which have not taken them down.

• April 30, 2019 30 Apr'19

  Inside 'Master134': Propeller Ads connected to malvertising campaign

  A SearchSecurity investigation determined ad network Propeller Ads played a significant role in the early stages of the Master134 malvertising campaign.

• April 30, 2019 30 Apr'19

  Inside 'Master134': ExoClick tied to previous malvertising campaigns

  Online ad network ExoClick denied any involvement in the Master134 campaign, but the company has ties to similar malvertising threats.

• April 30, 2019 30 Apr'19

  'Master134' malvertising campaign raises questions for online ad firms

  Malvertising and adware schemes are a growing concern for enterprises. Our deep investigation into one campaign reveals just how complicated threats can be to stop.

• April 30, 2019 30 Apr'19

  Inside the 'Master134' malvertising campaign

  This six-part series examines the unique malvertising campaign known as Master134 and the role that various digital advertising networks played in the threat.

• April 30, 2019 30 Apr'19

  Inside 'Master134': Adsterra's history shows red flags, abuses

  Adsterra denied it was involved in the Master134 malvertising campaign, but a review of the company's history reveals many red flags, including activity in a similar campaign.

• April 30, 2019 30 Apr'19

  Inside 'Master134': Ad networks' 'blind eye' threatens enterprises

  Online ad networks linked to the Master134 malvertising campaign and other malicious activity often evade serious fallout and continue to operate unabated.

• April 30, 2019 30 Apr'19

  Inside 'Master134': More ad networks tied to malvertising campaign

  Check Point's report on the Master134 malvertising campaign implicated five ad networks, but a SearchSecurity investigation revealed more companies were involved.

• February 01, 2019 01 Feb'19

  Google planning warnings for lookalike URLs in Chrome

  Google is planning to add warnings on lookalike URLs in an ongoing effort to ensure internet users experience useful and clear warnings while using the Chrome browser.

• December 21, 2018 21 Dec'18

  Microsoft patches Internet Explorer zero-day bug under attack

  News roundup: Microsoft issues an emergency patch for an Internet Explorer bug exploited in the wild. Plus, authorities indict three individuals for 'stresser' services, and more.

• October 12, 2018 12 Oct'18

  Mozilla delays distrust of Symantec TLS certificates, Google doesn't

  Mozilla delays plans to distrust Symantec TLS certificates in Firefox because despite more than one year's notice, approximately 13,000 websites still use the insecure certificates.

• September 26, 2018 26 Sep'18

  Controversial Chrome login feature to be partially rolled back

  Google will modify the next version of Chrome in an attempt to appease critics of the browser's cookie retention functionality and automatic Chrome login feature.

• September 26, 2018 26 Sep'18

  Browser Reaper POC exploit crashes Mozilla Firefox

  A security researcher developed a proof-of-concept attack on Firefox, called Browser Reaper, which can crash or freeze the browser. But he gave Mozilla short notice of the flaw.

• September 25, 2018 25 Sep'18

  Google Chrome sign-in changes cause confusion and concern

  Google Chrome sign-in changes are being criticized by experts, and poor communication from Google has led to more confusion about user privacy and consent.

• August 16, 2018 16 Aug'18

  Finalized TLS 1.3 update has been published at last

  The finalized TLS 1.3 update has been published after a four-year process. The new protocol promises to be faster and more secure than its predecessor, TLS 1.2.

• July 13, 2018 13 Jul'18

  Chrome site isolation arrives to mitigate Spectre attacks

  In an effort to mitigate the risk of Spectre attacks, Google Chrome site isolation has been enabled for 99% of browser users to minimize the data that could be gleaned by an attacker.

• July 09, 2018 09 Jul'18

  How did an old, unpatched Firefox bug expose master passwords?

  A Firefox bug went undetected for nine years. Expert Michael Cobb explains how it enabled attackers to access the browser's master password and what's being done to mitigate it.

• June 29, 2018 29 Jun'18

  WebAssembly updates may cancel out Meltdown and Spectre fixes

  News roundup: Upcoming WebAssembly updates may undo the Meltdown and Spectre mitigations. Plus, FireEye denied claims it 'hacked back' China, and more.

• June 08, 2018 08 Jun'18

  Apple plans to disable Facebook web tracking capabilities

  News roundup: Apple wants to protect its users from Facebook web tracking with the next version of Safari. Plus, genealogy website MyHeritage suffers data breach, and more.

• March 27, 2018 27 Mar'18

  TLS 1.3 update is finalized with encryption upgrade

  The IETF approves the TLS 1.3 encryption protocol upgrade after four years and 28 versions; improvements include better security and performance, as well as middlebox support.

• March 21, 2018 21 Mar'18

  Firefox bug exposes passwords to brute force -- for nine years

  A Firefox bug exposing the browser's master password to a simple brute force attack against inadequate SHA-1 hashing is still on the books after nearly nine years.

• February 27, 2018 27 Feb'18

  Ad network cryptojacking attack bypasses ad blockers

  Qihoo 360's Netlab team discovered an online ad network has been bypassing ad blockers and running cryptomining software in the browsers of unsuspecting visitors.

• February 21, 2018 21 Feb'18

  Google discloses Microsoft Edge vulnerability without a patch

  Google's Project Zero publicly published an Edge browser vulnerability after the 90-day disclosure deadline expired, and Microsoft has yet to patch the flaw.

• February 07, 2018 07 Feb'18

  Grammarly vulnerability exposed user documents

  A Grammarly vulnerability in its browser extension authentication could have exposed users' sensitive documents if the popular spelling and grammar checker were left unpatched.

• December 29, 2017 29 Dec'17

  Browser login managers allow tracking scripts to steal credentials

  News roundup: Login managers enable the exposure of user credentials in over 1,000 websites. Plus, Mozilla patched a critical vulnerability in Thunderbird, and more.

• December 19, 2017 19 Dec'17

  Flawed Keeper password manager preinstalled on Windows 10

  Google Project Zero's Tavis Ormandy discovered a flaw in the Keeper password manager browser extension that could allow attackers to steal credentials.

• November 03, 2017 03 Nov'17

  Certificate authority business undergoes major changes

  News roundup: Comodo and Symantec sales signal important changes in the certificate authority business. Plus, an Oracle vulnerability gets a CVSS score of 10.0, and more.

• August 18, 2017 18 Aug'17

  Hijacked Chrome extensions infect millions of users

  News roundup: Hackers leveraged eight hijacked Chrome extensions to attack 4.8 million browser users. Plus, Cloudflare stopped protecting a neo-Nazi website from DDoS attacks, and more.

• August 03, 2017 03 Aug'17

  Symantec Website Security, certificate authority business sold to DigiCert

  DigiCert agrees to buy majority stake in Symantec Website Security just days after Google releases an April 2018 distrust date for Symantec certificates.

• July 20, 2017 20 Jul'17

  Industry reacts to Symantec certificate authority trust remediation

  As the Symantec certificate authority scrambles to transition its certificate-issuance operations to a subordinate certificate authority, the CA industry sharpens its knives.

• July 19, 2017 19 Jul'17

  Symantec agrees to transfer certificate issuance to third party

  Symantec has agreed to a plan that would transfer its certificate issuance and validation operations to as-yet-unnamed third-party partner starting Dec. 1.

• July 13, 2017 13 Jul'17

  Symantec certificate authority business reportedly for sale

  As Google and Mozilla prepare plans to reduce trust for Symantec's certificate authority, the antivirus vendor is reported to be seeking a buyer for its web certificate business.

• July 10, 2017 10 Jul'17

  WoSign CA certificates get end-of-trust date in Chrome

  Google to distrust all WoSign CA certificates in Chrome starting in September, as the troubled certificate authority passed a key audit and is seeking a new CEO to help return trust.

• June 14, 2017 14 Jun'17

  Symantec CA remediation plan faces more delays

  The battle over Symantec CA operations continues as the antivirus vendor pushes back against a consensus remediation proposal from the web browser community.

• May 05, 2017 05 May'17

  TLS client authentication ensures secure IoT connection

  The TLS client authentication protocol has been part of the security standard for years, but it's just now coming into its own in certifying secure IoT connections.

• May 02, 2017 02 May'17

  Mozilla: Symantec certificate remediation plan not enough

  Mozilla reviews the counterproposal from Symantec and urges the CA giant to opt for Google's recommendation to outsource its certificate activities.

• April 25, 2017 25 Apr'17

  Symantec certificate authority issues, answered

  Google and Mozilla weigh the proper response to Symantec certificate authority issues, as the CA giant prepares an alternative proposal for reinstating trust.

• April 12, 2017 12 Apr'17

  Symantec CA woes debated by browser community

  Compliance with CA/B Forum Baseline Requirements was debated after Symantec CA posted responses to 14 issues raised by Mozilla developers.

• March 31, 2017 31 Mar'17

  HTTPS traffic has yet to surpass HTTP traffic, Fortinet study shows

  News roundup: HTTPS traffic has yet to surge, despite its security benefits, according to a report. Plus, the latest in the Apple extortion; a Mirai attack lasted 54 hours; and more.

• March 29, 2017 29 Mar'17

  Potential SSL API flaw could reveal private keys

  A researcher claims to have found Symantec SSL API issues with extremely dangerous consequences, but a lack of evidence causes confusion.

• March 24, 2017 24 Mar'17

  Google considers options on Symantec certificate authority 'failures'

  Symantec certificate authority cries foul, as Google considers severe options following the company allegedly misissuing as many as 30,000 digital certificates.

• March 23, 2017 23 Mar'17

  DV certificates abused, but policing may not be possible

  Research shows DV certificates can be a prime target for phishing and malware operators, but experts are unsure how certificate authorities should deal with the issue.

• March 06, 2017 06 Mar'17

  FBI chooses to protect Tor vulnerability and dismiss child porn case

  The Department of Justice dropped a child pornography case in order to avoid disclosing a Tor vulnerability; dozens more cases potentially affected.

• February 28, 2017 28 Feb'17

  Edge and IE vulnerability disclosed by Project Zero

  Google Project Zero's 90-day disclosure policy bites Microsoft again, as a zero-day Edge and IE vulnerability is made public before a patch is available.

• January 25, 2017 25 Jan'17

  Project Zero finds Cisco WebEx vulnerability in browser extensions

  A critical Cisco WebEx vulnerability in the service's browser extensions was discovered and patched, though some disagree the patch goes far enough to protect against attack.

• December 16, 2016 16 Dec'16

  Google and Microsoft herald death of Flash with default browser blocks

  Microsoft followed Google's lead in promising to block Flash Player content by default in some situations and experts say the moves should expedite the death of Flash.

• December 16, 2016 16 Dec'16

  Vulnerable websites make up half of the internet's top sites

  News roundup: A report finds nearly half the internet is filled with vulnerable websites. Plus, SWIFT confirms more hacks, Amit Yoran steps down from RSA and more.

• December 14, 2016 14 Dec'16

  Facebook Certificate Transparency Monitoring tool will help secure web

  A new Certificate Transparency Monitoring tool from Facebook may help webmasters track and vet TLS certificates, as well as improve integrity and security for HTTPS traffic.

• December 07, 2016 07 Dec'16

  Exploit kit delivered via malvertising targets unpatched systems

  A malvertising campaign could put millions at risk of attack as the Stegano exploit kit is being delivered by this new method and is targeting unpatched systems.

• November 21, 2016 21 Nov'16

  Sunset for SHA-1 certificates, as Google firms up plans for deprecation

  As the internet prepares for deprecation of the obsolete secure hashing algorithm, Google and other browser companies prepare to drop support for SHA-1 certificates.

• October 31, 2016 31 Oct'16

  Mandatory certificate transparency for Chrome trust starts Oct 2017

  Certificate transparency compliance will be mandatory for publicly trusted website certificates in order to be considered secure by Google's Chrome browser.

• October 28, 2016 28 Oct'16

  Mozilla drops WoSign as trusted certificate authority, adopts TLS 1.3

  Mozilla boots WoSign as a trusted certificate authority for backdating SHA-1 certs and other controversial behavior, and it prepares to add default support for TLS 1.3 in 2017.

• October 21, 2016 21 Oct'16

  Mozilla set to dump SHA-1 certificates by early 2017

  Roundup: Firefox browser will reject SHA-1 certificates as soon as Mozilla announces further details relating to the deprecation of the outdated algorithm; plus, Oracle patches and more.

• October 14, 2016 14 Oct'16

  Certificate revocation list error strands sites signed by GlobalSign

  Attempting to tidy its root certificates, a mis-issued GlobalSign certificate revocation list left website owners scrambling to address cert errors, restore safe browsing icons.

• September 09, 2016 09 Sep'16

  Google to tweak Chrome browser security in 2017, flag HTTP as insecure

  Google's campaign to encrypt the web continues, as Chrome browser security will flag any sites using HTTP for passwords or payment info as insecure, starting in 2017.

• August 09, 2016 09 Aug'16

  Browser vulnerabilities, Office flaws lead August 2016 Patch Tuesday

  Microsoft's August 2016 Patch Tuesday focuses on critical browser vulnerabilities in Edge and Internet Explorer, as well as flaws with Microsoft Office and PDF Library.

• May 13, 2016 13 May'16

  FBI asked for responsible disclosure of Tor vulnerability

  A court filing is asking the FBI for responsible disclosure of the Tor vulnerability used to exploit the Tor browser and de-anonymize users during a criminal investigation.

• January 28, 2016 28 Jan'16

  Oracle closing an attack vector by deprecating the Java browser plug-in

  Oracle announced plans to deprecate the Java browser plug-in, a noted attack vector, though the choice was not entirely its own.

• January 08, 2016 08 Jan'16

  Warning: Internet Explorer end of life for 8, 9 and 10 on Tuesday

  Internet Explorer end of life is on the way for three versions of Microsoft's Web browser, and enterprises need to understand which versions of Windows will still be supported.

• January 07, 2016 07 Jan'16

  MD5 vulnerability renews calls for faster SHA-256 transition

  Researchers have found a new way to exploit an MD5 vulnerability to put users at risk, and experts say this is all the more reason to move faster in transitioning to SHA-256.

• December 14, 2015 14 Dec'15

  Symantec asks browser makers to distrust one of its root certificates

  Symantec announced it will retire one of its root certificates because it was based on older security, and Google made sure users knew the risks.

• October 19, 2015 19 Oct'15

  Adobe patches Flash zero-day used in foreign ministry attacks

  Adobe has released an emergency patch for Flash zero-day vulnerabilities that have been exploited in the wild in attacks on foreign affairs ministries.

• September 22, 2015 22 Sep'15

  Certificate Transparency catches bad digital certificates from Symantec

  Symantec testers created unauthorized Extended Validation certificates, but the bad certificates were caught by the Certificate Transparency log.

• September 18, 2015 18 Sep'15

  Cisco router malware in the wild more widespread than first believed

  News roundup: Additional research shows a Cisco router implant affects more devices than originally reported. Plus: Let's Encrypt's first cert issued; Tor in the library; the mitigated (but not fixed) iOS AirDrop vulnerability.

• July 31, 2015 31 Jul'15

  Tor anonymity called into question as alternative browser surfaces

  News roundup: New threats add to the Tor anonymity debate, as a new browser aims to take anonymous browsing to the next level. Plus: Android security outlook is bad -- or is it? Also, another Xen host escape flaw and Wassenaar revisions put on hold.

• July 02, 2015 02 Jul'15

  Why Web browser security is a goldmine for attackers

  Video: Robert 'RSnake' Hansen of WhiteHat Security discusses Web browser security, third-party software vulnerabilities and the sad state of browser security throughout the industry.

• June 09, 2015 09 Jun'15

  June 2015 Patch Tuesday brings critical IE security fix, Flash update

  Microsoft's June 2015 Patch Tuesday features eight bulletins, including a critical update for Internet Explorer and Windows Media Player. Plus: Adobe releases fix for 13 Flash vulnerabilities.

• June 05, 2015 05 Jun'15

  Facebook, Google, Mozilla raise the bar with new user privacy controls

  News roundup: New settings and options to boost user privacy and security are emerging on major websites, but is it enough?

• May 22, 2015 22 May'15

  2015 DDoS attacks on the rise, attackers shift tactics

  News roundup: New research highlights the changing nature of DDoS attack frequency and methodology. Plus: New malware strains double in second half of 2014; two new address bar spoofing vulnerabilities.

• May 20, 2015 20 May'15

  Google changes Chrome extension policy amid security concerns

  Google's new Chrome extension policy mandates that all users and developers must install web browser extensions from the Chrome Web Store.

• May 15, 2015 15 May'15

  Will Microsoft Edge security features make up for past sins?

  News roundup: Microsoft released security details of its new Edge browser, but is enough to restore user confidence? Plus: Millennial security threats; new ransomware, GPU-based malware; black hat cybersecurity services.

• May 07, 2015 07 May'15

  Inside the WhiteHat Aviator Web browser controversy

  Robert 'Rsnake' Hansen of WhiteHat Security discusses the Aviator Web browser, why Google lashed out against it, the challenges of browser security and lessons learned for developing secure software.

• April 24, 2015 24 Apr'15

  Insecure SSL coding could lead to Android man-in-the-middle attacks

  Researchers have found thousands of apps that feature insecure coding practices in implementing SSL protocols, which could lead to Android man-in-the-middle attacks.

• April 10, 2015 10 Apr'15

  Chrome security under fire from third-party extension

  Security researchers say Webpage Screenshot, a popular third-party extension for Google Chrome, was secretly collecting end-user browsing data. Its true purpose and how Google missed it remain up for debate.

• March 25, 2015 25 Mar'15

  Major browser makers revoke unauthorized Chinese TLS certificates

  Google, Microsoft, and Mozilla have revoked unauthorized TLS certificates issued by an intermediate certificate authority that could have been used in man-in-the-middle attacks.

• March 05, 2015 05 Mar'15

  Microsoft confirms Windows vulnerable to FREAK attack

  The serious HTTPS FREAK exploit was thought to only affect Android, iOS, and MacOS, but Microsoft has confirmed that it also affects all supported versions of Windows.

• February 20, 2015 20 Feb'15

  Maintaining vendor trust proves tough for Lenovo, Microsoft

  News roundup: Amid hidden add-ons, discontinued services and walled gardens, vendor trust proves elusive for several high-profile tech firms. Plus: Evidence ties North Korea to Sony Pictures hack; card brands boost cybersecurity; and cookies that ...

• February 20, 2015 20 Feb'15

  Flaws in alternative Android browsers pose underestimated risk

  Exclusive: VerSprite research on 10 alternative Android browsers has found at least one major security vulnerability in all of them, posing a significant security risk for enterprise Android users.

• February 06, 2015 06 Feb'15

  Same-origin policy IE vulnerability may signal new attack trend

  A new IE vulnerability has led to a proof-of-concept same-origin policy exploit, and some experts say it highlights a technique that may soon become popular among attackers.

• February 02, 2015 02 Feb'15

  Adobe Flash patch promised this week for new zero-day bug

  Trend Micro discovered a new zero-day bug in Adobe Flash that is being actively exploited in the wild. Adobe promises a patch for the vulnerability this week.

• January 30, 2015 30 Jan'15

  Will YouTube HTML5 transition mean the end of Flash security issues?

  News roundup: YouTube announced it has stopped using Flash by default in favor of HTML5. Is this the long-awaited end for Flash? Plus: Java was the riskiest software in 2014; BEC scam cost $215 last year; NFL data interceptions.

• December 19, 2014 19 Dec'14

  Surviving the Sony Pictures hack: Is the company's future in jeopardy?

  News roundup: As it copes with a devastating, unprecedented cyberattack, Sony Pictures' future as a company could be on the line. Plus: "Operation Cleaver"; labeling HTTP websites "insecure"; and a surge in phishing with malicious links.

• October 31, 2014 31 Oct'14

  Verizon's mobile persistent cookie is more trick than treat

  News roundup: Verizon gave its mobile users an early Halloween trick: a cookie that cannot be erased, despite a number of privacy concerns. Also: compromising an air-gapped computer over the air; an alleged government-funded hack against a CBS ...

• September 08, 2014 08 Sep'14

  Heartbleed patch efforts ignored on thousands of websites

  Data from McAfee shows many organizations have yet to fully patch the Heartbleed vulnerability, and as many as 300,000 websites remain at risk.

• August 18, 2014 18 Aug'14

  Exploit kits put Silverlight security issues in focus

  Silverlight security issues will demand more attention as attackers increasingly target the plug-in, leaving users vulnerable to various exploits.

• June 04, 2014 04 Jun'14

  Recent barrage of IE zero days highlights risk for enterprises

  Despite a torrent of recent Internet Explorer zero-days, experts cautioned that the flaws aren't a true gauge of the browser's security.

• May 21, 2014 21 May'14

  Microsoft fails to address IE zero day before public disclosure

  Though notified of the IE zero day months ago, Microsoft failed to address the vulnerability before it was made public.

• May 21, 2014 21 May'14

  Vulnerable applications, plug-ins remain juicy targets

  As attackers increasingly target e-commerce websites, vulnerable applications and third-party plug-ins represent an easy avenue of exploitation.

• May 01, 2014 01 May'14

  Microsoft issues out-of-band patch for 'use-after-free' IE zero day

  Microsoft's out-of-band patch for the 'use-after-free' IE zero day offered a fix for Windows XP, which is now being actively targeted.

• April 02, 2014 02 Apr'14

  Safari security update includes fix for 2014 Pwn2Own hack

  The Safari security update addresses a number of remotely exploitable vulnerabilities and includes a fix for a hack from the Pwn2Own competition.

• March 21, 2014 21 Mar'14

  HealthCare.gov security issues: Lessons learned for enterprises

  Researchers have warned of numerous HealthCare.gov security issues. Michael Cobb reviews the website security lessons learned for enterprises.

• March 18, 2014 18 Mar'14

  Despite Pwn2Own 2014 hacks, application sandboxing still critical

  Researchers at the 2014 Pwn2Own contest bypassed application sandboxing repeatedly, proving even the most secure applications can be vulnerable.

• February 14, 2014 14 Feb'14

  FireEye finds active watering hole attack using IE zero-day exploit

  FireEye first reported that the zero-day exploit affecting IE 9 and 10 is part of a watering hole attack utilizing the U.S. VFW's website.

• October 07, 2013 07 Oct'13

  How the Firefox Health Report improves enterprise browser security

  Expert Michael Cobb discusses the ins and outs of the Firefox Health Report, and the implications it has for browser security and enterprise security.

• October 03, 2013 03 Oct'13

  October 2013 Patch Tuesday to include four critical vulnerabilities

  Microsoft's October Patch Tuesday expected to resolve four critical vulnerabilities, with experts hoping a recent high-profile IE zero-day is patched.

• September 18, 2013 18 Sep'13

  Microsoft offers temporary fix for Internet Explorer zero-day

  Microsoft provides an Internet Explorer fix after confirming a vulnerability affecting all versions of the Web browser is being actively exploited.