Web Browser Security
- December 13, 2019
Chrome's updated, built-in protections are intended to help users protect their passwords and data against malware, data breaches and phishing sites, according to the company.
- November 07, 2019
Phishing attacks against the United Nations and humanitarian organizations show how threat actors are weaponizing valid SSL certificates and how hard it is to stop the abuse.
- November 06, 2019
A recently reported bug in Firefox allows spammed authentication dialogs to lock users out of their browsers and it is under attack in the wild, despite previous efforts to patch.
- September 20, 2019
Security vendor RiskIQ discovered several old Magecart domains that had been sinkholed were re-registered under new owners and are now engaged in fraudulent advertising activity.
- July 17, 2019
Despite efforts to flag spoofed domains imitating Best Buy, the sites are still active on e-commerce platforms like Shopify and GearLaunch, which have not taken them down.
- April 30, 2019
A SearchSecurity investigation determined ad network Propeller Ads played a significant role in the early stages of the Master134 malvertising campaign.
- April 30, 2019
Online ad network ExoClick denied any involvement in the Master134 campaign, but the company has ties to similar malvertising threats.
- April 30, 2019
Malvertising and adware schemes are a growing concern for enterprises. Our deep investigation into one campaign reveals just how complicated threats can be to stop.
- April 30, 2019
This six-part series examines the unique malvertising campaign known as Master134 and the role that various digital advertising networks played in the threat.
- April 30, 2019
Adsterra denied it was involved in the Master134 malvertising campaign, but a review of the company's history reveals many red flags, including activity in a similar campaign.
- April 30, 2019
Online ad networks linked to the Master134 malvertising campaign and other malicious activity often evade serious fallout and continue to operate unabated.
- April 30, 2019
Check Point's report on the Master134 malvertising campaign implicated five ad networks, but a SearchSecurity investigation revealed more companies were involved.
- February 01, 2019
Google is planning to add warnings on lookalike URLs in an ongoing effort to ensure internet users experience useful and clear warnings while using the Chrome browser.
- December 21, 2018
News roundup: Microsoft issues an emergency patch for an Internet Explorer bug exploited in the wild. Plus, authorities indict three individuals for 'stresser' services, and more.
- October 12, 2018
Mozilla delays plans to distrust Symantec TLS certificates in Firefox because despite more than one year's notice, approximately 13,000 websites still use the insecure certificates.
- September 26, 2018
Google will modify the next version of Chrome in an attempt to appease critics of the browser's cookie retention functionality and automatic Chrome login feature.
- September 26, 2018
A security researcher developed a proof-of-concept attack on Firefox, called Browser Reaper, which can crash or freeze the browser. But he gave Mozilla short notice of the flaw.
- September 25, 2018
Google Chrome sign-in changes are being criticized by experts, and poor communication from Google has led to more confusion about user privacy and consent.
- August 16, 2018
The finalized TLS 1.3 update has been published after a four-year process. The new protocol promises to be faster and more secure than its predecessor, TLS 1.2.
- July 13, 2018
In an effort to mitigate the risk of Spectre attacks, Google Chrome site isolation has been enabled for 99% of browser users to minimize the data that could be gleaned by an attacker.
- July 09, 2018
A Firefox bug went undetected for nine years. Expert Michael Cobb explains how it enabled attackers to access the browser's master password and what's being done to mitigate it.
- June 29, 2018
News roundup: Upcoming WebAssembly updates may undo the Meltdown and Spectre mitigations. Plus, FireEye denied claims it 'hacked back' China, and more.
- June 08, 2018
News roundup: Apple wants to protect its users from Facebook web tracking with the next version of Safari. Plus, genealogy website MyHeritage suffers data breach, and more.
- March 27, 2018
The IETF approves the TLS 1.3 encryption protocol upgrade after four years and 28 versions; improvements include better security and performance, as well as middlebox support.
- March 21, 2018
A Firefox bug exposing the browser's master password to a simple brute force attack against inadequate SHA-1 hashing is still on the books after nearly nine years.
- February 27, 2018
Qihoo 360's Netlab team discovered an online ad network has been bypassing ad blockers and running cryptomining software in the browsers of unsuspecting visitors.
- February 21, 2018
Google's Project Zero publicly published an Edge browser vulnerability after the 90-day disclosure deadline expired, and Microsoft has yet to patch the flaw.
- February 07, 2018
A Grammarly vulnerability in its browser extension authentication could have exposed users' sensitive documents if the popular spelling and grammar checker were left unpatched.
- December 29, 2017
News roundup: Login managers enable the exposure of user credentials in over 1,000 websites. Plus, Mozilla patched a critical vulnerability in Thunderbird, and more.
- December 19, 2017
Google Project Zero's Tavis Ormandy discovered a flaw in the Keeper password manager browser extension that could allow attackers to steal credentials.
- November 03, 2017
News roundup: Comodo and Symantec sales signal important changes in the certificate authority business. Plus, an Oracle vulnerability gets a CVSS score of 10.0, and more.
- August 18, 2017
News roundup: Hackers leveraged eight hijacked Chrome extensions to attack 4.8 million browser users. Plus, Cloudflare stopped protecting a neo-Nazi website from DDoS attacks, and more.
- August 03, 2017
DigiCert agrees to buy majority stake in Symantec Website Security just days after Google releases an April 2018 distrust date for Symantec certificates.
- July 20, 2017
As the Symantec certificate authority scrambles to transition its certificate-issuance operations to a subordinate certificate authority, the CA industry sharpens its knives.
- July 19, 2017
Symantec has agreed to a plan that would transfer its certificate issuance and validation operations to an as-yet-unnamed third-party partner starting Dec. 1.
- July 13, 2017
As Google and Mozilla prepare plans to reduce trust for Symantec's certificate authority, the antivirus vendor is reported to be seeking a buyer for its web certificate business.
- July 10, 2017
Google to distrust all WoSign CA certificates in Chrome starting in September, as the troubled certificate authority passed a key audit and is seeking a new CEO to help return trust.
- June 14, 2017
The battle over Symantec CA operations continues as the antivirus vendor pushes back against a consensus remediation proposal from the web browser community.
- May 05, 2017
The TLS client authentication protocol has been part of the security standard for years, but it's just now coming into its own in certifying secure IoT connections.
- May 02, 2017
Mozilla reviews the counterproposal from Symantec and urges the CA giant to opt for Google's recommendation to outsource its certificate activities.
- April 25, 2017
Google and Mozilla weigh the proper response to Symantec certificate authority issues, as the CA giant prepares an alternative proposal for reinstating trust.
- April 12, 2017
Compliance with CA/B Forum Baseline Requirements was debated after Symantec CA posted responses to 14 issues raised by Mozilla developers.
- March 31, 2017
News roundup: HTTPS traffic has yet to surge, despite its security benefits, according to a report. Plus, the latest in the Apple extortion; a Mirai attack lasted 54 hours; and more.
- March 29, 2017
A researcher claims to have found Symantec SSL API issues with extremely dangerous consequences, but a lack of evidence causes confusion.
- March 24, 2017
Symantec certificate authority cries foul, as Google considers severe options following the company allegedly misissuing as many as 30,000 digital certificates.
- March 23, 2017
Research shows DV certificates can be a prime target for phishing and malware operators, but experts are unsure how certificate authorities should deal with the issue.
- March 06, 2017
The Department of Justice dropped a child pornography case in order to avoid disclosing a Tor vulnerability; dozens more cases potentially affected.
- February 28, 2017
Google Project Zero's 90-day disclosure policy bites Microsoft again, as a zero-day Edge and IE vulnerability is made public before a patch is available.
- January 25, 2017
A critical Cisco WebEx vulnerability in the service's browser extensions was discovered and patched, though some disagree the patch goes far enough to protect against attack.
- December 16, 2016
Microsoft followed Google's lead in promising to block Flash Player content by default in some situations and experts say the moves should expedite the death of Flash.
- December 16, 2016
News roundup: A report finds nearly half the internet is filled with vulnerable websites. Plus, SWIFT confirms more hacks, Amit Yoran steps down from RSA and more.
- December 14, 2016
A new Certificate Transparency Monitoring tool from Facebook may help webmasters track and vet TLS certificates, as well as improve integrity and security for HTTPS traffic.
- December 07, 2016
A malvertising campaign could put millions at risk of attack as the Stegano exploit kit is being delivered by this new method and is targeting unpatched systems.
- November 21, 2016
As the internet prepares for deprecation of the obsolete secure hashing algorithm, Google and other browser companies prepare to drop support for SHA-1 certificates.
- October 31, 2016
Certificate transparency compliance will be mandatory for publicly trusted website certificates in order to be considered secure by Google's Chrome browser.
- October 28, 2016
Mozilla boots WoSign as a trusted certificate authority for backdating SHA-1 certs and other controversial behavior, and it prepares to add default support for TLS 1.3 in 2017.
- October 21, 2016
Roundup: Firefox browser will reject SHA-1 certificates as soon as Mozilla announces further details relating to the deprecation of the outdated algorithm; plus, Oracle patches and more.
- October 14, 2016
Attempting to tidy its root certificates, a mis-issued GlobalSign certificate revocation list left website owners scrambling to address cert errors, restore safe browsing icons.
- September 09, 2016
Google's campaign to encrypt the web continues, as Chrome browser security will flag any sites using HTTP for passwords or payment info as insecure, starting in 2017.
- August 09, 2016
Microsoft's August 2016 Patch Tuesday focuses on critical browser vulnerabilities in Edge and Internet Explorer, as well as flaws with Microsoft Office and PDF Library.
- May 13, 2016
A court filing is asking the FBI for responsible disclosure of the Tor vulnerability used to exploit the Tor browser and de-anonymize users during a criminal investigation.
- January 28, 2016
Oracle announced plans to deprecate the Java browser plug-in, a noted attack vector, though the choice was not entirely its own.
- January 08, 2016
Internet Explorer end of life is on the way for three versions of Microsoft's Web browser, and enterprises need to understand which versions of Windows will still be supported.
- January 07, 2016
Researchers have found a new way to exploit an MD5 vulnerability to put users at risk, and experts say this is all the more reason to move faster in transitioning to SHA-256.
- December 14, 2015
Symantec announced it will retire one of its root certificates because it was based on older security, and Google made sure users knew the risks.
- October 19, 2015
Adobe has released an emergency patch for Flash zero-day vulnerabilities that have been exploited in the wild in attacks on foreign affairs ministries.
- September 22, 2015
Symantec testers created unauthorized Extended Validation certificates, but the bad certificates were caught by the Certificate Transparency log.
- September 18, 2015
News roundup: Additional research shows a Cisco router implant affects more devices than originally reported. Plus: Let's Encrypt's first cert issued; Tor in the library; the mitigated (but not fixed) iOS AirDrop vulnerability.
- July 31, 2015
News roundup: New threats add to the Tor anonymity debate, as a new browser aims to take anonymous browsing to the next level. Plus: Android security outlook is bad -- or is it? Also, another Xen host escape flaw and Wassenaar revisions put on hold.
- July 02, 2015
Video: Robert 'RSnake' Hansen of WhiteHat Security discusses Web browser security, third-party software vulnerabilities and the sad state of browser security throughout the industry.
- June 09, 2015
Microsoft's June 2015 Patch Tuesday features eight bulletins, including a critical update for Internet Explorer and Windows Media Player. Plus: Adobe releases fix for 13 Flash vulnerabilities.
- June 05, 2015
News roundup: New settings and options to boost user privacy and security are emerging on major websites, but is it enough?
- May 22, 2015
News roundup: New research highlights the changing nature of DDoS attack frequency and methodology. Plus: New malware strains double in second half of 2014; two new address bar spoofing vulnerabilities.
- May 20, 2015
Google's new Chrome extension policy mandates that all users and developers must install web browser extensions from the Chrome Web Store.
- May 15, 2015
News roundup: Microsoft released security details of its new Edge browser, but is it enough to restore user confidence? Plus: Millennial security threats; new ransomware, GPU-based malware; black hat cybersecurity services.
- May 07, 2015
Robert 'RSnake' Hansen of WhiteHat Security discusses the Aviator Web browser, why Google lashed out against it, the challenges of browser security and lessons learned for developing secure software.
- April 24, 2015
Researchers have found thousands of apps that feature insecure coding practices in implementing SSL protocols, which could lead to Android man-in-the-middle attacks.
- April 10, 2015
Security researchers say Webpage Screenshot, a popular third-party extension for Google Chrome, was secretly collecting end-user browsing data. Its true purpose and how Google missed it remain up for debate.
- March 25, 2015
Google, Microsoft, and Mozilla have revoked unauthorized TLS certificates issued by an intermediate certificate authority that could have been used in man-in-the-middle attacks.
- March 05, 2015
The serious HTTPS FREAK exploit was thought to only affect Android, iOS, and MacOS, but Microsoft has confirmed that it also affects all supported versions of Windows.
- February 20, 2015
News roundup: Amid hidden add-ons, discontinued services and walled gardens, vendor trust proves elusive for several high-profile tech firms. Plus: Evidence ties North Korea to Sony Pictures hack; card brands boost cybersecurity; and cookies that ...
- February 20, 2015
Exclusive: VerSprite research on 10 alternative Android browsers has found at least one major security vulnerability in all of them, posing a significant security risk for enterprise Android users.
- February 06, 2015
A new IE vulnerability has led to a proof-of-concept same-origin policy exploit, and some experts say it highlights a technique that may soon become popular among attackers.
- February 02, 2015
Trend Micro discovered a new zero-day bug in Adobe Flash that is being actively exploited in the wild. Adobe promises a patch for the vulnerability this week.
- January 30, 2015
News roundup: YouTube announced it has stopped using Flash by default in favor of HTML5. Is this the long-awaited end for Flash? Plus: Java was the riskiest software in 2014; BEC scam cost $215 last year; NFL data interceptions.
- December 19, 2014
News roundup: As it copes with a devastating, unprecedented cyberattack, Sony Pictures' future as a company could be on the line. Plus: "Operation Cleaver"; labeling HTTP websites "insecure"; and a surge in phishing with malicious links.
- October 31, 2014
News roundup: Verizon gave its mobile users an early Halloween trick: a cookie that cannot be erased, despite a number of privacy concerns. Also: compromising an air-gapped computer over the air; an alleged government-funded hack against a CBS ...
- September 08, 2014
Data from McAfee shows many organizations have yet to fully patch the Heartbleed vulnerability, and as many as 300,000 websites remain at risk.
- August 18, 2014
Silverlight security issues will demand more attention as attackers increasingly target the plug-in, leaving users vulnerable to various exploits.
- June 04, 2014
Despite a torrent of recent Internet Explorer zero-days, experts cautioned that the flaws aren't a true gauge of the browser's security.
- May 21, 2014
Though notified of the IE zero day months ago, Microsoft failed to address the vulnerability before it was made public.
- May 21, 2014
As attackers increasingly target e-commerce websites, vulnerable applications and third-party plug-ins represent an easy avenue of exploitation.
- May 01, 2014
Microsoft's out-of-band patch for the 'use-after-free' IE zero day offered a fix for Windows XP, which is now being actively targeted.
- April 02, 2014
The Safari security update addresses a number of remotely exploitable vulnerabilities and includes a fix for a hack from the Pwn2Own competition.
- March 21, 2014
Researchers have warned of numerous HealthCare.gov security issues. Michael Cobb reviews the website security lessons learned for enterprises.
- March 18, 2014
Researchers at the 2014 Pwn2Own contest bypassed application sandboxing repeatedly, proving even the most secure applications can be vulnerable.
- February 14, 2014
FireEye first reported that the zero-day exploit affecting IE 9 and 10 is part of a watering hole attack utilizing the U.S. VFW's website.
- October 07, 2013
Expert Michael Cobb discusses the ins and outs of the Firefox Health Report, and the implications it has for browser security and enterprise security.
- October 03, 2013
Microsoft's October Patch Tuesday expected to resolve four critical vulnerabilities, with experts hoping a recent high-profile IE zero-day is patched.
- September 18, 2013
Microsoft provides an Internet Explorer fix after confirming a vulnerability affecting all versions of the Web browser is being actively exploited.