
back to article Big browser builders scramble to fix cross-platform zero-day flaw

Browser manufacturers will release an update in the next few weeks to block a new type of malware that exploits a cross-platform flaw that allows attackers access to Mac, PC, mobile, and even games console internet users. "PC, Android, Mac – the vulnerability hits them all the same," said Sveta Miladinov, founder of the British- …

COMMENTS

This topic is closed for new posts.
Silver badge
Meh

Here we go again

Here we go again, let's not tell anyone what it is until we fix it, in a few months' time.

Yahoo, yippie Kai Yay!

3
1
Bronze badge

Re: Here we go again

Why? Did you want to create and sell an exploit?

1
3
Anonymous Coward

Re: Here we go again

AMEN! I'd like to know what this exploit looks like - is it the ability to fake a page's URL, making www.honestsite.evilsite.com look like www.honestsite.com, is it the ability to do cross-site scripting to scrape user credentials, or what? Is it Javascript based, or CSS, or plain HTML? Will not running Javascript (e.g. running NoScript) block it? What mitigating actions (other than unplugging our computers and sobbing in the corner) can we take?

ANNNNNN-D! Why doesn't No Such Agency just dispatch a GlobalHawk and patch with extreme prejudice the people who exploit it?

4
1
Bronze badge
Devil

How about the REST of the "Browsers"?

That's quite an interesting graph, one that should concern a regular poster who does not like Microsoft.

It should also concern those who favor Opera in the EU browser wars and those who dislike Google/Android.

It seems to me that Microsoft has done quite a bit to make IE10 more safe and robust than their earlier versions as well as improve it against its competitors' products.

Will there ever be even faint praise for MS? Only time will tell.

2
0
Silver badge

Re: How about the REST of the "Browsers"?

"It should also concern those who favor Opera in the EU browser wars and those who dislike Google/Android."

Well, I can't see Opera on the graph, so I don't know whether to be concerned or not. I'm going for "not" as browser infections are vanishingly rare unless the user is a moron.

0
0
Bronze badge
Unhappy

Re: How about the REST of the "Browsers"?

No kidding. I love Firefox, but that graph greatly concerns me.

Especially since I use KIS to protect my computer. KASPERSKY INTERNET SECURITY browser protection add-ons don't work with a new Firefox version until typically 6 weeks after that Firefox version is put into production.

Kaspersky refuses to address the issue by getting involved in Firefox's beta program, getting a preview of what is going into production so they can be compatible on day one.

0
0

Re: How about the REST of the "Browsers"?

uh, why exactly are you using an "internet security" package? is it like "anti virus", i.e. the same kind of cycle burner?

0
0
Silver badge

Re: How about the REST of the "Browsers"?

Why should that graph concern anyone, or show that IE is better as you seem to be trying to imply? The number of blocked threats is irrelevant, the number of unblocked threats is all that matters. The graph is silent there.

Isn't it possible that there are websites that do something like 'if browser = IE then attempt exploit' but maybe don't do it for some other browsers? This is rather like saying Windows AV software is better than the same company's AV software on Mac OS, because the Windows version neutralizes 100x more viruses!

6
2
Anonymous Coward

Re: How about the REST of the "Browsers"?

IE has consistently had fewer vulnerabilities than Chrome, Safari or Firefox ever since IE7....

0
4
Anonymous Coward

@WatAWorld - Re: How about the REST of the "Browsers"?

So KISs them good bye then!

1
0
Anonymous Coward

@AC 08:52 - Re: How about the REST of the "Browsers"?

Too bad it costs me 365CAD to install it on my PC. Pretty expensive, sheesh!

0
0
Silver badge
Facepalm

Re: How about the REST of the "Browsers"?

I have a product that uses OPSWAT, and their problem with AV vendors is... wait a minute. It's the same problem you just mentioned.

Mr Pot, meet Mr Kettle. Oh, you know each other.

0
0
Anonymous Coward

Re: How about the REST of the "Browsers"?

Will there ever be even faint praise for MS? Only time will tell.

There's plenty of "faint praise" for MS ;) ;) ;)

0
0
Anonymous Coward

Re: How about the REST of the "Browsers"?

Especially since I use KIS to protect my computer. KASPERSKY INTERNET SECURITY browser protection add-ons don't work with a new Firefox version until typically 6 weeks after that Firefox version is put into production.

Kaspersky refuses to address the issue by getting involved in Firefox's beta program, getting a preview of what is going into production so they can be compatible on day one.

/me thinks I'd be dropping that thing into the bitbucket with the rest of the trash if they can't play nice with everyone else and actually provide me the protection they say they provide.

0
0

your computer is not the target...

You are....

4
0
Pint

Really??

I've had to finally install an Antivirus program for my Mac. Used to be that wasn't necessary, but the popularity of shiny shinies has made virus protection an unfortunate necessity for the platform.

2
1
Pint

Re: Really??

And you buy insurance for your Car, House etc etc. This is just insurance.

0
0
Silver badge
Meh

Re: Really??

Really?

The first antivirus software I ever saw was Symantec Antivirus in the summer of 1989...running on a lab of Macs at a local college.

0
0
Bronze badge
Devil

Re: Really??

I've spent the last few years saying "this year will be the year that there's a big virus attack on Macs", and every year so far I've been wrong. Perhaps there won't be a widely spreading attack, just exactly the same kind of phishing attacks aimed at users of all platforms.

0
0
Bronze badge
Mushroom

Re: Really??

You mean like the recent Java based attacks on hundreds of thousands of Macs?

0
1
Anonymous Coward

Re: Really??

"I've spent the last few years saying "this year will be the year that there's a big virus attack on Macs", and every year so far I've been wrong. Perhaps there won't be a widely spreading attack, just exactly the same kind of phishing attacks aimed at users of all platforms."

More like the Mac/PC ratio is still far too small for miscreants to bother!

0
0
Anonymous Coward

Re: Really??

"The first antivirus software I ever saw was Symantec Antivirus in the summer of 1989...running on a lab of Macs at a local college"

Anecdote != Evidence

The first computer virus (and subsequently the first anti-virus) was written for the PDP-10 back in 1971.

0
0

so users that refuse to use IE block the exploits

right?

how else can we explain graphs?

1
1
Bronze badge

I explain the graphs as MS making a much more secure browser this month

The graphs are apparently tests of lab computers with vanilla installs of the browsers with any AV internet security add-ons turned off.

So I explain the graphs as MS making a much more secure browser this month than Google, Apple and Mozilla.

The big question for me is whether the graphs are like this month after month.

Did MS merely have a good month?

Did Mozilla merely have a bad month?

If this is how it typically has been for the past year, I would seriously consider going back to MSIE from my beloved Firefox. (Especially, as I said above, because the Kaspersky KIS I use isn't usually compatible with the latest FF release until it's been out 6 weeks.)

0
0
Bronze badge

Re: I explain the graphs as MS making a much more secure browser this month

Those kind of results have been pretty consistent for a long time now. IE may once have deservedly had a reputation for poor security, but Microsoft have done impressive work in massively improving things and it really is the safest browser by a long way these days.

1
2

Re: I explain the graphs as MS making a much more secure browser this month

"primarily intended for use in phishing attacks rather than giving access to full systems"

OK maybe I should wait until details are out, but "phishing" sounds like a brain attack, not a system attack.

A browser can't really defend against that *unless* it phones home all the time in order to block what its home base considers insecure.

Not exactly what I want my browser to do.

(I use various versions of FF at home, as far back as 3.0.x {ofc always with NS and AB}, use IE at work, but chrome? uuuuhhh)

1
0
Silver badge

Re: I explain the graphs as MS making a much more secure browser this month

Shame that IE-9 is so fragile.

It regularly crashes and asks nicely if it can search the web for a solution. It sometimes happens just when it is sitting there open on a page that is totally static HTML.

Then there is IE-10. Half the sites I visit don't render properly and some WebMail accounts that I have don't even work with it.

No wonder that IE-6 is still out there in the wild.

As a result, I have relegated IE to use only when I visit MS sites.

Firefox with Adblock-Plus, FlashBlock and NoScript is my main browser. There again I got do visiting Pron sites that I know (from a friend's experience) are loaded with malware.

I am beginning to wonder if these graphs should also have % malware by site time included.

That would give another view on the problem.

0
0

Re: I explain the graphs as MS making a much more secure browser this month

I don't understand why you are using all three addons when NoScript does what FlashBlock does (a Flash embed won't load until you give permission in NoScript). Most ads are JS enabled and therefore NoScript blocks those, as well.

So why use all three?

2
0
Bronze badge
Mushroom

Re: I explain the graphs as MS making a much more secure browser this month

Those crashes are almost certainly not an IE9 issue. Remove Flash and Java and I suspect your crashes will all disappear....

0
1
Anonymous Coward

@WatAWorld - Re: I explain the graphs as MS making a much more secure browser this month

Unlike you, instead of dumping FF and going to IE, I preferred to dump the Antivirus and I'm perfectly happy without it. Just keeping Windows and everything else patched, logging in with low privileges and not using IE kept me safe for the past few years. As somebody was mentioning here, an insurance does not protect you against accidents.

1
0
Bronze badge

Re: I explain the graphs as MS making a much more secure browser this month

Microsoft have done impressive work in massively improving things and it really is the safest browser by a long way these days

"The safest browser" is a meaningless phrase. Browser "safety" is far too vague a term to indicate anything useful in the abstract; information-system security is only meaningful in the context of a threat model. And if "safety" did mean anything useful in this context, it would primarily be a function of the user's actions.

0
1

The best protection is...

...common sense. Costs nothing.

3
1
Holmes

Re: The best protection is...

It may cost nothing but that's only because it's not transferrable. Supplies are dwindling daily it seems, so if supply and demand were able to work its magic it would be worth a fortune.

4
0
Anonymous Coward

Re: The best protection is...

The best protection is...

...common sense. Costs nothing.

Really? They make prophylactics for pr0n sites now? How does one put it on? WHERE does one wear them?

0
0
Boffin

The notion of a vulnerability that works across all these environments (remember: the article quotes the reporter as saying it works on 'PC, Android, Mac'), without touching shared code, suggests that it's not really the browser that's the problem...

I mean, what do PC, Android and Mac have in common in terms of platform? You could argue Webkit, seeing how Chrome on all platforms, plus Safari all use Webkit, but that's not really the point being made if 'potentially' games consoles are vulnerable.

For it to be a cross-environment vulnerability, it must target something common to each environment, and the first thing that comes to mind is the bit after the browser, after the operating system, i.e. DNS. Another DNS poisoning/MITM type attack?

As for the graphs, I'm really not sure what to make of that exactly. I'd argue that most people who intentionally veer off the straight and narrow (IE land) are probably more aware of the kinds of things out there and less likely to click on something that seems phishy.

2
0
Bronze badge
Boffin

notion of a vulnerability that works across all these environments

My money is on a fundamental design flaw in the JavaScript language: some feature or a combination of features that is implemented the same way in all major JavaScript implementations. This could be hard or impossible to fix without breaking compatibility with some web pages.

But soon we will know.

0
0
Boffin

IDNs and character sets and SSL certificates?

Since it's cross-platform and cross-browser, is it maybe some bad handling of Internationalised Domain Names and character sets and lack of notifications going between one SSL site and another equally-valid SSL site with an almost-same-looking name?

Or even an identical-looking name that doesn't get flagged up (they fixed that obvious one already, right?) because e.g. a plain-looking 'e' appears elsewhere in the character set, e.g. in the 'accented' section. But if it's an SSL-secured site, it's safe, right...?

And even if it's visibly wrong when you hover over the link, can one 'hover' on a fondleslab to see it?

0
0
lvm

Call me paranoid, but it suspiciously looks like yet another tiny company trying to get some cheap publicity by blowing out of proportion some aspects of misusing a perfectly normal feature. Like, "if you click on url to infected file it <gasp> downloads it. And if you click yes a couple of times it OPENS IT AND INFECTS THE WHOLE WORLD!"

3
1

IE10 may be more secure than Chrome, FF, Safari but is only available on Windows. So if you're running iOS, Android, Mac OS or even Windows versions prior to 7 you can't install it. And I hardly see the millions of users of these other OS throwing out their devices and buying Windows 8 just to get IE10.

0
0
Bronze badge

Which is a shame, as IE for Mac was actually superb, back in the day.

0
0
Thumb Up

Too true

To this day, it remains the only browser that offered a sane display for <optgroup>s.

0
0
Bronze badge
Mushroom

I can. The future is touch and gesture and Microsoft are well ahead of the competition...

0
1
Joke

A true cross-platform vulnerability that affects all browsers

So how do they plan to fix the users?

3
0
Bronze badge

Re: A true cross-platform vulnerability that affects all browsers

Or webmasters?

Buttons, which do not reveal their destinations, are plain evil.

Mouseover events triggering JS are plain evil.

Mystery meat navigation - silly, but evil nonetheless.

Fortunately we can cross off the dreaded iframes, as those seem to be out of fashion now.

0
0
Bronze badge
WTF?

Let's see... Cross platform zero day vulnerability that impacts various browsers running on a wide variety of hardware...

So another Java fail then?

0
0