Big browser builders scramble to fix cross-platform zero-day flaw

Browser manufacturers will release an update in the next few weeks to block a new type of malware that exploits a cross-platform flaw that allows attackers access to Mac, PC, mobile, and even games console internet users. "PC, Android, Mac – the vulnerability hits them all the same," said Sveta Miladinov, founder of the …

COMMENTS

This topic is closed for new posts.
  1. LarsG

    Here we go again

    Here we go again, let's not tell anyone what it is until we fix it, in a few months' time.

    Yahoo, yippie Kai Yay!

    1. WatAWorld

      Re: Here we go again

      Why? Did you want to create and sell an exploit?

    2. Anonymous Coward

      Re: Here we go again

      AMEN! I'd like to know what this exploit looks like - is it the ability to fake a page's URL, making www.honestsite.evilsite.com look like www.honestsite.com, is it the ability to do cross-site scripting to scrape user credentials, or what? Is it Javascript based, or CSS, or plain HTML? Will not running Javascript (e.g. running NoScript) block it? What mitigating actions (other than unplugging our computers and sobbing in the corner) can we take?

      ANNNNNN-D! Why doesn't No Such Agency just dispatch a GlobalHawk and patch with extreme prejudice the people who exploit it?

  2. Dan Paul

    How about the REST of the "Browsers"?

    That's quite an interesting graph, one that should concern a regular poster who does not like Microsoft.

    It should also concern those who favor Opera in the EU browser wars and those who dislike Google/Android.

    It seems to me that Microsoft has done quite a bit to make IE10 safer and more robust than their earlier versions, as well as improve it against its competitors' products.

    Will there ever be even faint praise for MS? Only time will tell.

    1. Anonymous Coward

      Re: How about the REST of the "Browsers"?

      "It should also concern those who favor Opera in the EU browser wars and those who dislike Google/Android."

      Well, I can't see Opera on the graph, so I don't know whether to be concerned or not. I'm going for "not" as browser infections are vanishingly rare unless the user is a moron.

    2. WatAWorld

      Re: How about the REST of the "Browsers"?

      No kidding. I love Firefox, but that graph greatly concerns me.

      Especially since I use KIS to protect my computer. KASPERSKY INTERNET SECURITY browser protection add-ons don't work with a new Firefox version until typically 6 weeks after that Firefox version is put into production.

      Kaspersky refuses to address the issue by getting involved in Firefox's beta program, getting a preview of what is going into production so they can be compatible on day one.

      1. F Seiler

        Re: How about the REST of the "Browsers"?

        Uh, why exactly are you using an "internet security" package? Is it like "anti-virus", i.e. the same kind of cycle burner?

      2. Anonymous Coward

        @WatAWorld - Re: How about the REST of the "Browsers"?

        So KISs them good bye then!

      3. Anonymous Coward

        Re: How about the REST of the "Browsers"?

        I have a product that uses OPSWAT, and their problem with AV vendors is... wait a minute. It's the same problem you just mentioned.

        Mr Pot, meet Mr Kettle. Oh, you know each other.

      4. Anonymous Coward

        Re: How about the REST of the "Browsers"?

        Especially since I use KIS to protect my computer. KASPERSKY INTERNET SECURITY browser protection add-ons don't work with a new Firefox version until typically 6 weeks after that Firefox version is put into production.

        Kaspersky refuses to address the issue by getting involved in Firefox's beta program, getting a preview of what is going into production so they can be compatible on day one.

        /me thinks I'd be dropping that thing into the bitbucket with the rest of the trash if they can't play nice with everyone else and actually provide me the protection they say they provide.

    3. Anonymous Coward

      Re: How about the REST of the "Browsers"?

      Why should that graph concern anyone, or show that IE is better as you seem to be trying to imply? The number of blocked threats is irrelevant, the number of unblocked threats is all that matters. The graph is silent there.

      Isn't it possible that there are websites that do something like 'if browser = IE then attempt exploit' but maybe don't do it for some other browsers? This is rather like saying Windows AV software is better than the same company's AV software on Mac OS, because the Windows version neutralizes 100x more viruses!

    4. Anonymous Coward

      Re: How about the REST of the "Browsers"?

      IE has consistently had fewer vulnerabilities than Chrome, Safari or Firefox ever since IE7....

      1. Anonymous Coward

        @AC 08:52 - Re: How about the REST of the "Browsers"?

        Too bad it costs me 365CAD to install it on my PC. Pretty expensive, sheesh!

    5. Anonymous Coward

      Re: How about the REST of the "Browsers"?

      Will there ever be even faint praise for MS? Only time will tell.

      There's plenty of "faint praise" for MS ;) ;) ;)

  3. ChrisM

    your computer is not the target...

    You are....

  4. Gil Grissum

    Really??

    I've had to finally install an antivirus program for my Mac. It used to be that wasn't necessary, but the popularity of shiny shinies has made virus protection an unfortunate necessity for the platform.

    1. Deadly_NZ

      Re: Really??

      And you buy insurance for your Car, House etc etc. This is just insurance.

    2. Steve Knox

      Re: Really??

      Really?

      The first antivirus software I ever saw was Symantec Antivirus in the summer of 1989...running on a lab of Macs at a local college.

      1. Anonymous Coward

        Re: Really??

        "The first antivirus software I ever saw was Symantec Antivirus in the summer of 1989...running on a lab of Macs at a local college"

        Anecdote != Evidence

        The first computer virus (and subsequently the first anti-virus) was written for the PDP-10 back in 1971.

    3. phuzz

      Re: Really??

      I've spent the last few years saying "this year will be the year that there's a big virus attack on Macs", and every year so far I've been wrong. Perhaps there won't be a widely spreading attack, just exactly the same kind of phishing attacks aimed at users of all platforms.

      1. TheVogon

        Re: Really??

        You mean like the recent Java based attacks on hundreds of thousands of Macs?

      2. Anonymous Coward

        Re: Really??

        "I've spent the last few years saying "this year will be the year that there's a big virus attack on Macs", and every year so far I've been wrong. Perhaps there won't be a widely spreading attack, just exactly the same kind of phishing attacks aimed at users of all platforms."

        More like the Mac/Pc ratio is still far too small for miscreants to bother!

  5. joed

    so users that refuse to use IE block the exploits

    right?

    how else can we explain graphs?

    1. WatAWorld

      I explain the graphs as MS making a much more secure browser this month

      The graphs are apparently tests of lab computers with vanilla installs of the browsers with any AV internet security add-ons turned off.

      So I explain the graphs as MS making a much more secure browser this month than Google, Apple and Mozilla.

      The big question for me is whether the graphs are like this month after month.

      Did MS merely have a good month?

      Did Mozilla merely have a bad month?

      IF this is how it typically has been for the past year, I would seriously consider going back to MSIE from my beloved Firefox. (Especially, as I said above, because the Kaspersky KIS I use isn't usually compatible with the latest FF release until it's been out 6 weeks.)

      1. El Andy

        Re: I explain the graphs as MS making a much more secure browser this month

        Those kind of results have been pretty consistent for a long time now. IE may once have deservedly had a reputation for poor security, but Microsoft have done impressive work in massively improving things and it really is the safest browser by a long way these days.

        1. F Seiler

          Re: I explain the graphs as MS making a much more secure browser this month

          "primarily intended for use in phishing attacks rather than giving access to full systems"

          OK, maybe I should wait until details are out, but "phishing" sounds like a brain attack, not a system attack.

          A browser can't really defend against that *unless* it phones home all the time in order to block what its home base considers insecure.

          Not exactly what i want my browser to do.

          (I use various versions of FF at home, as far back as 3.0.x {ofc always with NS and AB}, use IE at work, but Chrome? uuuuhhh)

        2. Michael Wojcik

          Re: I explain the graphs as MS making a much more secure browser this month

          Microsoft have done impressive work in massively improving things and it really is the safest browser by a long way these days

          "The safest browser" is a meaningless phrase. Browser "safety" is far too vague a term to indicate anything useful in the abstract; information-system security is only meaningful in the context of a threat model. And if "safety" did mean anything useful in this context, it would primarily be a function of the user's actions.

      2. Steve Davies 3

        Re: I explain the graphs as MS making a much more secure browser this month

        Shame that IE-9 is so fragile.

        It regularly crashes and asks nicely if it can search the web for a solution. It sometimes happens just when it is sitting there open on a page that is totally static HTML.

        Then there is IE-10. Half the sites I visit don't render properly and some WebMail accounts that I have don't even work with it.

        No wonder that IE-6 is still out there in the wild.

        As a result, I have relegated IE to use only when I visit MS sites.

        Firefox with Adblock-Plus, FlashBlock and NoScript is my main browser. There again, I don't go visiting pr0n sites that I know (from a friend's experience) are loaded with malware.

        I am beginning to wonder if these graphs should also have % malware by site type included.

        That would give another view on the problem.

        1. Snake

          Re: I explain the graphs as MS making a much more secure browser this month

          I don't understand why you are using all three addons when NoScript does what FlashBlock does (a Flash embed won't load until you give permission in NoScript). Most ads are JS enabled and therefore NoScript blocks those, as well.

          So why use all three?

        2. TheVogon

          Re: I explain the graphs as MS making a much more secure browser this month

          Those crashes are almost certainly not an IE9 issue. Remove Flash and Java and I suspect your crashes will all disappear....

      3. Anonymous Coward

        @WatAWorld - Re: I explain the graphs as MS making a much more secure browser this month

        Unlike you, instead of dumping FF and going to IE, I preferred to dump the antivirus and I'm perfectly happy without it. Just keeping Windows and everything else patched, logging in with low privileges and not using IE has kept me safe for the past few years. As somebody was mentioning here, insurance does not protect you against accidents.

  6. Joey

    The best protection is...

    ...common sense. Costs nothing.

    1. Sebastian A

      Re: The best protection is...

      It may cost nothing, but that's only because it's not transferable. Supplies are dwindling daily, it seems, so if supply and demand were able to work their magic it would be worth a fortune.

    2. Anonymous Coward

      Re: The best protection is...

      The best protection is...

      ...common sense. Costs nothing.

      Really? They make prophylactics for pr0n sites now? How does one put it on? WHERE does one wear them?

  7. Pete Spicer

    The notion of a vulnerability that works across all these environments (remember: the article quotes the reporter as saying it works on 'PC, Android, Mac'), without touching shared code, suggests that it's not really the browser that's the problem...

    I mean, what do PC, Android and Mac have in common in terms of platform? You could argue Webkit, seeing how Chrome on all platforms, plus Safari all use Webkit, but that's not really the point being made if 'potentially' games consoles are vulnerable.

    For it to be a cross-environment vulnerability, it must target something common to each environment, and the first thing that comes to mind is the bit after the browser, after the operating system, i.e. DNS. Another DNS poisoning/MITM type attack?

    As for the graphs, I'm really not sure what to make of that exactly. I'd argue that most people who intentionally veer off the straight and narrow (IE land) are probably more aware of the kinds of things out there and less likely to click on something that seems phishy.

    1. MacroRodent

      notion of a vulnerability that works across all these environments

      My money is on a fundamental design flaw in the JavaScript language: some feature or combination of features that is implemented the same way in all major JavaScript implementations. This could be hard or impossible to fix without breaking compatibility with some web pages.

      But soon we will know.

    2. Doctor_Wibble

      IDNs and character sets and SSL certificates?

      Since it's cross-platform and cross-browser, is it maybe some bad handling of Internationalised Domain Names and character sets and lack of notifications going between one SSL site and another equally-valid SSL site with an almost-same-looking name?

      Or even an identical-looking name that doesn't get flagged up (they fixed that obvious one already, right?) because e.g. a plain-looking 'e' appears elsewhere in the character set, e.g. in the 'accented' section. But if it's an SSL-secured site, it's safe, right...?

      And even if it's visibly wrong when you hover over the link, can one 'hover' on a fondleslab to see it?

  8. lvm

    Call me paranoid, but it suspiciously looks like yet another tiny company trying to get some cheap publicity by blowing out of proportion some aspects of misusing a perfectly normal feature. Like, "if you click on a URL to an infected file it <gasp> downloads it. And if you click yes a couple of times it OPENS IT AND INFECTS THE WHOLE WORLD!"

  9. mark l 2

    IE10 may be more secure than Chrome, FF, Safari but is only available on Windows. So if you're running iOS, Android, Mac OS or even Windows versions prior to 7 you can't install it. And I hardly see the millions of users of these other OSes throwing out their devices and buying Windows 8 just to get IE10.

    1. Squander Two

      Which is a shame, as IE for Mac was actually superb, back in the day.

      1. Bucky 2

        Too true

        To this day, it remains the only browser that offered a sane display for <optgroup>s.

    2. TheVogon

      I can. The future is touch and gesture and Microsoft are well ahead of the competition...

  10. Quinch

    A true cross-platform vulnerability that affects all browsers

    So how do they plan to fix the users?

    1. Solmyr ibn Wali Barad

      Re: A true cross-platform vulnerability that affects all browsers

      Or webmasters?

      Buttons, which do not reveal their destinations, are plain evil.

      Mouseover events triggering JS are plain evil.

      Mystery meat navigation - silly, but evil nonetheless.

      Fortunately we can cross off the dreaded iframes, as those seem to be out of fashion now.

  11. chris lively

    Let's see... Cross platform zero day vulnerability that impacts various browsers running on a wide variety of hardware...

    So another Java fail then?

