Browser Security

Browser technology and security events always make for interesting reading, especially since we do most of our online work through browsers these days, be it general web surfing, accessing enterprise apps or managing systems and devices.

Browser features and security are therefore critical – this shouldn’t even need to be said. But things aren’t always what they seem : )

(Warning: there’s a bumper crop of browser stuff in this week’s blog … get some coffee)

drive-by downloads

Drive-by downloads have long been an issue on malware-infected websites, and browsers haven’t always been able to provide even basic protection to their users against them.

A researcher from advertising security firm Confiant, Eliya Stein, has recently blogged on the issue of the susceptibility of current web browsers to drive-by downloading. And the results make for very interesting reading.

Eliya’s attention was drawn to this practice when BoingBoing was delivering malicious downloads to their visitors in this manner. After many complaints BoingBoing disclosed that their site had been hacked. In this case, the malicious code was placed onto their servers, so it was running in the same origin as the page and had unfettered access to the user’s page. Eliya indicated that they detected this attack on a multitude of other sites too.

Now you may or may not know that CORS (Cross-Origin Resource Sharing) is a browser mechanism that allows restricted resources on a web page to be requested from a domain other than the one the first resource was served from.

So you’re on site A which then feeds you information or objects from site B. This can be a Very Bad Thing ™ because infected sites could feed you malware from alternate sites even when the original site has nothing specifically “bad” on it.

Courtesy of SN:

Having uncovered the mechanism that the attacker uses to drop the malware, Eliya conducted an audit of recent popular browser versions and how they handle downloads that are not initiated by user interaction. The inspiration for doing this analysis was the surprising discovery that most browsers WILL honor downloads triggered from cross-origin frames. What’s more, these zero-click downloads are still often possible in sandboxed cross-origin iframes.

And so we get onto Chrome, which until recently was allowing this practice by default. It has only finally been rectified in Chrome 83, somewhat begrudgingly, and some would say it isn’t really a full fix either.

From the following link:

Sandboxed iframe can initiate or instantiate downloads. Chrome is planning on removing this capability – i.e. Chrome is going to block all downloads initiated from or instantiated in a sandboxed iframe by default. The embedder may add “allow-downloads” to the sandbox attributes list to opt in. This allows content providers to restrict malicious or abusive downloads. Removal is expected in Chrome 83.

The whole idea of sandboxing is to protect the external system from threats in the sandbox. Chrome 83 does indeed block downloads initiated from sandboxed cross-origin frames. BUT it is still willing to drop a file if the iframe has no sandbox attribute set at all. So this is effectively an allow-by-default design …
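To make the allow-by-default point concrete, here is a small audit script (an added example, not code from the original post or from Confiant) that checks a page template’s iframe embeds against the Chrome 83 rule as described above: a sandboxed frame can only start a download if its sandbox list opts in with “allow-downloads”, while a frame with no sandbox attribute at all is still free to do so. The sample markup and the hostnames in it are constructed for the example.

```javascript
// Added example: flag iframe embeds that can still drop a file under the
// Chrome 83 rule. Runs under Node, no DOM needed; the tag parser is a simple
// regex pass that is adequate for static templates, not a full HTML parser.

// Constructed sample markup standing in for a template that embeds
// third-party (cross-origin) content such as ad slots.
const SAMPLE_HTML = `
<iframe src="https://ads.example-cdn.test/slot1"></iframe>
<iframe src="https://ads.example-cdn.test/slot2" sandbox="allow-scripts allow-downloads"></iframe>
<iframe src="https://ads.example-cdn.test/slot3" sandbox="allow-scripts"></iframe>
<iframe src="https://ads.example-cdn.test/slot4" sandbox></iframe>
`;

// Extract each <iframe ...> tag with its src and sandbox token list.
// sandbox is null when the attribute is absent, [] when present but empty.
function parseIframes(html) {
  const tags = html.match(/<iframe\b[^>]*>/gi) || [];
  return tags.map((tag) => {
    const src = (tag.match(/\bsrc\s*=\s*["']([^"']*)["']/i) || [])[1] || '';
    const sb = tag.match(/\bsandbox(?:\s*=\s*["']([^"']*)["'])?/i);
    let sandbox = null;
    if (sb) {
      sandbox = sb[1] === undefined ? [] : sb[1].trim().split(/\s+/).filter(Boolean);
    }
    return { src, sandbox };
  });
}

// Can this frame start a download without a click, per the Chrome 83 rule?
function downloadsAllowed(frame) {
  if (frame.sandbox === null) return true;            // unsandboxed: allow by default
  return frame.sandbox.includes('allow-downloads');   // sandboxed: opt-in only
}

// Return the embeds that still permit downloads, with the reason, so the
// embedder can either add a sandbox attribute or drop the opt-in token.
function auditIframes(html) {
  return parseIframes(html)
    .filter(downloadsAllowed)
    .map((f) => ({
      src: f.src,
      reason: f.sandbox === null ? 'no sandbox attribute' : 'sandbox opts in with allow-downloads',
    }));
}

console.log(auditIframes(SAMPLE_HTML));
```

Only slot3 and slot4 come out clean: a sandbox attribute without “allow-downloads” is the one configuration the new default actually blocks.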

Other browsers such as Firefox and Brave (interestingly enough, a browser based on Chromium) will prompt the user when a download is initiated. Safari apparently attempts to honor the download but seems to get stuck. Android browsers are quick to warn when the download is a file with an APK extension, but anything else often doesn’t receive a prompt.

It’s interesting that Chrome has been the leader in the browser market for some time now, yet it’s certainly not a leader in browser security, or in features that improve the security of the browser. The opposite seems to be true. Why? More on this in the conclusion.

notification-abusing sites

You’ve probably noticed (and by now become sick of) sites that bring up a popup when you visit them, asking you to allow them to send you notifications. What’s worse is that in some cases, these notifications are provided through the operating system’s notification system which is very intrusive and potentially dangerous.

There are two types of abusive alerts:

  • permission requests which attempt to mislead, trick or force users into allowing notifications
  • the content of the notifications themselves, which is used for phishing, delivering malware, and for faking chat messages, warnings, or system dialogs

Chrome 84 (when released in July) will start alerting users to the fact that these websites may be trying to trick them by phishing for private information or promoting malware. Google will give at least 30 calendar days’ notice prior to the start of enforcement, and sites will be notified by email the first time they fail the abusive browser alert checks, so that they have an opportunity to fix the issues.

I like that browser vendors are starting to give control to users over what websites can and can’t do through their browsers.

windows 10 may 2020 update – infamy!

Chrome on MacOS has recently been struggling with some serious graphics rendering issues.

“Some screws were left loose lol not fully built or something about it isn’t able to be read by the Macbooks? Anyone find out specifics? I would love to learn the official why and fix behind this” – source

“Chiming in on [Chrome] Build 81.0.4044.92 with the same issue. I literally cannot use some Gsuite features as they will trigger the issue.” – source

“Chromium based apps occasionally shatter (render blue noise) on MacOS Catalina…  it does not seem to be WebKit in general, since Safari is not affected by that. Is it a known issue? Closing and reopening Chrome does not help. I need to restart the computer.” – source

Google have suggested the issue may be related to a graphics card driver, but Apple is claiming it’s not their fault … we’ll see how this cat-and-mouse game plays out, but in the meantime it’s a big issue for MacOS Chrome users.

But Microsoft had to come to the party and say “hold my beer!”

Google has confirmed that since Microsoft’s massive Windows 10 ‘May 2020’ update, Chrome can no longer keep users signed in, sync data, store cookies, remember passwords or keep third-party extension data – sometimes deleting the extension completely.

Moreover, Google saw this coming two months ago. In a bug report filed back in April, Google engineers confirmed multiple problems with the Windows 10 May 2020 update, then still in beta testing.

Interestingly enough, Microsoft’s own Chromium-based browser, Edge, is unaffected – conspiracy much?

Apparently the issue relates to a new “SegmentHeap” change that Microsoft introduced into the May 2020 update that reduces memory usage in Edge by as much as a quarter. Google is looking to use the same feature in Chrome …

I’ll indicate here as well, that my own Chrome on Linux installation has been exhibiting the same ‘remember passwords’ issue listed above for many months already, not that I use the feature often. It’s painful but luckily my KeePassXC autofill capability comes in handy.

the chrome store

Google has had a lot of issues with malicious apps in the Chrome store (a reason why I don’t use this store at all) and the problem has resurfaced recently with researchers at Awake Security who discovered what is understood to be “the most far-reaching malicious Chrome store campaign to date”.

Awake found more than 70 malicious extensions which had evaded Google’s screening process and were subsequently downloaded 32 million times by Chrome users. The extensions contained spyware and stole users’ browsing history and data that provided credentials for access to internal business tools. Google declined to comment on why it failed to detect these malicious apps or the scale of damage. Google had promised to scrutinize extensions more closely after a previous breach in February saw extensions steal data from 1.7 million users.

As mentioned above Google had, as of earlier this year, promised to clean up the Chrome store (as well as the Android play store), but the issue of malicious apps keeps on cropping up. Is this an issue of Google just not putting enough effort into keeping their app stores clean, or are they losing the battle against the speed at which these apps are being created?

browser-based port scanning

eBay were recently “caught” or called out on a practice whereby they are doing browser-hosted port scans of site visitors’ systems.

It turns out that a number of large sites are using ThreatMetrix’s anti-fraud script to determine whether site visitors’ systems are infected with malware or other nefarious stuff. I’m guessing that they’ll either notify visitors of the malware or block them outright from proceeding with the site visit.

You might regard this as a legitimate action. Or not. Personally I’d say no to this practice.

microsoft edge

Microsoft decided that instead of continuing with the broken mess that was Internet Explorer and the legacy Edge, they would just take Google’s Chromium code (seeing as it’s open source) and create a new browser called Edge. Smart move.

Technically, Edge, being based on Chromium with some Microsoft adjustments, is a pretty good browser. And Microsoft should have let it stand on its own, but they decided that it had to be forced onto Windows users. Not cool.

As of a few weeks ago, Microsoft have been installing the new Edge on PCs as part of Windows 10 updates. But many users aren’t impressed. Users are reporting on various platforms that when their PCs and laptops restart after installing a Windows 10 update, they are greeted by a full-screen splash page (FRE – First Run Experience) welcoming them to the world of the new Microsoft Edge web browser. There is no way to bypass this. You have to set it up before you can proceed, whether you want to at that time or not.

Microsoft then pins the Edge browser icon to the Windows 10 taskbar, which can spoil a carefully laid-out taskbar for many users, and adds an Edge icon to your desktop. And you can’t uninstall the new Edge browser … it’s now an integral part of the OS.

Microsoft had ended support (and updates) for Windows 7 in the middle of January this year. But the new Edge seems to have been enough motive for Microsoft to dust off the Windows 7 update solution and push one more update through it. So Windows 7 (and 8.1) users have also been receiving the new Edge update.

Considering that Windows 7 still has around 20% of the desktop market, it’s understandable that this is a significant advertising surface for them.

Still, there’s a lot of unhappiness around this …

chrome address bar – omnibox!

There has been a lot of grumbling (especially from my side) regarding the recent changes Google has made to the Chrome address bar (also called the omnibox). By default, Chrome has removed the http/https moniker at the start of a URL, as well as the www and mobile or m prefixes.

There are many reasons this is a stupid move, but Google, which initially backtracked on these changes, is adamant that they are here to stay.

“The Chrome team values the simplicity, usability, and security of UI surfaces. To make URLs easier to read and understand, and to remove distractions from the registrable domain, we will hide URL components that are irrelevant to most Chrome users. We plan to hide “https” scheme and special-case subdomain “www” in Chrome omnibox on desktop and Android in M76.”

Some problems with the changes:

  • www.domain.com, m.domain.com and domain.com are all separate DNS records (be they A or CNAME types). It’s often important to discriminate between the variants
  • as an IT engineer (and for many other technical types), it’s critical to know if you are on an SSL-encrypted site or not
  • copying and pasting URLs is now problematic

To show the true/actual URL, you now have to click in the omnibox twice to reveal the protocol (http or https) and whether there is a www prefix or not.
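The first bullet above can be demonstrated by applying the hiding rules to a handful of URLs (an added example, not code from the original post or from Chrome). It implements the rules as the quoted policy states them, hiding the “https” scheme and a leading “www.” (plus the “m.” mobile prefix mentioned above), and then reports which displayed strings cover more than one real origin. The URLs are constructed for the example.

```javascript
// Added example: how the omnibox hiding rules collapse distinct origins onto
// one displayed string. Node's WHATWG URL parser does the URL handling.

// What the user would see for a given URL under the rules quoted above:
// "https" is elided (other schemes stay visible), and a leading "www." or
// "m." label is dropped from the host.
function displayedAs(rawUrl) {
  const u = new URL(rawUrl);
  const host = u.hostname.replace(/^(www|m)\./i, '');
  let shown = host + (u.port ? ':' + u.port : '') + u.pathname.replace(/\/$/, '');
  if (u.protocol !== 'https:') shown = u.protocol + '//' + shown;
  return shown;
}

// Group URLs by their displayed form and return only the groups that hide
// more than one distinct origin (scheme + host + port). Each such group is a
// set of different DNS names and/or schemes that the user cannot tell apart
// without clicking into the omnibox.
function ambiguousGroups(urls) {
  const groups = new Map();
  for (const raw of urls) {
    const key = displayedAs(raw);
    if (!groups.has(key)) groups.set(key, new Set());
    groups.get(key).add(new URL(raw).origin);
  }
  const out = {};
  for (const [key, origins] of groups) {
    if (origins.size > 1) out[key] = [...origins].sort();
  }
  return out;
}

// Constructed sample: three different hostnames and two schemes.
const SAMPLE_URLS = [
  'https://www.example.test/login',
  'https://example.test/login',
  'https://m.example.test/login',
  'http://www.example.test/login',
];

console.log(ambiguousGroups(SAMPLE_URLS));
```

The three https variants all display as “example.test/login” even though they resolve through separate DNS records; only the plain-http one stays distinguishable, because the rules leave its scheme visible.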

There used to be a flag (chrome://flags/#omnibox-ui-hide-steady-state-url-scheme-and-subdomains) that you could clear to disable this “feature”. Unfortunately it appears to have been removed in the current version of Chrome and Chromium. Somebody must really want us to remain ignorant.

Mozilla will be doing something more intuitive in upcoming versions of Firefox: https will be removed from the address bar, however if a site is http, then that will be displayed. Smart.

Hopefully Google wakes up and learns something from this.


Of course, other browsers also have their issues but Chrome, being the market leader, is going to have the lion’s share of scrutiny and probably the lion’s share of issues.

It’s also clear that Mozilla’s Firefox has been making far more effort in terms of privacy and security controls than Google. And for obvious reasons: Mozilla does not have to play a balancing game with its browser like Google has to with Chrome – Google is certainly hesitant to cripple its advertising cash cow by locking down its browser too much. Every security and privacy control that Chrome provides is a potential block on advertising revenue (e.g. the recent changes in Chrome that effectively stopped ad-blockers from working), so they are trying to strike a balance, one that seems to be leaning towards advertising for the moment.

And so, what to do? I think it’s time for the Chrome faithful to look at alternatives.