Browser Vulnerabilities

The Chrome browser and its derivatives Opera and Edge were recently (January 2023) found to be vulnerable to Symstealer an attack that can be used to steal files from the host computer. The attack relies on visiting a compromised website and downloading files that can be subsequently shared by the attacker.

There may not have been any actual exploitation of this vulnerability but the use case has been proven and Chrome v108 has been patched to close off this attack. A proposed dangerous implementation would have been to host a fake cryptocurrency wallet site. The visitor is tricked into recovering their wallet keys and information required to access the wallet is stolen by the hacker.

The CVE website lists thousands of known exploits for many computer applications including Chrome (2,595 at the time of writing) and Firefox (2,129). Recorded incidents date from over a decade in the past to within the last 24 hours. Many of the listed vulnerabilities are not considered a significant risk or have long since been secured.

The typical browser vulnerability would be some error or omission that allows a hacker to write code on a website that will take advantage of that oversight to do harm. If browser use were to be restricted to known trusted sites that could not possibly have been hacked then any risk is minimal. Unfortunately outside of a closed Intranet this is unlikely to be the case. Even a careful browser user might be exposed through automated advert engines pushing compromised content onto previously ‘safe’ websites.

These issues will be kept under control by always running the most recent version of a browser and if possible setting it to auto-update. Unfortunately as browsers become more complex so do their system requirements and some older or simpler operating systems cannot be upgraded to a state where they can run the most up to date browser solutions. This might be the case in an aging device that can only run older or cut down/light operating systems. In such cases the user should accept that their device might be compromised and restrict its on-line use to relatively harmless sites and be very wary of inputting any personal or financial information.

Another avenue of attack is through browser plug-ins or add-ons. These provide additional functionality within the browser but very few are coded in house by the browser developers. The Mozilla protection engine might be restricted to the warning text:

‘This add-on is not actively monitored for security by Mozilla. Make sure you trust it before installing’.

Even where a plug-in appears functional and worthwhile it may in time drop behind the development of the hosted browser exposing a security loophole.

Consider the Adobe Flash plug-in. Once an almost essential tool for playing animations and interacting with pages. It could be manipulated as a threat vector but probably fell out of favour as more open web technologies became available to do similar tasks rather than as a security concern. Previously web page coders found the usefulness of Flash outweighed the security concerns. In a similar way as web technology continues to evolve some plug-in functions may become unnecessary.

Where plug-ins have been used the installer should regularly check for updated versions. If the plug-in has not been updated for some time or is not being regularly used it should be deleted (not just disabled) and if necessary an alternative found.

An added risk is that a plug-in may be expressly crafted to deceive as opposed to being a case of well-meaning but insufficiently robust code. This category of plug-in is unlikely to be hosted on official browser stores for long, if at all. Distribution instead relies on look-alike sites and SPAM marketing to encourage users to download and install. The prospective user should check up on a plug-in through user reviews and search engine results. These could also be faked but when scammers are around there are often warning signs if key words from their campaigns are searched for.

More from Security

13/05/2024

eCommerce Shop Scams

Data from Security Research Labs has revealed a China based fake shopping network that they have named ‘BogusBazaar.’  They claim that: ‘As of April …

Read post

08/05/2024

Lockbit Ransomware Takedown

In February 2024 the UK National Crime Agency released details of how the NCA and other international policing agencies had disrupted the actions of …

Read post

23/04/2024

UK Cyber security breaches survey 2024

Lies, damned lies, and statistics (attributed to Disraeli) The UK Cyber Security Breaches Survey 2024 was published on 9th April 2024.  Not surprisingly it …

Read post

25/03/2024

Digital Gift Card Issues

Both Apple and Google offer gift card services for use on their App stores.  Just as it states on the tin the card can …

Read post

Sign Up

Sign up to our newsletter list here.

    Successful sign up

    Thank you for signing up to our newsletter list.

    Check your inbox for all the latest information from Kindus

    Categories