Browser Vulnerabilities

The Chrome browser and its derivatives Opera and Edge were recently (January 2023) found to be vulnerable to SymStealer, an attack that can be used to steal files from the host computer. The attack relies on the victim visiting a compromised website and downloading files that can subsequently be shared by the attacker.

There may not have been any actual exploitation of this vulnerability, but the use case has been proven and Chrome v108 has been patched to close off this attack. One proposed dangerous implementation would have been to host a fake cryptocurrency wallet site: the visitor is tricked into recovering their wallet keys, and the information required to access the wallet is stolen by the hacker.

The CVE website lists thousands of known vulnerabilities for many computer applications, including Chrome (2,595 at the time of writing) and Firefox (2,129). Recorded incidents date from over a decade in the past to within the last 24 hours. Many of the listed vulnerabilities are not considered a significant risk or have long since been secured.

The typical browser vulnerability is some error or omission that allows a hacker to write code on a website that takes advantage of that oversight to do harm. If browser use were restricted to known trusted sites that could not possibly have been hacked, the risk would be minimal. Unfortunately, outside of a closed intranet this is unlikely to be the case. Even a careful browser user might be exposed through automated advert engines pushing compromised content onto previously ‘safe’ websites.

These issues will be kept under control by always running the most recent version of a browser and, if possible, setting it to auto-update. Unfortunately, as browsers become more complex so do their system requirements, and some older or simpler operating systems cannot be upgraded to a state where they can run the most up-to-date browsers. This might be the case on an aging device that can only run older or cut-down/light operating systems. In such cases the user should accept that their device might be compromised, restrict its online use to relatively harmless sites and be very wary of inputting any personal or financial information.

Another avenue of attack is through browser plug-ins or add-ons. These provide additional functionality within the browser, but very few are coded in-house by the browser developers. The Mozilla protection engine might be restricted to the warning text:

‘This add-on is not actively monitored for security by Mozilla. Make sure you trust it before installing’.

Even where a plug-in appears functional and worthwhile, it may in time drop behind the development of the hosting browser, exposing a security loophole.

Consider the Adobe Flash plug-in, once an almost essential tool for playing animations and interacting with pages. It could be manipulated as a threat vector, but it probably fell out of favour because more open web technologies became available to do similar tasks rather than because of security concerns. Previously, web page coders found that the usefulness of Flash outweighed the security concerns. In a similar way, as web technology continues to evolve, some plug-in functions may become unnecessary.

Where plug-ins have been used, the installer should regularly check for updated versions. If a plug-in has not been updated for some time or is not being regularly used, it should be deleted (not just disabled) and, if necessary, an alternative found.
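
The check described above can be scripted. The following is an added example, not part of the original article: it flags user-installed add-ons that look stale or are disabled but still installed. It assumes the field names of the extensions.json file found in a Firefox profile; the add-on names, dates and the 365-day threshold are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of a Firefox profile's extensions.json
# (field names assumed from that file; every add-on listed here is invented).
SAMPLE = json.dumps({"addons": [
    {"id": "fresh@example.invalid", "type": "extension", "location": "app-profile",
     "version": "4.2.0", "active": True, "userDisabled": False,
     "updateDate": 1700000000000, "defaultLocale": {"name": "Fresh Tool"}},
    {"id": "old@example.invalid", "type": "extension", "location": "app-profile",
     "version": "1.0.3", "active": True, "userDisabled": False,
     "updateDate": 1600000000000, "defaultLocale": {"name": "Old Helper"}},
    {"id": "parked@example.invalid", "type": "extension", "location": "app-profile",
     "version": "2.1.0", "active": False, "userDisabled": True,
     "updateDate": 1700000000000, "defaultLocale": {"name": "Parked Tool"}},
    {"id": "builtin@example.invalid", "type": "extension", "location": "app-builtin",
     "version": "1.0", "active": True, "userDisabled": False,
     "updateDate": 1500000000000, "defaultLocale": {"name": "Built-in Part"}},
]})

STALE_DAYS = 365  # assumed threshold for "not updated for some time"

def audit_addons(raw_json, now, stale_days=STALE_DAYS):
    """Return (name, version, reasons) for each add-on that needs review."""
    findings = []
    for addon in json.loads(raw_json).get("addons", []):
        # Only user-installed extensions; skip themes and browser built-ins.
        if addon.get("type") != "extension" or addon.get("location") != "app-profile":
            continue
        reasons = []
        updated_ms = addon.get("updateDate") or addon.get("installDate")
        if updated_ms is None:
            reasons.append("no update date recorded")
        else:
            updated = datetime.fromtimestamp(updated_ms / 1000, tz=timezone.utc)
            age = (now - updated).days
            if age > stale_days:
                reasons.append(f"not updated for {age} days")
        # Disabled add-ons stay on disk; the advice is to delete them.
        if addon.get("userDisabled") or not addon.get("active", False):
            reasons.append("disabled but still installed")
        if reasons:
            name = (addon.get("defaultLocale") or {}).get("name") or addon.get("id", "?")
            findings.append((name, addon.get("version", "?"), reasons))
    return findings

if __name__ == "__main__":
    for name, version, reasons in audit_addons(SAMPLE, datetime.now(timezone.utc)):
        print(f"{name} {version}: " + "; ".join(reasons))
```

The update date recorded locally only shows when this installation last received a new version, so a flagged add-on should still be checked against its store listing before it is removed.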

An added risk is that a plug-in may be expressly crafted to deceive, as opposed to being a case of well-meaning but insufficiently robust code. This category of plug-in is unlikely to be hosted on official browser stores for long, if at all. Distribution instead relies on look-alike sites and spam marketing to encourage users to download and install. The prospective user should check up on a plug-in through user reviews and search engine results. These could also be faked, but when scammers are around there are often warning signs if key words from their campaigns are searched for.
