Showing posts with label Web Browsers. Show all posts

Friday, May 31, 2013

Sandcat - Penetration Testing Oriented Browser for Pen-Testers

Sandcat Browser brings unique features that are useful for pen-testers and web developers

Sandcat is targeted at penetration testers (people who test websites for security holes) but could also be useful for developers, or anyone else who would like a little more low-level control over their browsing. It is a capable security-testing and developer-oriented browser.

Sandcat Browser is a freeware, portable, pen-test oriented, multi-tabbed web browser with extension support, developed by the Syhunt team. It is built on top of Chromium, the same engine that powers the Google Chrome browser, and uses the Lua language to provide extension and scripting support.

Version 4.0 brings many useful security- and developer-oriented tools and a fast scripting language, with features for pen-testers such as:
  • Live HTTP Headers — built-in live headers with a dedicated cache per tab and support for preview extensions
  • Sandcat Console — an extensible command line console that allows you to easily run custom commands and scripts in a loaded page
  • Resources tab — allows you to view the page resources, such as JavaScript files and other web files.
  • Page Menu extensions — allows you to view details about a page and more.
  • Pen-Tester Tools — Sandcat comes with a multitude of pen-test oriented extensions. This includes a Fuzzer, a Script Runner, HTTP & XHR Editors, Request Loader, Request Replay capabilities, Tor support and more.
Features inherited from Chromium include:
  • Multi-Process Architecture — each tab is its own process
  • Developer Tools — in addition to the Chromium Developer Tools, Sandcat comes with a Source Code Editor and its own JavaScript and Lua consoles.

Wednesday, June 20, 2012

Enable Do Not Track Feature In Web Browsers

How to enable the “Do Not Track” feature in the web browser you are using

You may not be aware that the modern web browser you are using is tracking every detail of what you do, which might not be put to good use. Good or bad, I’m not sure, but how would it feel if someone followed your every click, every web page you surf and every detail you enter somewhere? What it could mean, even I’m not sure.


But there are some features and settings which might put a stop to all these activities: a simple setting the user has to tweak in order to enable the Do Not Track feature. Most modern web browsers support the “Do Not Track” feature; you just have to enable it for it to work.


Let’s start with Google Chrome.

Unfortunately, there’s no built-in setting with which you can enable the Do Not Track feature in Google Chrome, but there are many Google Chrome extensions you can use to add the “Do Not Track” feature to it. So, simply use this Google Chrome extension to avoid any kind of web tracking. Just make sure you are using the latest Google Chrome web browser, at least version 17 or later. Add it, enable it, and you are free from spying.


Enable Do Not Track Feature In Mozilla Firefox

We don’t need any add-on to enable the Do Not Track feature in Mozilla Firefox. Just follow this quick tweak in the Mozilla Firefox privacy settings and you are done. That’s the beauty of it.
  • Click on the Firefox button.
  • Move over to Options.
  • Under the Privacy tab, check the box that says “Tell websites I do not want to be tracked”. Click OK, and there you are, a free bird.

Enable Do Not Track Feature In Internet Explorer

To add that feature in Internet Explorer, visit this Do Not Track Test Page and, under the heading that says “To express your preference not to be tracked in IE9”, click on that link. Make sure you are clicking it using Internet Explorer 9.

Sunday, February 26, 2012

Google Chrome to offer easy-way to construct stronger passwords

Google Password Generator in the Works

Google is in the process of developing a tool to help users generate strong passwords for the various and sundry Web sites for which they need to register and authenticate. The password-generator is meant to serve as an interim solution for users while Google and other companies continue to work on widespread deployment of the OpenID standard.

The tool that Google engineers are working on is a fairly simple one. For people who are using the Chrome browser, whenever a site presents them with a field that requires a password, Chrome will display a small key icon, letting the users know that they could allow Chrome to generate a password for them.
"Detecting when we are on a page that is meant for account sign up will be most of the technical challenge. This will likely be accomplished via heuristics (i.e. there is an account name field and two password fields). If we determine that this is a signup page, then we will add a small UI element to the password field. If the user clicks on this element, we will pop up a small dialogue box next to field asking the user if they would like Chrome to manage this password for them," the project page on Chromium Projects says.
"If they accept the prompt then we pop up a small box which is prepopulated with what we think is an acceptable random password. The reason we don't just choose a password for them is that many sites have requirements (e.g. must have one digit, must be alphanumeric, must be between 6 and 20 characters) some of which may be contradictory between sites.

So we will choose a default generator that will work on most sites, but users may need to change our password if it doesn't work. We can skip this for sites that have 'pattern' set on the password field. Long term we can hopefully also gather some aggregate information from UMA users about the form of passwords they generated so that this whole process can be skipped for the vast majority of sites."
Password management has become a major pitfall for many users in recent years as the number of sites that require authentication has exploded. As users have been required to register with more and more sites and services, including mobile apps and games, many of them have naturally tended to re-use passwords and use weak or easily guessable ones.

This has been a boon for data thieves who, after stealing a database of usernames and passwords from one retailer or Web site, find that they often can compromise any number of other accounts belonging to those victims simply by re-using the passwords.

A variety of services and products have emerged to help address the problem of password generation and management, including applications that will generate random passwords or store existing passwords in an encrypted form. But the problem has persisted.

Google's password generator, which is in the development stage, won't be able to protect users in every scenario. It's meant for use in situations where users are signing up for a new service or need to set a new password. In situations where a user is simply signing in to an existing account, it won't be of use. It also may not protect against a majority of phishing sites.
"Any website that has autocomplete turned off will not be able to be protected. Going by current phishing attacks, this means that 40-70% of phishing pages can't be protected against. Once this feature is rolled out we probably want to see if we can get around this problem. Maybe we can get users to re-authenticate to the browser before logging into such sites," the Google documentation says.

Monday, July 4, 2011

Hole in Google Chrome that granted unauthorised access to gmail accounts

Web extensions to become a new attack vector

A penetration tester has exploited a hole in Google Chrome that granted unauthorised access to Gmail accounts.

WhiteHat Security researcher Matt Johansen identified the vulnerability in a Chrome OS note-taking application. He disclosed the hole to Google which patched it and gave him US$1000 as part of its Chromium security initiative.

Johansen told Reuters he intercepted data travelling between a Chrome browser extension and the Google cloud. Google has not yet revealed details of the security hole which Johansen plans to release at the Black Hat conference in Las Vegas this year.

Google extensions, written by third-party software developers, were a ripe target for attack because they were granted more privileged access to Google cloud data than the browser offered to web sites.

WhiteHat Security detailed in a 2007 research paper a series of web application security vulnerabilities that could also be used to attack web browser extensions in Chrome and Mozilla Firefox.

Chrome OS director Caesar Sengupta said there are "significant benefits to security" by storing apps within the browser.

Tuesday, March 8, 2011

Watch out for "Boy-in-the-Browser" attacks - (BitB)

Boy-in-the-Browser attacks are hard to detect, BUT easier to execute

The Boy in the Browser is a sophisticated trojan, a "dumbed-down" version of MitB. In essence, a BitB is a less mature version of the MitB trojan, hence the name.

With a BitB, the trojan takes control of the victim's traffic and re-routes the information through an attacker's proxy site. It is very difficult to detect, since the victim's address bar continues to present the address of the intended destination. For example, you, as an infected victim, are surfing to a bank's website, but in fact that traffic is sent to the attacker. Yet, in your browser, you appear to continue to the bank's normal website.

Once all traffic is re-routed via the attacker, the attacker can do whatever it wants with that data. For example:

  • It can act as a proxy just logging sensitive information before passing the request on to the original destination.
  • It can act as an "active" proxy, modifying requests (for example, to transfer a sum to a different bank account) before passing them on.
  • Committing fraud schemes. For example, we have seen a scheme which defrauds Google.

This is a growing, resurging trend amongst hackers, since, in short, it works. Because these trojans evolve so quickly, anti-virus products do not always detect variants. More people fall prey to these attacks as they are so difficult to detect. Hackers have realized this and are continuing to release more and more variants of BitBs.

A Man in the Browser intercepts user requests and server responses while "sitting" in the victim's browser. In effect, it listens directly on that communication. For example, when the victim is authenticated to the bank and requests a transfer from his checking account to his savings account, the trojan may modify that request in order to make a transfer from the checking account to an account in Ukraine.

In the case of a BitB, the trojan redirects the traffic to a third-party site, which is an attacker-controlled server. This means that traffic does not go directly to the bank; rather, it passes through that extra hop. Only at that server can the attacker modify the transaction request before passing it along to the original destination.

Let's consider MitBs first – these are a huge deal for enterprises and banks to deal with, for the following three reasons:

  • They impact user transactions.
  • They are very difficult to detect.
  • They last a long time.

Similarly to the MitB, BitB is just as dangerous and just as hard to detect. However, this sort of attack requires far fewer resources for attackers to execute. There are two main required resources:

1. The trojan code.
2. Attacker-controlled server.

As opposed to MitB, the BitB trojan code is much simpler to write. It is a very short piece of code to redirect the traffic. As for the server, the attacker just needs a domain. Today's automated tools will set up the server within just a couple of clicks. The BitB setup is a no-brainer. However, the MitB code is much more complicated. Consider your banking application. It has tabs for different operations, different options for transactions and, in general, is quite a complex application. The MitB code needs to be customized for each of these operations in order to hook into each of the application's features. The big guns are required to carry out these MitB schemes.

Each of these trojans has the same impact and scares banks and businesses alike. BitB is much easier for an attacker to pull off. However, it is most useful for a one-shot sting operation. Once uncovered, the attacker-controlled server is shut down and business is as usual. On the other hand, MitB attacks are a continuing process, much more difficult to fight off once uncovered. In that case there is no single pain-point to bring down.

Imperva has witnessed BitB resurging as a tool of attack. Below are a couple of notable cases that they have seen:

1. Nine Latin American banks were targeted. This is one more piece of evidence that BitB is in fact a lucrative scheme. As hackers gain from this sort of attack, they continue to target numerous banks.

2. Click fraud. This is an interesting scheme since the target is not a banking application; rather, it is used in order to commit fraud, in this case to defraud Google. A victim accessing a regional domain of Google, for example www.google.co.uk, would be redirected to the attacker-controlled server. When the user performs a query, the attacker fetches the results and ads from Google, but serves them on his own page. The result is that when the user clicks on a specific ad, the commission is attributed to the attacker, and not to Google. 36 Google regional domains were targeted in this scheme, showing that the attackers aimed to target victims worldwide.

The Latin American banks were a classic case which provided no visual clues as to the traffic take-over. On the other hand, with the click fraud campaign, the visual clues were ridiculously apparent, as we show in our advisory on the site.

Imperva's research arm, the ADC, has established the Hacker Intelligence Initiative (HII). Under this initiative, the researchers attempt to understand the threat landscape. Their research methods involved:

1. Tapping into hacker forums
2. Monitoring and recording attacker traffic
3. Analyzing attacker resources

As part of the HII's ongoing research, they witnessed these campaigns being carried out. The team started investigating, and this led to a further understanding of hacking operations.

Although BitB is presumably the consumer's problem, one cannot expect the user to know that his browser is under an attacker's control. For the sake of comparison, even anti-virus products do not flag most of these trojans as malware, as they are modified so quickly. It is time, then, for online services such as banks and retailers to recognize this problem and provide solutions. Similar to the car industry, where accidents drove the manufacturers to deal with car safety by providing seat belts, anti-lock brake systems, air bags, etc., the online banks need to consider how to deal with infected customers.

Boy-in-the-Browser attacks have the same impact as a Man-in-the-Browser attack and are just as hard to detect, BUT they are easier to execute. Banks need to start paying more attention to these types of attacks and provide the correct response to deal with them.

Tuesday, January 18, 2011

Open WiFi and Firesheep

Hijack Facebook Using Firesheep

What’s new about Firesheep isn’t the exploit – HTTP session hijacking has been well known for years – it’s that Firesheep is a simple Firefox plug-in that is available to anyone and requires no technical expertise to utilize. In other words it allows anyone with Firefox and Firesheep to be a hacker. No experience required.

What’s the problem with unsecured WiFi?

If you connect to the internet at unsecured WiFi hotspots, like say your favorite coffee shop or book store, then you have always been at risk of the vulnerability exploited by Firesheep. So what exactly is this vulnerability?

This exploit is commonly referred to as HTTP session hijacking or side-jacking and, it’s been known and used by bad guys for a very long time. Up until now it required some modicum of expertise on the part of the hacker to accomplish a side-jacking attack. The attacker had to use a packet sniffer to capture all those packets flying around, decode the packets to find session cookies in the clear and then create spoofed session cookie responses to join your session. For experienced hackers this wasn’t terribly challenging since they usually had software that would automate the process.

Firesheep was developed for the express purpose of exposing the HTTP session hijacking problem to everybody on the internet, ostensibly to force sites like Facebook to quit making it so easy. This Firefox plugin is named for the notorious Blackhat Wall of Sheep where clueless, unsuspecting users’ unprotected private information is intercepted and displayed very publicly. If you are foolish enough to attend the Blackhat conference in Las Vegas without seriously locking down your communications you will end up on the Wall of Sheep where you will be mocked and worse by other participants.

Firesheep automates side-jacking attacks in a very simple way by building it all right in to your Firefox browser. Facebook advised checking their new Account Security Page, which gives you a history of sign-ins by IP address thereby letting you know if there are two IPs currently signed-in from the same access point.

Anti-Firesheep tools like Fireshepherd were released. Written by Gunnar Atli Sigurdsson, an electrical engineering student at the University of Iceland, Fireshepherd periodically jams the local wireless network with a string of junk characters intended to crash Firesheep when the snooping program reads them.

How can websites keep you secure over unsecured WiFi?

The vulnerability that is exploited by side-jacking has been well understood for years, and so has the solution / mitigation. Consequently, your bank has been using this more secure mechanism for most of those years.

On Internet banking websites, an HTTP over SSL (HTTPS) connection is established before you send your credentials to your bank’s web site. But note that after your credentials are validated, the secure HTTPS connection is maintained for the entire session. In other words, once you establish that secure encrypted channel with your bank, everything for the entire session is protected. I know what you’re thinking now:

Why don’t Facebook, Twitter and Flickr do their sessions like this? Clearly they have the SSL capability, because they use it for the logging-in part of the session. It turns out that Eric Butler, the developer of Firesheep, was motivated by exactly these questions. Quoting from the announcement on his blog:

This is a widely known problem that has been talked about to death, yet very popular websites continue to fail at protecting their users. The only effective fix for this problem is full end-to-end encryption, known on the web as HTTPS or SSL.

There are several reasons that websites don’t use strictly HTTPS sessions. First, they want their sites to be accessible to the largest possible audience, including users of older mobile devices that may not support HTTPS connections. Second, there is a lot more overhead involved on both ends when everything is encrypted. Those are the main reasons, but I don’t mean to imply that they are good reasons. The first reason may have been valid five years ago, but smart phones and other portable devices have come a long way in that time. The second reason may have been valid before broadband internet connections were ubiquitous, but certainly no one in a WiFi hotspot is connecting via a modem at 28K. Besides, it would be easy to keep the legacy mode connection for those few users who actually have old smart phones or dial-up connections. As always, the real reason is financial.

They would have to develop and roll out changes not only to the web servers but to all of those slick little apps that everybody is using. Remember the problems that Microsoft encountered when making Hotmail use full-time HTTPS that were mentioned earlier.
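
The side-jacking condition described above, as an added example (not from the original post) in JavaScript: a small auditor that parses Set-Cookie headers and reports a session cookie that would ride along on plain-HTTP requests after an HTTPS login. The cookie names, the domain and the session-name pattern are constructed assumptions.

```javascript
// Added example (not from the original post): audits Set-Cookie headers the
// way a side-jacking review would. A session cookie that lacks the Secure
// attribute is sent on plain-HTTP requests too, which is exactly what a
// sniffer on open WiFi can capture. Sample headers below are constructed.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    secure: false, httpOnly: false, sameSite: null, domain: null,
  };
  for (const attr of attrs) {
    const [k, v] = attr.split('=').map(s => s.trim());
    switch (k.toLowerCase()) {
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'samesite': cookie.sameSite = (v || '').toLowerCase(); break;
      case 'domain': cookie.domain = (v || '').replace(/^\./, '').toLowerCase(); break;
    }
  }
  return cookie;
}

// Assumed pattern for names that usually carry the authenticated session.
const SESSION_NAME_RE = /sess|sid|auth|token|login/i;

// Would a browser attach this cookie to a request for `url`?
// Simplified: scheme and host only, no Path matching.
function sentWith(cookie, url, setFrom) {
  const u = new URL(url);
  if (cookie.secure && u.protocol !== 'https:') return false;
  const host = (cookie.domain || new URL(setFrom).hostname).toLowerCase();
  return u.hostname === host || u.hostname.endsWith('.' + host);
}

// Returns a list of findings for one Set-Cookie header received from setFrom.
function auditSetCookie(header, setFrom) {
  const c = parseSetCookie(header);
  const findings = [];
  // The sidejacking case: the same host reached over plain HTTP.
  const plainUrl = 'http://' + new URL(setFrom).hostname + '/';
  if (SESSION_NAME_RE.test(c.name) && sentWith(c, plainUrl, setFrom)) {
    findings.push(`${c.name}: session cookie is sent over plain HTTP (missing Secure)`);
  }
  if (!c.httpOnly) findings.push(`${c.name}: readable by script (missing HttpOnly)`);
  if (!c.sameSite) findings.push(`${c.name}: no SameSite attribute`);
  return findings;
}

// Constructed responses: the "HTTPS for login only" pattern vs. full HTTPS.
const LOGIN_ONLY = 'sessionid=abc123; Path=/; Domain=.social.example';
const FULL_HTTPS = 'sessionid=abc123; Path=/; Domain=.social.example; Secure; HttpOnly; SameSite=Lax';
const ORIGIN = 'https://social.example/login';

if (typeof require === 'function' && require.main === module) {
  console.log('login-only HTTPS:', auditSetCookie(LOGIN_ONLY, ORIGIN));
  console.log('full HTTPS:', auditSetCookie(FULL_HTTPS, ORIGIN));
}
```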

What can you do to be secure over unsecured WiFi?

So while popular websites like Facebook are trying to figure out how they can fix this problem with the smallest amount of effort, what can you and I do if we want to mess around on Facebook while enjoying a latte at our favorite coffee shop? There are several approaches you can take, but the goal is to create a secure connection between your web browser and the insecure website. The best way to do this is to connect to a secure Virtual Private Network (VPN) and, once that secure connection is established, surf wherever you like, since the last hop on the journey to and from your web browser will be secure. This is great if you have access to a VPN like most road warriors use to connect to the office. The problem with that is that most businesses take a dim view of using VPN bandwidth and company resources to play around on Facebook.

You could install a VPN at home, but that is not an exercise for the fainthearted. There are some subscription based VPN services such as Hide My Ass (HMA http://hidemyass.com/ vpn/) that will provide a VPN to anyone for a fee. It’s not terribly expensive (1 month for around $12 US or a year for around $80 US) and is certainly easier than setting up your own VPN and way cheaper than getting fired for misusing the company VPN.

Finally there are browser add-ons that attempt to force HTTPS connections to sites that don’t offer them, like say Facebook, Twitter or Flickr. Unfortunately there are many websites where these just won’t work. Furthermore most of these add-ons are implemented as intrusive toolbars and egregious ad-ware.

Friday, January 14, 2011

Google Sandboxes Flash Player

Chrome's 'dev' build for Windows now blocks Flash attack code from infecting PCs

Google has introduced a sandboxed version of Adobe’s Flash Player in order to protect users from Flash-based attacks. According to tech news site Computer World, Google has been working with Adobe to move Flash Player into the sandbox that comes with Google’s Chrome web browser. Users, especially those with PCs running Windows XP, have been facing a number of security threats through holes found in Adobe’s Flash Player. The move is set to help protect them from potential attacks exploiting those vulnerabilities by containing the platform in a sandbox rather than running it directly on the system.

The Windows version of the Chrome web browser with the sandboxed Flash Player is already available for developers, with the public version in the works as well. Peleus Uhley, Adobe’s platform security strategist, said in a statement: "The interfaces to open-source browsers are completely different from, say, Internet Explorer, and we had to restructure Flash Player to put it in a sandbox."

Tuesday, November 30, 2010

Android Data Stealing Vulnerability

Android Browser Flaw Allows Data Theft

A new vulnerability has been discovered in the Android web browser that could allow hackers to steal files stored on the smartphone's SD card.

According to security expert Thomas Cannon, the flaw automatically allows payload data to be downloaded to the device's SD card. A few tweaks to a piece of JavaScript will allow the files on the SD card to be opened, making the data readable, he said.

Once the JavaScript has stored the contents of the targeted file, it will then post it to the malicious website. He warned that the flaw is present on multiple handsets and multiple Android OS versions. The security expert has posted a video on his website showing the Android browser exploit in action.

“I notified the Android Security Team on 19-Nov-2010 and to their credit they responded within 20 minutes, took it seriously, and started an investigation into the issue. They have since updated me to say they are aiming for a fix to go into a Gingerbread maintenance release after Gingerbread (Android 2.3) becomes available,” he said.

Refer here to read more details.

Thursday, August 12, 2010

Internet Explorer 9 to launch to public on 15 September

IE9 will run on Windows XP


Microsoft yesterday updated its bare-bones preview of Microsoft Internet Explorer 9 (IE9) for the last time, saying that the next release would be a beta build.

Although Microsoft hasn't named a release date for IE9's beta, the six-to-eight week stretch between each Platform Preview may provide a clue: If the company sticks to the same gap between the fourth preview and the beta, the latter should show on or after September 15 - confirming previous messages from Microsoft.


In IE9 Platform Preview 4, Microsoft has integrated its new JavaScript engine into the browser, finished its work on hardware acceleration and boosted performance in several areas, including the Acid3 test, said the IE team's leader.

"The IE9 platform is nearly complete," said Dean Hachamovitch, general manager of IE, in a detailed post on the browser's blog Wednesday.



Unlike production versions, the IE9 preview can run alongside other editions, such as IE7 on Vista or IE8 on Windows 7. However, neither the Platform Preview nor the final version of IE9 will run on Windows XP, a sticking point with some users of that nine-year-old operating system.


Refer here for details.

Tuesday, August 10, 2010

Inside Mozilla's Firefox 4 Security

Content Security Policy (CSP) system will help to mitigate clickjacking

Open source browser vendor Mozilla is readying an ambitious new release of its Firefox Web browser. The third beta of Firefox 4, set to debut sometime this month, is expected to include more stability, features and performance improvements over earlier versions.

Among the areas that Mozilla is focusing on with Firefox 4 are a number of new security features that it says will make the browser even more secure than earlier versions. The new Firefox 4 browser development comes as rival Microsoft pushes its Internet Explorer 9 platform forward and Google continues to accelerate its Chrome browser development.

One of the new security features in Firefox 4 is the Content Security Policy (CSP) effort.

"Content security policy is focused on Cross Site Scripting (XSS) mitigation so it prevents injected scripts from actually running," Brandon Sterne, security program manager at Mozilla, told InternetNews.com. "The site gets to declare a policy that the Firefox browser will then apply to the page and then any content that hasn't been blessed by the site won't be loaded or executed."
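
As an added example (not Mozilla's implementation) of the policy model Sterne describes, here is a simplified JavaScript evaluator: it parses a policy the site declares and decides whether an external or inline script may run. It covers only 'self', 'none', 'unsafe-inline', '*' and host sources; the page origin and the two policies are constructed.

```javascript
// Added example (not Mozilla's implementation): a simplified evaluator for
// the kind of policy the quote describes. A site declares which origins may
// supply scripts; the browser loads nothing else and, unless the policy says
// 'unsafe-inline', refuses inline scripts, which is what an injected
// <script> payload usually is. Policy text and URLs below are constructed.

function parsePolicy(text) {
  const directives = {};
  for (const part of text.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// script-src falls back to default-src when absent.
function sourcesFor(policy, directive) {
  return policy[directive] || policy['default-src'] || [];
}

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Does one source expression allow a script fetched from `url`?
function sourceMatches(src, url, pageOrigin) {
  if (src === "'none'") return false;
  if (src === "'self'") return originOf(url) === pageOrigin;
  if (src === '*') return true;
  if (src.startsWith("'")) return false;   // other keywords never match a URL
  const u = new URL(url);
  // Host-source: optional scheme, optional leading wildcard, host, port.
  const m = /^(?:([a-z]+):\/\/)?(\*\.)?([^:\/]+)(?::(\d+))?$/i.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && u.protocol !== scheme.toLowerCase() + ':') return false;
  if (port && u.port !== port) return false;
  const h = u.hostname.toLowerCase(), want = host.toLowerCase();
  return wildcard ? h.endsWith('.' + want) : h === want;
}

// Decision for an external script (src is a URL) or an inline one (src === null).
function scriptAllowed(policy, pageOrigin, src) {
  const sources = sourcesFor(policy, 'script-src');
  if (src === null) return sources.includes("'unsafe-inline'");
  return sources.some(s => sourceMatches(s, src, pageOrigin));
}

// Constructed page origin and policies: a strict one (inline blocked) and a
// loose one that re-enables inline script and so gives up the XSS benefit.
const PAGE = 'https://app.example';
const STRICT = parsePolicy("default-src 'self'; script-src 'self' https://cdn.example");
const LOOSE = parsePolicy("script-src 'self' 'unsafe-inline' *.widgets.example");

if (typeof require === 'function' && require.main === module) {
  console.log('strict, inline:', scriptAllowed(STRICT, PAGE, null));
  console.log('strict, cdn:', scriptAllowed(STRICT, PAGE, 'https://cdn.example/lib.js'));
  console.log('loose, inline:', scriptAllowed(LOOSE, PAGE, null));
}
```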

Refer here to read more details.

Tuesday, April 6, 2010

Social networking is driving hacker attack strategies

Study says that changes in online users' behaviour – driven largely by the rise of social networking – are pushing hackers to develop ever more sophisticated attack strategies

The report, from Blue Coat Systems, which tapped the data pool generated by its WebPulse security service, says that hackers are developing broader attack strategies, including complex blended threats, faster malware lifecycles and search engine manipulation.

According to Blue Coat, malware is starting to be adapted by hackers in relatively rapid lifecycles – the average lifespan of a typical piece of malware dropped from seven hours in 2007 to just two in 2009, notes the report.

As a result of this faster malware lifecycle, the study says that defences that require patches and downloads are simply unable to keep pace.

Increased reliance on social networking for communication, says Blue Coat, means there is less reliance on web-based email, which dropped in popularity from fifth place in 2008 to ninth place in 2009.

And, the report adds, exploiting user trust drives most common threats. The two most common web-based threats in 2009 – the fake antivirus software and the fake video codec – both exploited user trust on the internet, search engines and social networks.

According to Blue Coat, these were not the 'drive-by' attacks of recent years, nor did they require a vulnerability to exploit other than human behaviour.

Download the report to read the detailed study and findings.

Sunday, November 15, 2009

Firefox Tops Vulnerability List

New study places Firefox at the top of the vulnerability list for the first half of 2009

Application security vendor Cenzic today released its application security trends report for the first half of 2009. In it, Cenzic claims that Mozilla's Firefox browser led the field of Web browsers in terms of total vulnerabilities.

According to Cenzic, Firefox accounted for 44 percent of all browser vulnerabilities reported in the first half of 2009. In contrast, Apple's Safari had 35 percent of all reported browser vulnerabilities, Microsoft's Internet Explorer was third at 15 percent and Opera had just a six percent share.

The 2009 figures stand in contrast to Cenzic's Q3/Q4 2008 report, where IE accounted for 43 percent of all reported Web browser vulnerabilities and Firefox followed closely at 39 percent.

Refer here to read more details.

Thursday, October 1, 2009

Control malicious apps with DEP in IE

DEP helps block malware in Internet Explorer

Internet Explorer 8 includes a security feature that shuts down misbehaving applications before they can harm your system. This capability, known as Data Execution Prevention (DEP), runs by default when IE 8 is installed on XP SP3 and Vista SP1 or later, but it may not always be clear to you why DEP has put the brakes on one of your PC's applications.

DEP is the best reason I know for updating to Internet Explorer 8 and Vista SP1. For many years, Microsoft has included DEP — which is also called No-Execute (NX) — only in parts of Windows. For example, DEP is available in IE 7 but is off by default to avoid conflicts with old, incompatible programs. DEP is now a key part of Vista and Internet Explorer 8. When I try to install older software on newer machines, I must configure Data Execution Prevention to allow the software installer to run with DEP disabled.

To open the Data Execution Prevention dialog in XP, open Control Panel, choose System, and then select the Advanced tab. Click the Settings button in the Performance section and select the Data Execution Prevention tab. In Vista, choose Performance Information and Tools, click Advanced Tools in the left pane, select Adjust the appearance and performance of Windows, and click the Data Execution Prevention tab.

For instance, when I install QuickBooks 2007 on Windows Server 2008, I have to exclude under the DEP tab the QuickBooks updating tool in order to install it on the server. Keep in mind that the only reason I'm doing so is because I trust Intuit, the publisher of QuickBooks. If I didn't change the settings, DEP would prevent me from installing an older version of this software on the newer system.
If I didn't already trust the vendor, I'd look for valid reasons why DEP was blocking the installation before I took the step of changing any DEP settings. In most instances, good, up-to-date software shouldn't need to be excluded from DEP.

Since IE 7, Microsoft has used DEP to help thwart online attacks in the browser itself. What the company didn't do until IE 8, though, was to enable DEP by default. Prior to IE 8, DEP was disabled by default for compatibility reasons, as documented on the IE blog. Many older IE add-ons were built using earlier versions of the Active Template Libraries (ATL). They aren't compatible with DEP, therefore, and crash when IE loads them.

When DEP is enabled and combined with Address Space Layout Randomization (ASLR), IE's ability to protect against Web-based attacks improves considerably. In a nutshell, ASLR is designed to make it harder for automatic attacks to occur. You can read more about ASLR in the MSDN blog.

Specifically, ASLR helps prevent exploits both in IE and in any add-ons that are loaded. Even with the new security protections in IE 7 and 8, the browser is still targeted more often by malware authors than other browsers. This has caused security pundits to state, as Wired's Brian X. Chen does on the Gadget Lab blog, that Apple's new Snow Leopard operating system is "less secure than Windows, but safer."

(If you use Snow Leopard, I encourage you to update your system to OS X version 10.6.1. This includes a patch for the insecure Adobe Flash Player that Snow Leopard shipped with, as documented in an Apple security update.)

There are many protections built into Internet Explorer 8 that, when they trigger, may look to the user like just another annoying browser crash.

Thursday, September 17, 2009

Google Chrome 3.0 arrives with 3,505 bugfixes - Whoaaa!

Google's Chrome browser grows faster and more stable - Really? :)

On Tuesday Google launched Version 3 of its Chrome Web browser, which keeps the pressure on competing tools by boosting JavaScript performance by 25% vs. the latest stable release. Improvements to tabs and video/audio handling round out the major new features in the release of Google Chrome, which can be downloaded here. The update comes about a year after Google Chrome made its debut. "This release comes hot on the heels of 51 developer, 21 beta and 15 stable updates and 3,505 bugfixes in the past year," Google writes on its blog.

Refer here to read the review on NetworkWorld.

Wednesday, August 5, 2009

Multiple Adobe security holes closed

A regular patching cycle isn’t enough for Adobe, as multiple flaws need closing in some of its popular software products.

Adobe has released an out-of-cycle patch for its Flash Player, AIR, Reader and Acrobat software, closing more than 10 vulnerabilities that potentially left users open to attack.

It closes a recent vulnerability in Flash that was highlighted by Symantec and actively exploited in the wild. It also fixes 11 other flaws, including three that stem from vulnerable Microsoft code, the Active Template Library (ATL), compiled into Adobe's products.

All of the fixed vulnerabilities were critical, with most having the potential to allow an attacker to take over a user’s system. Details of how to update the Adobe software can be found in its security bulletin here. Adobe is planning its next regular quarterly security update for Adobe Reader and Acrobat on 13 October.

Adobe has had a very difficult time this year, with its popular Reader and Acrobat products suffering so many problems that a Microsoft ‘Patch Tuesday’ style security update cycle has become necessary.

Cyber criminals see PDF-reading software as a good opportunity to compromise computer systems as well as to install malware.


Thursday, June 25, 2009

Adobe Shockwave critical update

Critical Adobe Shockwave flaw affects millions

Adobe’s Shockwave Player contains a critical vulnerability that could be exploited by remote hackers to take complete control of Windows computers, according to a warning from Adobe.

The flaw affects Adobe Shockwave Player 11.5.0.596 and earlier versions. Details from Adobe’s advisory:

"This vulnerability could allow an attacker who successfully exploits this vulnerability to take control of the affected system. Adobe has provided a solution for the reported vulnerability (CVE-2009-1860). This issue was previously resolved in Shockwave Player 11.0.0.465; the Shockwave Player 11.5.0.600 update resolves a backwards compatibility mode variation of the issue with Shockwave Player 10 content. To resolve this issue, Shockwave Player users on Windows should uninstall Shockwave version 11.5.0.596 and earlier on their systems, restart, and install Shockwave version 11.5.0.600, available here."

This issue is remotely exploitable.


Wednesday, June 3, 2009

Criminals are looking for ways to turn browser vulnerabilities into money.

Security vs. Usability

Usability and security have long been at odds with each other in software design. The web browser is no exception to that rule. When browsing the Web or downloading files, the user constantly needs to make choices about whether to trust a site or the content accessed from that site. Browser approaches to this have evolved over time. For example, browsers used to give only a slight warning if you accessed a site with an invalid HTTPS certificate; now most browsers block sites with invalid certificates and make the user figure out how to unblock them.

Similar approaches are taken with file downloads. Internet Explorer tends to ask the user several times before opening a downloaded file, especially if the file is not signed. Prompting the user to approve actions that are legitimate most of the time creates prompt fatigue, and a fatigued user clicks through carelessly. Browser designers therefore walk a tightrope between software with a "reasonable but not excessive" security posture and a package that is either too open for safety or too closed to be useful. Most browsers today have evolved from the "make the user make the choice" model to the "block and require explicit override action" model.

In some cases the security of the browser has had a major impact on Web site design and usability. Browsers present a clear target for identity theft malware, since a lot of personal information flows through the browser at one time or another. This type of malware uses various techniques to steal users' credentials. One of these techniques is form grabbing - basically hooking the browser's internal code for sending form data to capture login information before it is encrypted by the SSL layer.

Another technique is to log keyboard strokes to steal credentials when the user is typing information into a browser. These techniques have spawned various attempts by Web site designers to provide more advanced authentication with a hardware token and use of various click-based keyboards to avoid key loggers.

Another usability feature of the Web browser that has been attacked by malware is the auto-complete functionality. Auto-complete saves form information in a protected location and presents the user with options for what he typed before into a similar form. Several families of malware, such as the Goldun/Trojan Hearse, used this technique very effectively. The malware cracked the browser's encrypted auto-complete data and sent it back to a central server without even having to wait for the user to log in to the site.

Given all the vulnerabilities out there and the willingness of attackers to exploit them, you might think that users would be clamoring for more security from their browsers. And some of them do, as long as it doesn't prevent any of their desired features from working.

There are a number of documents available that list steps one can take to lock down a Web browser. For example, one of those steps often is something like "Disable JavaScript." But few people actually ever do that - at least not permanently, because using a browser with JavaScript turned off is annoying, and in many cases prevents you from visiting sites you have legitimate reasons to visit.

"Attack and defense strategies are evolving, as are the use and threat models. As always, anybody can break into anything if they have sufficient skills, motivation and opportunity. The job of browser developers, network administrators, and browser users is to modulate those three quantities to minimize the number of successful attacks."