Starting in March 2022, Google Chrome will start supporting the new Private Network Access standard which will help protect local network devices from malicious internet traffic. Private Network Access, or PNA, will prevent malicious websites from using the victim’s browser as a proxy to relay cross-site request forgery attempts to devices on the user’s localRead more
Blog
Google is rolling out a new version of their Chrome web browser that fixes a remote code execution vulnerability that is under attack in the wild – the seventh zero day in Chrome so far this year. The new version of Chrome (91.0.4472.114) on Linux, Windows, and Mac resolves four high severity vulnerabilities including CVE-2021-30554Read more
Firefox has rolled out a new Site Isolation feature that greatly improves the security of the web browser by isolating every domain visited into a separate process. This provides protection against Meltdown and Spectre style attacks and cross site attacks that attempt to thwart the Same-Origin policy. Known internally as Project Fission, this significant developmentRead more
At the start of 2018 details were first published of the theoretical Spectre attack which exploits flaws in the design of modern CPU to allow data to be stolen from memory. Now Google has published a working proof-of-concept. Spectre is the name given to a number of attacks that are variations on a theme –Read more
Web browsers are adding more TCP ports to their block lists in an attempt to prevent exploitation of NAT Slipstream attacks. NAT Slipstreaming is an attack which tricks the NAT router into allowing external traffic through the NAT firewall to target any internal network device by abusing protocols such as SIP or H.323 where thisRead more
Google has issued an urgent update for Chrome which patches a zero-day vulnerability under active exploitation. The Chrome team took just one day from report of the vulnerability to issuing the patch, such is the danger posed by this flaw. The patch is included in Chrome version v86.0.4240.111 (CVE-2020-15999) – any older versions should beRead more
Mozilla and Google have confirmed they will be aligning with Apple and their browsers will reject any web server certificate issued after 1st September which is valid for more than a year. Apple announced the move to only support 1 year certificates back in February and now Mozilla and Google (and thus all the ChromiumRead more
Microsoft has released details of a zero-day remote code execution vulnerability which is being actively exploited to attack Windows computers. It affects all versions of Internet Explorer running on Windows 7, 8.1 and 10. The problems lies in one of the two javascript engines available within IE. Since a webpage can request IE to useRead more
A serious remote command execution vulnerability in the PHP-FGM module when used with NGINX has been disclosed in CVE CVE-2019-11043. Since NGINX does not have a native in-process PHP runtime and uses PHP-FGM instead, the PHP-FGM module is widely used. By submitting a specially crafted (yet simple) HTTP requested to the NGINX server, it isRead more
The German Federal Office for Information Security (or BSI) has published a report (in German) which evaluates the most popular modern web browsers against the BSI’s own guidelines for ‘modern secure browsers’ and only Firefox emerges with flying colours. The audit examined Mozilla Firefox 68 (Extended Support Release), Google Chrome 76, Microsoft Internet Explorer 11,Read more
