New Security Flaw in Google's Chrome Browser Lets Hackers Access Sensitive User Data



Hackers are always finding new ways to exploit bugs and compromise sensitive user data, a recently discovered flaw in Google Chrome which could lead to arbitrary code execution, allows attackers to view, edit or even delete confidential data.

The vulnerability in the browser was initially reported by the Centre for Internet Security (CIS) and it could have allowed hackers to execute arbitrary code in the context of the browser. In order to keep the flaw in check, Google Chrome released an immediate update for its users round the globe.

In the upcoming week, Google will be releasing patches for Mac, Windows and Linux, as per the reports. However, the older versions of the search engine, which are the versions before 76.0.3809.132 are prone to attack.

To be on a safe side, users are advised to have their browsers updated and be aware of suspicious websites. The report also recommends users to avoid following the hyperlinks from unknown sources.

“A vulnerability has been discovered in Google Chrome, which could allow for arbitrary code execution. Google Chrome is a web browser used to access the Internet. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.” Reads the report.


Google now pays more for disclosing vulnerabilities in Chrome OS and some Play Store apps

One of the hardest aspects of maintaining a cross-platform product is ensuring its security. Vulnerabilities can be exploited on various platforms in various scenarios, and it’s almost impossible for literally any company’s security department to fix all of them on their own. That’s why companies often use vulnerability disclosure rewards programs, which basically means giving money to someone who finds an issue in your product. Google has several programs of this kind. One of them is the Chrome Vulnerability Rewards Program, which awards security researchers for exploiting vulnerabilities in Chromium, Chrome, and Chrome OS. As you already know, there are a lot of Chromium-based browsers on the market, so the security of this product is crucial.

Today, Google is increasing the minimum rewarding amount for this program. Currently, security researchers receive a maximum amount of $5,000 on baseline reports. These exploits are mostly around escaping the sandboxing. Google is tripling the amount of reward for high severity baseline reward, bringing it up to $15,000. The price of high-quality reports with functional exploits of the same category got doubled. Previously it was $15,000, but after today Google will pay $30,000 for these kinds of exploits. Google is also increasing the bonus from $500 to $1,000 for exploits found via Chrome Fuzzer, which lets security researchers use Google’s hardware and scale to replicate the exploits.

The Google Play Security Reward Program got an update, too. This program only covers apps that have specifically opted-in.

- The reward for remote code execution bug went from $5,000 to $20,000
- The reward for theft of insecure private data went from $1,000 to $3,000
- The reward for accessing protected app components went from $1,000 to $3,000

To put it in short, Google decided to show more appreciation for all the security researchers that help ensure the security of their product. The changes will go into action today. You can start looking for vulnerabilities if you are competent enough. Maybe you’ll get some reward from Google.

Zero-day vulnerability in Internet Explorer discovered

According to security researchers at Chinese web giant Quihoo 360, hackers are using a zero-day vulnerability in Internet Explorer kernel code to infect Windows computers with malware.

The researchers say that an advanced persistent threat (APT) group is using the vulnerability to infect victims on a global scale by sending malicious Office documents to selected targets.


These documents are loaded with what they call a "double-kill" vulnerability, which affects the latest versions of Internet Explorer and any other applications that use IE kernel. When victims open the office document, the bug launches a malicious webpage in the background to deliver malware from a remote server.

"After the target opens the document, all exploit code and malicious payloads are loaded from a remote server," the researchers wrote in a blog post on the Chinese platform Weibo.

The researchers said that the attack involves the use of a public User Account Control (UAC) bypass, reflective DLL loading, fileless execution, and steganography; they also provided a diagram that roughly outlines the attack, with Chinese annotations.


The company says that it has reported the vulnerability to Microsoft and will be giving them appropriate time to find a patch before it reveals more details about the bug.

Microsoft has neither confirmed nor denied the attacks, but has given the following statement:

Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection. Our standard policy is to provide remediation via our current Update Tuesday schedule.

Security flaw detected in popular Dolphin and Mercury browsers

Rotologix, a cyber-security enthusiast, has found out zero-day flaws, which could allow an attacker to perform remote code execution, in two popular Dolphin and Mercury Android mobile browsers, which have 100 million users.

The remote code execution exploit allows an attacker to replace the browser's theme package with an infected counterpart.

“The Mercury Browser for Android suffers from an insecure Intent URI scheme implementation and a path traversal vulnerability within a custom web server used to support its WiFi Transfer feature. Chaining these vulnerabilities together can allow a remote attacker to perform arbitrary reading and writing of files within the Mercury Browser's data directory,” the researcher posted in a blog post.

It is said that the exploit allows the attackers to modify the downloading and applying new themes functions to the browser. Those who are affected, need to download, and apply a new Dolphin browser theme all again.


And for Dolphin, Rotologix said, "An attacker with the ability to control the network traffic for users of the Dolphin browser for Android, can modify the functionality of downloading and applying new themes for the browser. Through the exploitation of this functionality, an attacker can achieve an arbitrary file write, which can then be turned into code execution within the context of the browser on the user's device.”

Google Patched High-Risk Vulnerability in Chrome Browser

Google released chrome version 15.0.874.121 that fix the High-Risk Vulnerability in Javascript Engine named V8. This vulnerability is an out-of-bounds error that can cause a memory-corruption condition and lead to remote code execution.

Google paid security researcher Christian Holler $1,000 for discovering and reporting this vulnerability.

Download the Latest Version From here:
http://www.google.com/chrome

Facebook blames Browser Vulnerability for the pornographic spam Attack


Yesterday, The pornographic spam hits Facebook, Explicit and Violence posted in lot of users wall(without user knowledge).


Facebook have acknowledged for this spam attack.  According to their statement , the attackers exploits the Browser Vulnerability that allows "Self-XSS".

Self-XSS(Cross site Scripting)-An attacker can execute Malicious Javascript code on your browser that bring the access to the whatever website you visit (not only Facebook).

Most of time, the spam message ask you to copy the javascript and enter in the browser url box in order to get something(Eg: Gift card or Facebook Stalker).  This results in executing the Malicious code and results in account hacking or spreading spam message.

It is unclear which browser is vulnerable to .  Hope they will fix it soon.

If you like to know more about Self-XSS Attack, please check here:
Self-XSS, one of Social Engineering Attack.