Chrome to block NAT Slipstream

Google has released today version 87 of its Chrome browser, a release that comes with a security fix for the NAT Slipstream attack technique and a broader deprecation of the FTP protocol.

In Chrome 87, we have new APIs and updates to Chrome’s built-in Developer Tools, such as:

  • Support for the new Cookie Store API;
  • New features to allow easier modification of web fonts via CSS;
  • A new feature to let websites enumerate all the locally installed fonts;
  • Support for pan, tilt, and zoom controls on webcam streams; and,
  • Support for debugging WebAuthn operations via the Chrome DevTools.

NAT Slipstream attack fixes

This technique allows attackers to bypass firewalls and make connections to internal networks by tricking users into accessing malicious sites — effectively turning Chrome into a proxy for attackers.

Chrome 87 will be the first browser to block NAT Slipstream attacks by blocking access to ports 5060 and 5061, which the attack uses to bypass firewalls and network address translation (NAT) schemes.

Similar efforts are also underway at Apple and Mozilla, with fixes planned for future versions of Safari and Firefox.
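As an added illustration (not code from the article or from Chrome), the following Python mirrors the Chrome 87 rule described above, refusing requests whose effective port is 5060 or 5061, and runs that rule over constructed web-proxy log lines so a defender can spot browsers that reached those ports before the update. The log format, client addresses and hostnames are assumptions.

```python
import re
from urllib.parse import urlsplit

# Ports that Chrome 87 started blocking to stop NAT Slipstream (per the article).
NAT_SLIPSTREAM_PORTS = {5060, 5061}

# Default ports a browser uses when the URL carries none.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def effective_port(url: str):
    """Return the port a browser would actually connect to, or None if unknown."""
    parts = urlsplit(url)
    try:
        if parts.port is not None:
            return parts.port
    except ValueError:
        return None  # non-numeric or out-of-range port in the URL
    return DEFAULT_PORTS.get(parts.scheme.lower())


def chrome87_would_block(url: str) -> bool:
    """Apply the Chrome 87 rule: navigations/fetches to 5060 or 5061 are refused."""
    return effective_port(url) in NAT_SLIPSTREAM_PORTS


# Constructed proxy log lines (not real traffic): time, client, method, URL, status.
SAMPLE_PROXY_LOG = """\
2020-11-17T10:00:01Z 10.0.0.12 GET https://www.example.com/ 200
2020-11-17T10:00:03Z 10.0.0.12 POST http://site-a.example:5060/ 200
2020-11-17T10:00:04Z 10.0.0.12 GET https://cdn.example.com:443/app.js 200
2020-11-17T10:00:09Z 10.0.0.31 POST https://site-b.example:5061/submit 403
2020-11-17T10:00:10Z 10.0.0.31 GET http://intranet.example:8080/ 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def find_slipstream_candidates(log_text: str):
    """Return (client, url) pairs for requests aimed at port 5060 or 5061."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        _ts, client, _method, url, _status = m.groups()
        if chrome87_would_block(url):
            hits.append((client, url))
    return hits
```

Feed a real proxy export to `find_slipstream_candidates` and every hit is a client worth checking for an un-updated browser.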

FTP deprecation

Google is also following through on its plans to remove FTP support from Chrome. This process started last year and was initially planned for Chrome 81, but due to Covid it was delayed.

The FTP deprecation was rescheduled for the fall and began last month with the release of Chrome 86 when Google removed support for FTP links for 1% of Chrome’s userbase.

Google will now remove FTP support for half of Chrome’s userbase, and the browser maker plans to disable support for FTP links altogether next year, in January, with the release of Chrome 88.

Mozilla has already removed support for FTP links in Firefox earlier this year in June, with the release of Firefox 77.

Google 0 Day patched

Google has addressed two zero-day vulnerabilities, actively exploited in the wild, in the release of Chrome version 86.0.4240.198.

The flaws, tracked as CVE-2020-16013 and CVE-2020-16017, were reported by anonymous sources. Google experts did not disclose the way the flaws have been exploited in the attacks.

The CVE-2020-16013 flaw is an inappropriate implementation in the V8 component of Chrome.

The CVE-2020-16017 flaw is a use-after-free memory corruption bug in Site Isolation.

It is interesting to note that one of the vulnerabilities was reported to Google the same day the company released the new version of the popular browser.

The other three zero-days patched by Google in the last weeks were:

  • CVE-2020-15999 – The flaw is a memory corruption bug that resides in the FreeType font rendering library, which is included in standard Chrome releases.
  • CVE-2020-16009 – a heap buffer overflow in FreeType in Google Chrome.
  • CVE-2020-16010 – affects the browser’s user interface (UI) component in Chrome for Android.

It’s mind-boggling to have to update Chrome day after day, week after week, month after month to stay protected against exploits.

Google and Mozilla patched the vulnerabilities exploited in Chinese hackathon

Mozilla and Google have already patched the critical Firefox and Chrome vulnerabilities exploited recently by white hat hackers at a competition in China.

The Firefox vulnerability, tracked as CVE-2020-26950, has been described as an issue related to write side effects in the MCallGetProperty opcode not being accounted for.

The flaw was fixed with the release of Firefox 82.0.3, Firefox ESR 78.4.1 and Thunderbird 78.4.2.

The Chrome vulnerability is tracked as CVE-2020-16016 and has been described by Google as an inappropriate implementation issue in the base component. Google fixed it with an update released for Chrome 86 on Monday.

CVE-2020-26950 and CVE-2020-16016 were demonstrated by a team from Chinese cybersecurity firm Qihoo 360. This team earned over $740,000 of the total of $1.2 million awarded to participants at Tianfu Cup. For the Firefox vulnerability they earned $40,000, while for the Chrome flaw, which allowed them to achieve remote code execution with a sandbox escape, they received $100,000.

Google Successive 0 Day

Google has just released a fix for the second actively exploited Chrome zero-day security flaw in two weeks. CVE-2020-16009 is a V8 bug used for remote code execution. The fix applies to Windows, macOS and Linux.

“Google is aware of reports that an exploit for CVE-2020-16009 exists in the wild.” The Chromium bug entry with more details is locked to all but Chrome developers, as you might expect with a flaw that has not yet been fully fixed everywhere.

Google fixed a previous, technically unrelated, zero-day flaw two weeks ago (Oct. 20), and related browsers quickly followed suit.

Google revealed a Windows zero-day flaw that was being used in combination with the first Chrome flaw to hijack PCs via malicious websites. It’s not clear if yesterday’s new flaw has anything to do with those attacks.

Most installations of Chrome and Chromium variants will update themselves if you close the browser and then relaunch it, although not all Chromium variants may yet have released new versions to patch this flaw.

You want to update to version 86.0.4240.183 in Chrome, although the latter doesn’t have that version ready yet. In Edge, the latest version is 86.0.622.61.