Tag Archive for: certs

CERTs Urge Patching of Google Chrome, Android Flaws


Application Security, Governance & Risk Management, Incident & Breach Response

Exploitation May Lead to DoS, Data Privacy Breach, RCE Attacks

CERTs say to patch Chrome and Android flaws now.

Several global Computer Emergency Response Teams have issued alerts as well as fixes for Google Chrome browser and Android operating system vulnerabilities.


Countries issuing the alerts include France, India and Canada.

Google Chrome Vulnerabilities

The Canadian Centre for Cyber Security, in its advisory, says that all Chrome for desktop versions prior to 98.0.4758.80 are affected by every flaw reported by the technology giant.

Google Chrome, in its Chrome release update, says that a total of 27 security fixes, including 10 high-, 14 medium- and 3 low-severity vulnerabilities, have been made. Of these, 19 vulnerabilities were disclosed by external security researchers, while the rest were found by internal researchers during “internal audits, fuzzing and other initiatives.”

According to CERT-In, the vulnerabilities in the Google Chrome browser and Chrome OS can be exploited by a threat actor to execute arbitrary code. They stem from the following conditions:

High-Severity Flaws

Medium-Severity Flaws

Low-Severity Flaw

The latest stable channel update of Chrome for desktop includes fixes for all operating systems and the following version numbers: Windows (98.0.4758.80/81/82), Mac and Linux…


Week in review: Kali Linux 2020.3, mobile security threats, ISO certs at risk of lapsing – Help Net Security


Google Play Touts Certs in Quest For Enterprise Security

Google has snagged three security and privacy certifications for Google Play as it tries to appeal to enterprises despite numerous malicious apps and security issues.
Mobile Security – Threatpost

Government Shutdown Means Government Website Security Certs Aren’t Being Renewed

With all the news about the ongoing government shutdown and the big messes it has caused, it’s creating lots of little messes with potentially big impact as well. For example, scammers and robocallers have upped their game during the shutdown, knowing that (1) there’s no one investigating these scams right now, and (2) as I discovered when I tried to report one, the FTC has literally shut down the web portal where you used to be able to submit complaints.

Another one, however, pointed out last week by Netcraft, is the fact that government website security certificates are expiring… and there’s no one around to renew them:

Dozens of U.S. government websites have been rendered either insecure or inaccessible during the ongoing U.S. federal shutdown. These sites include sensitive government payment portals and remote access services, affecting the likes of NASA, the U.S. Department of Justice, and the Court of Appeals.

With around 400,000 federal employees currently furloughed, more than 80 TLS certificates used by .gov websites have so far expired without being renewed. To compound the situation, some of these abandoned websites can no longer be accessed due to strict security measures that were implemented long before the shutdown started.

As Netcraft notes, for some of those sites you can't even click past the security warning, such as certain DOJ sites:

In a twist of fate, the usdoj.gov domain — and all of its subdomains — are included in Chromium’s HSTS preload list. This is a prudent security measure which forces modern browsers to only use secure, encrypted protocols when accessing the U.S. DoJ websites; however, it will also prevent users from visiting the HTTPS sites when an expired certificate is encountered. In these cases, modern browsers like Google Chrome and Mozilla Firefox deliberately hide the advanced option that would let the user bypass the warning and continue through to the site.

There are some government websites that you can click through on, but as Netcraft notes, this could allow for man-in-the-middle attacks or other security risks:

This introduces some realistic security concerns, as task-oriented users are more likely to ignore these security warnings, and will therefore render themselves vulnerable to man-in-the-middle attacks.

If the shutdown continues for a while, this problem could get significantly worse. I know that Wall Street put pressure on the government to have certain IRS employees suddenly deemed “essential” so that Wall Street could keep functioning smoothly; perhaps someone might want to deem the people renewing security certs similarly essential? Or, you know what, maybe just re-open the damn government.


Techdirt.