Browsers are the essential tools people use in computing today, so it’s vital their creators keep them secure. On Thursday, makers of two of the most common browsers issued news that should warm the hearts of CISOs.
First, Google said that starting Sept. 1 Chrome will begin pausing many Flash-based ads by default to improve performance for users. More importantly, it will increase security. Security blogger Graham Cluley immediately declared this another nail in the coffin of Flash.
Most Flash ads uploaded to Google AdWords are automatically converted now to HTML5. Those that are submitted next Tuesday in Flash won’t run until the user gives the okay.
Flash has been a useful way for legitimate organizations to spread documents, PDFs and videos, but holes have also meant it can be easily exploited by malware authors.
This has meant that infosec teams have had to regularly patch systems to make sure they are running the latest version of the plug-in. Recently, smart CISOs have been demanding browsers be set to force users to click to play Flash content to try to ensure staff only allow known content to run.
“But, be warned,” Cluley added, “disabling or nobbling Flash in just your browser may not be enough to protect your computer from infection – as it’s perfectly possible for Flash vulnerabilities to be delivered to your PC by routes other than the web.”
Meanwhile Mozilla updated Firefox to version 40.0.3 on Thursday to address two serious vulnerabilities, as outlined by Security Week.
One, rated critical, is a use-after-free triggered when a <canvas> element is resized (CVE-2015-4497). An attacker exploits the vulnerability by setting up a malicious webpage that causes Firefox to crash. The weakness can potentially be exploited to execute arbitrary code with the privileges of the attacked Firefox user.
The second, rated high-severity, has been described as an add-on notification bypass through data URLs (CVE-2015-4498). Firefox doesn’t display warning prompts when a user enters a URL that points to an add-on directly in the browser’s address bar. But an attacker could manipulate a data: URL on a loaded page to simulate direct user input and bypass the installation prompt. An attacker can also make the installation prompt appear on top of a different site by triggering a page navigation right after the add-on installation has been initiated.
A malicious actor could exploit this vulnerability to get users to install a rogue add-on by tricking them into thinking that the program is from a trusted source.