
Critical Chrome bugs have been patched


Google on Tuesday patched several vulnerabilities in Chrome, including two a French security company said could be used to bypass the browser's anti-exploit technology.
But Chrome 11.0.696.71, which Google rolled out yesterday to users via its automatic update mechanism, does not patch the flaw that Vupen researchers said earlier this month could be exploited on Windows 7.

Tuesday's security update was the second for the Chrome "stable" build -- the most polished version of the browser -- this month. Google fixed four vulnerabilities in the update, including two rated "critical," the category typically reserved for bugs that may let an attacker escape Chrome's "sandbox." Google has patched five critical bugs so far this year.

One of the remaining pair of flaws was ranked "high" -- and got the researcher who reported it a $1,000 bug bounty -- while the other was labeled "low" on Google's four-step threat scoring system. The two critical vulnerabilities were credited to Google's own security engineers.

Although Google declined to confirm that the two most serious bugs could be used by attackers to break out of the Chrome sandbox, and thus plant malicious code on the computer, French security firm Vupen said that was likely.

"The vulnerabilities fixed today and related to GPU and blob handling are a typical example of critical vulnerabilities that can affect Chrome and can be exploited to execute arbitrary code outside the sandbox," said Chaouki Bekrar, Vupen's CEO and head of research, in an email reply to questions.

Still unpatched, said Bekrar, is the bug or bugs that Vupen said its researchers found, then figured out how to exploit, earlier this month. "The recent flaws we discovered in Chrome, including the sandbox bypass, remain unpatched and our exploit code works with version 11.0.696.71, too," said Bekrar.

Those vulnerabilities made news earlier this month when Vupen announced it had hacked Chrome by sidestepping not only the browser's built-in sandbox but also by evading Windows 7's integrated anti-exploit technologies.

Within days, several Google engineers denied that the bugs Vupen exploited were in Chrome itself, claiming instead that the French firm leveraged a flaw in Adobe's Flash, which Google bundles with Chrome.

Chrome has been resistant to attack, primarily because of its sandbox technology, which is designed to isolate the browser from the rest of the machine, making it very difficult for a hacker to execute code on the computer. For example, Chrome has escaped unscathed in each of the last three Pwn2Own hacking contests, an annual challenge hosted by the CanSecWest conference in Vancouver, British Columbia, and sponsored by HP TippingPoint's bug bounty program. No other browser included in Pwn2Own has matched Chrome's record at the contest.

On Tuesday, Google spokesman Jay Nancarrow declined to comment further about the Vupen exploit claims, and referred to previous statements that Google was unable to investigate the bugs because Vupen would not share details of the flaws.

Last year, Vupen announced a change in its vulnerability disclosure policies, saying it would no longer report bugs to vendors -- as do many researchers -- but would reveal its work only to paying customers.

According to Web measurement company Net Applications, Chrome accounted for 11.9% of all browsers used last month, putting Google's program in third place behind Microsoft's Internet Explorer, with 55.1%, and Mozilla's Firefox, with 21.6%. Chrome 11 can be downloaded for Windows, Mac OS X and Linux from Google's Web site. Users already running the browser will be updated automatically.


Chrome OS Has Serious Flaws, Said Researchers


Flaws could undermine Google's focus on security of Chrome-powered devices. Since Google's Chrome operating system is built to be used connected to the web, users' files and work will mostly be saved in the cloud. Using Google Docs applications for example, automatically stores the work on Google's servers so you can access it from anywhere across a variety of devices.

Google believes this is the future of computing, and its Chrome OS is designed specifically for Cloud-based use. It also allows Google to talk up security, as your documents are stored and well protected in the Cloud, whereas if somebody were to steal your Chromebook, they won't find all of your files on your HDD like they will if they steal your notebook PC.
However, researchers at an independent security firm say that Chrome's reliance on web computing also makes it vulnerable in other ways. WhiteHat Security researcher Matt Johansen was paid $1,000 by Google for reporting a flaw in the Chrome OS note-taking application that he successfully exploited to hijack a Google Mail account.
Since then, Johansen has said he found the same basic flaw with many other applications (or extensions). "This is just the tip of the iceberg," he told Reuters. "This is just evolving around us. We can see this becoming a whole new field of malware."

Johansen says the key to hacking Chrome OS is to somehow capture data that is being sent and received by the Chrome browser, to and from the Cloud. "I can get at your online banking or your Facebook profile or your email as it is being loaded in the browser," he said.
"If I can exploit some kind of Web application to access that data, then I couldn't care less what is on the hard drive." Such snooping could be done by exploiting a vulnerability found in a Chrome extension, for example. Google has recently revealed plans to improve the screening of Chrome extensions to avoid security problems. "Chrome is trusting these extensions more than it would be trusting just another website," Johansen said, referring to how the operating system gives extensions sweeping rights to access data stored on the cloud.


Google begins war against Windows



Google does battle with Microsoft in most of its business areas, but it's gearing up to tackle the big daddy of them all: Windows.

With Windows -- and Macs and other PC operating systems -- Google sees an inefficient, costly, and decidedly 20th century mode of computing. Data is stored on each PC's hard drive, so if a laptop is lost or damaged, all the data stored on it could be gone forever too. And when PCs break, they're expensive and time-consuming to fix.
 
That's especially true in the corporate world. Gartner estimates that each desktop in a corporation costs between $3,000 and $5,000 per year to manage. Laptops can cost even more.

Ironically, all that spending means offices end up with old, rickety computers that the users would never buy for themselves. The high cost of tech support makes it prohibitively expensive for many companies to keep their hardware and software up to date. Services firm NetApplications says that more than 50% of computers are still using Windows XP -- a 10-year-old operating system.

Google's (GOOG, Fortune 500) solution: Chrome OS, a Web-based operating system that is set for release on June 15.

On computers running Chrome OS, all of a user's information is stored in the cloud, in remote servers controlled by Google or other companies. Instead of a desktop software model, which relies on installed apps like Microsoft (MSFT, Fortune 500) Outlook and Word, customers will use Gmail or another Web mail program, and Google Docs or Office 365, which exist online only. (Yes, you can run Microsoft's cloud Office software on a Google Chrome device.)

That goes for IT departments too. Intricate administrative software is replaced by a Web page that allows tech staff to manage all Chrome OS PCs. And Chrome OS automatically updates with the newest version, saving businesses from spending a fortune deploying new software versions.

"We're venturing into a really new model of computing," Sergey Brin, Google's co-founder, said at a press conference this week. "This head-to-toe software model eliminates a lot of complexity. Complexity is torturing everyone, and that's a flawed model."

Google believes it can save businesses at least 50% on their desktop support expenses if they switch to Chrome OS.

But Google has a long, long uphill battle to fight against the entrenched corporate behemoth that is Microsoft Windows. More than 90% of the world's computers run Windows.

Not every business is ready to simplify its hardware, since many rely on high-end software that does not yet exist as a Web application. And Google has had a shaky relationship with the enterprise in the past, gaining only tepid support for its cloud-based business applications suite.

Also, this has been tried before with practically zero success.

Nearly 20 years ago, Oracle CEO Larry Ellison predicted that "thin client," hard-drive-less desktops connected to and managed by a server would be the future of business computing. Sun Microsystems -- now owned by Oracle (ORCL, Fortune 500) -- also tried and failed to get businesses to adopt thin clients.

Google acknowledged past failures but says that this time, it's different. The company surveyed 400 businesses of all sizes and found that 75% said they could migrate to Chrome OS.

People are now more accustomed to running applications out of a browser, Google executives say. The company partnered with virtualization giant Citrix to allow Chrome OS computers to run Windows applications hosted in the cloud, letting businesses run Adobe (ADBE) Photoshop, for instance, on Chrome OS.

Also, unlike previous attempts, Google is providing both the operating system and the computer as one package: For $28 per user per month ($20 for government offices and schools), companies can rent "Chromebook" netbooks from Google and get support included.

"For the first time, hardware and software are being packaged together as a service," said Sundar Pichai, Google's senior vice president of Chrome. "We think this can fundamentally change the way people use computing in companies."

As evidence that companies of any size can deploy Chrome OS, Google itself is in the process of switching over to the new operating system.

"We will be deploying them increasingly internally," Brin said. "I hope to report next year that we have a very small percentage of anything other than Chromebooks at Google."

Google thinks it can change the face of computing. The only obstacles: The world's largest software maker, notoriously stubborn IT departments and decades of history going against it.


Google engineers deny Chrome hack exploited browser's code


Several Google security engineers have countered claims that a French security company found a vulnerability in Chrome that could let attackers hijack Windows PCs running the company's browser.

Instead, those engineers said the bug Vupen exploited to hack Chrome was in Adobe's Flash, which Google has bundled with the browser for over a year.
Google's official position, however, has not changed since Monday, when Vupen announced it had successfully hacked Chrome by sidestepping not only the browser's built-in "sandbox" but also by evading Windows 7's integrated anti-exploit technologies.
"The investigation is ongoing because Vupen is not sharing any details with us," a Google spokesman said today via email.
But others who work for Google were certain that at least one of the flaws Vupen exploited was in Flash's code, not Chrome's.
"As usual, security journalists don't bother to fact check," said Tavis Ormandy, a Google security engineer, in a tweet earlier today. "Vupen misunderstood how sandboxing worked in Chrome, and only had a Flash bug."
"It's a legit pwn, but if it requires Flash, it's not a Chrome pwn," tweeted Chris Evans, a Google security engineer and Chrome team lead, using the security-speak term for compromising an application or computer.
Justin Schuh, whose LinkedIn account also identifies him as a Google security engineer, chimed in with, "No one is saying it's not a legit exploit. The point is that it's not the exploit [Vupen] claimed."
When asked to confirm the source of the vulnerabilities it exploited, Vupen was blunt in its refusal to share any information.
"We will not help Google in finding the vulnerabilities," said Chaouki Bekrar, Vupen's CEO and head of research, in an email reply to questions. "Nobody knows how we bypassed Google Chrome's sandbox except us and our customers, and any claim is a pure speculation."
Last year, Vupen changed its vulnerability disclosure policies when it announced it would no longer report bugs to vendors -- as do many researchers -- but instead would reveal its work only to paying customers.
Today's Twitter back-and-forth between Google's engineers and Bekrar grew heated at times.
"When it comes to critical vulnerabilities, all software vendors/devs (including Google) always try to downplay the findings," Bekrar said on Twitter.
"I was thinking something similar about researchers who inflate their accomplishments," Schuh replied, also on Twitter, to Bekrar.
The point made by Ormandy, Evans and Schuh was that Vupen didn't exploit a bug in Chrome's own code, but in Flash, which has been partially sandboxed in the stable version of the browser since early March 2011.
While the Google engineers seemed to acknowledge that a bug in Flash was involved in Vupen's exploit, they also defended the sandbox technology -- meant to isolate Flash from the rest of the computer -- even as it apparently failed to prevent an attack.
"The Flash sandbox blog post went to pains to call it an initial step," said Evans. "It protects some stuff, more to come. Flash sandbox [does not equal] Chrome sandbox."
The blog Evans referred to was published in December 2010, where Schuh and another Google developer, Carlos Pizano, said, "While we've laid a tremendous amount of groundwork in this initial sandbox, there's still more work to be done."
Chrome's Flash sandbox is currently available only in the Windows version of the browser; Google has promised to implement it in the Mac and Linux editions, but has not yet done so.
While Bekrar later hinted that Vupen's exploit did leverage a Flash vulnerability, he said the attack code also took advantage of at least one other bug. "[Chrome's] built-in plug-ins such as Flash are launched inside the sandbox which was created by Google, so finding and exploiting a Flash or a WebKit vulnerability will fall inside the sandboxes and will not circumvent it," he wrote. "A sandbox bypass exploit is still required."
Chrome has a reputation as a secure browser, in large part because of its sandbox technology. Chrome is the only browser to have escaped unscathed at the last three Pwn2Own hacking contests, the annual challenge hosted by the CanSecWest conference in Vancouver, British Columbia, and sponsored by HP TippingPoint's bug bounty program.
In March 2011, no one took on Chrome at Pwn2Own, even though Google had offered a $20,000 prize to the first researcher who hacked the browser and its sandbox.


Security firm exploits Chrome zero-day to hack browser, escape sandbox


French security company Vupen said today that it's figured out how to hack Google's Chrome by sidestepping not only the browser's built-in "sandbox" but also by evading Windows 7's integrated anti-exploit technologies.
Google said it was unable to confirm Vupen's claims.
"The exploit ... is one of the most sophisticated codes we have seen and created so far, as it bypasses all security features including ASLR/DEP/Sandbox," said Vupen in a blog post Monday. "It is silent (no crash after executing the payload), it relies on undisclosed ('zero-day') vulnerabilities and it works on all Windows systems."
Vupen posted a video demonstration of its exploit on YouTube.
According to Vupen, its exploit can be served from a malicious Web site. If a Chrome user surfed to such a site, the exploit executes "various payloads to ultimately download the Calculator from a remote location and launch it outside the sandbox at Medium integrity level."
Vupen used the Windows Calculator only as an example: In an actual attack, the "calc.exe" file would be replaced by a hacker-made payload.
Historically, Chrome has been the most difficult browser to hack, primarily because of its sandbox technology, which is designed to isolate Chrome from the rest of the machine to make it very difficult for a hacker to execute attack code on the PC.
For example, Chrome has escaped unscathed in the last three Pwn2Own hacking contests, an annual challenge hosted by the CanSecWest conference in Vancouver, British Columbia, and sponsored by HP TippingPoint's bug bounty program.
Last March, a team from Vupen walked away with a $15,000 cash prize after hacking Safari, the Apple browser that, like Chrome, is built on the open-source WebKit browser engine.
But no one took on Chrome at 2011's Pwn2Own, even though Google had offered a $20,000 prize to the first researcher who hacked the browser and its sandbox.
The Vupen attack code also bypassed Windows 7's ASLR (address space layout randomization) and DEP (data execution prevention), two other security technologies meant to make hackers' jobs tougher.
Vupen said it would not publicly release details of the exploit, or the unpatched bug(s) in Chrome. "This code and the technical details of the underlying vulnerabilities will not be publicly disclosed," said Vupen. "They are shared exclusively with our Government customers as part of our vulnerability research services."
Last year, Vupen changed its vulnerability disclosure policies when it announced it would no longer report bugs to vendors, but instead would reveal its research only to paying customers.
Other security experts reacted today to the news of one or more Chrome zero-days, and to Vupen's practice of providing details only to its clients.
"I suppose that means we have a known Chrome 0-day floating around. That's fun," said Jeremiah Grossman, CTO of WhiteHat Security, in a Twitter message today.
"That also means that the [government] is outbidding Google for bug bounties," Grossman added in a follow-up tweet.
"For now, the [government] still has more money than Google," chimed in Charlie Miller, the only researcher who has won cash prizes at four straight Pwn2Own contests.
Google, like rival browser maker Mozilla, runs a bounty program that pays independent researchers for reporting flaws in Chrome. Last month, Google paid out a record $16,500 in bounties for bugs it patched in a single update. In the first four months of 2011, Google spent more than $77,000 on bug bounties.
Google cited Vupen's policy of not reporting flaws as the reason it could not verify the French firm's assertions.


After Google Chrome Hack, Sergey Glazunov Earned $60,000 At Pwnium Contest

Sergey Glazunov, A Security Researcher, Earned $60,000 At Pwnium After Google Chrome Hack

Sergey Glazunov, a Russian security researcher, has earned $60,000 by demonstrating how he could waltz past the security sandbox in Google's Chrome browser to run unauthorized code on fully-patched Windows 7 computers. Glazunov discovered a remote code execution vulnerability in Chrome that could be used by malicious hackers and cyber criminals to install and run code on innocent users' computers, just by them visiting a website. Glazunov, who is no stranger to reporting bugs in Chrome, won his substantial reward as part of the Pwnium competition run by Google at the CanSecWest conference in downtown Vancouver.
Senior Vice President of Google Chrome and Apps, Sundar Pichai, confirmed the successful hack on his Google+ page. Now that the hack is known throughout the developer world, Pichai understandably said, “Congrats to long-time Chromium contributor Sergey Glazunov who just submitted our first Pwnium entry. Looks like it qualifies as a “Full Chrome” exploit, qualifying for a $60k reward. We’re working fast on a fix that we’ll push via auto-update. This is exciting; we launched Pwnium this year to encourage the security community to submit exploits for us to help make the web safer. We look forward to any additional submissions to make Chrome even stronger for our users.”




Google I/O Kicks Off Tuesday: All Eyes On Android And New-Look Exec Team


Every major tech company in Silicon Valley takes at least one turn at San Francisco’s Moscone Center each year to show off their latest ideas and reinforce their standing among the community. This week, Google (NSDQ: GOOG) gets a shot, likely to highlight versions of its Android software for phones, tablets, and televisions while continuing to push a vision of computing with the Web at its center.
Google I/O has grown significantly since 2008, with the fourth incarnation set to kick off Tuesday. Nearly 5,500 attendees are expected to pony up for access to Google’s roster of engineers, who will present sessions on nearly everything Google, from search to Web application development to browsers to mobile applications. Here’s a breakdown of what to expect:
Android: Google’s most successful product outside of search, Android, will likely draw the most attention during the week. The smartphone version of Android has been a rousing success, but tablet versions have yet to create any serious alternative to Apple’s iPad. It would be surprising if Google didn’t address the tablet question in some detail, either through new operating system versions or applications.
Google TV: One version of Android that hasn't really taken flight—Google TV—has been reported as worthy of a Google I/O slot. First introduced a year ago at this conference and launched last November, Google TV has faced opposition from the big network television companies and confusion among customers who encounter its remote controls. A preview of a next-generation version is expected, but enthusiasm for the concept in general is not strong leading into the show.
Chrome OS: Netbooks bearing Google’s browser-centric operating system were supposed to have been launched last year, but delays forced the project into a mid-2011 launch schedule. Now that it’s May 2011, presumably Google is ready to shed more light on exactly what types of Chrome OS netbooks will launch, and how much they will cost. It will also be interesting to see if Google talks up Chrome OS tablet-style devices, given that interest in the netbook has waned considerably since Chrome OS was first announced in 2009.
Web Standards: Google has used significant air time at the previous Google I/O conferences to urge adoption of HTML5 technologies as the pathway to a next-generation model of computing centered on the Web. This is still very much a work in progress. Expect Google to continue the evangelical call this week, with demonstrations of the types of sophisticated Web applications that are possible with HTML5 technologies.
Wild Cards: Some form of a Google music locker is inevitable, but has the company locked down enough of the details with the music industry for it to surface this week? Will Google Docs finally get offline access? Which Android tablet will Google give away to attendees, the Xoom or the Galaxy Tab?
Context: Google is a company that famously likes to celebrate its failures. That means Google I/O is probably its most celebratory week of each year, considering it has produced such notable failures as Google Wave and Google Friend Connect. As pointed out over the course of the weekend, Google doesn’t necessarily save some of its most winning ideas for Google I/O: Google Instant was announced at its own event last September, for example.
However, this is the first Google I/O with Larry Page back at the helm of the company, and therefore the first chance for him to really put his stamp on the show. Google has been furiously reorganizing its executive ranks in the weeks since Page has taken over, and this Google I/O may give hints as to the new pecking order at Google with respect to the types of projects demonstrated at the show, and the people chosen to pitch those projects to the world.
It’s a week in which all eyes will be on the company that dominates Web search, fumbles with social skills, and provides a defensible alternative to Apple (NSDQ: AAPL) in the mobile market. We’ll be at Google I/O both days, and will bring you highlights and analysis of Google’s week in the spotlight.


Stable Version of Chrome 12 released


Google Chrome 12 is now the stable release of Google’s web browser, bringing several improvements in security, privacy and graphics capabilities. Chrome now checks downloaded files for malware, and Google claims it has designed the feature in such a way that it doesn’t have to know which URLs you visited or which files you downloaded to be able to detect malicious files. You can now also fine tune the data that websites store on your computer, including Flash Player’s Local Shared Objects (also known as Flash cookies), directly from Chrome.
On the graphics front, Chrome 12 includes support for hardware-accelerated 3D CSS, which enables some nifty effects such as rotating and scaling videos. Try this Chrome Experiment to see some of the new features in action. Finally, Chrome 12 brings several minor improvements such as an improved interface for setting a homepage and searching for Chrome Apps directly from the address bar.


Pwnium 2: Teenage Hacker Pinkie Pie Exploited Google Chrome & Earned $60,000


One of the world's most popular web browsers, Google Chrome, fell victim at the Pwnium 2 security contest, which took place on 10th October at the Hack In The Box conference in Kuala Lumpur, Malaysia. A teenage hacker who goes by the pseudonym "Pinkie Pie" was able to "fully exploit" Chrome, escaping the sandbox using only bugs within Chrome. The hack was done on a fully patched 64-bit Windows 7 system running the latest stable branch of Chrome. For his work, Pinkie Pie will receive the top prize of $60,000 from Google.
This isn't the first time that "Pinkie Pie", also the name of a "My Little Pony - Friendship is Magic" character, has won money for exploiting Chrome. In March of this year, he was rewarded for vulnerabilities he used at Google's Pwnium contest, which took place during the Pwn2Own competition at CanSecWest, to break out of the browser's sandbox and execute code. In order to get his code to execute on the test system at the time, he had to combine a total of six vulnerabilities; the holes were later closed with the release of Chrome 18. Along with security specialist Sergey Glazunov, Pinkie Pie also won this year's Pwnie Award for the Best Client-Side Bug. The full results of the Pwnium 2 competition will be announced during a talk by Google software engineer Chris Evans today, 11th October.
We would also like to remind you that earlier this year Google increased its vulnerability bounties on the anniversary of its Vulnerability Reward Program. PayPal, Facebook and many others have also started paid bug bounty programs. Such bug bounty programs and security contests do indeed enhance security.


-Source (The-H & SC Magazine)

NSS Said: IE9 Blocks Virtually All Socially Engineered Malware, Far More Than Other Browsers


A study prepared by NSS Labs concludes that Microsoft's Internet Explorer 9 blocks virtually all socially engineered malware, far more than rival browsers.
The study was designed to examine one aspect of security: how a browser handled a malicious URL, such as one received in a posting on a social network or an email. The NSS goal was to find the browser which identified, warned, and/or blocked malicious URLs from being viewed by the user.
As it did in 2010, Microsoft's IE9 with SmartScreen URL detection and Application Reputation topped the field, blocking 99.2 percent of all malicious emails. Google's Chrome 12 finished far behind, blocking 13.2 percent of all malicious URLs. Apple's Safari 5 and Mozilla Firefox 4 tied at 7.4 percent, with Opera 11 finishing dead last at 6.1 percent.


The NSS Labs study showed that, globally, all of the browsers tested showed improvement over an NSS study performed last year, with two exceptions: Safari and Mozilla's Firefox. A year ago, Microsoft IE9 blocked 99 percent of the malicious URLs, followed by Chrome 6 (3%), Safari 5 (11%), Firefox 3.6.15 (19%), and Opera 10 (0%).
NSS attributed Microsoft's success to its Application Reputation technology, which has attempted to categorize applications across the Internet.
"The significance of Microsoft's new application reputation technology cannot be overstated," the NSS report found. "Application reputation is the first attempt by any vendor to create a definitive list of every application on the Internet. This new capability helps users discern malware, and potentially unsafe software from actual good software. The list is dynamically created and maintained, much the same way Google, (or Bing) is continuously building and maintaining a library of content for search purposes."
The NSS tests sliced the potential for malware along one specific axis, socially engineered malware, a distinction Google objected to during the 2010 tests. "Google Chrome was built with security in mind from the beginning and emphasizes protection of users from drive-by downloads and plug-in vulnerabilities," a spokeswoman said then.
NSS also found that the combination of SmartScreen and Application Reputation means that IE9 blocked new malware in just over half an hour, while Safari 5 and Firefox 4 required 4.91 and 6.07 hours, on average, to detect a new malicious URL. Chrome 12 and Opera 11, by contrast, required 17.7 and 18.4 hours, respectively. Over time, as the malicious URLs changed in response to detection, the browsers maintained their level of protection fairly consistently, NSS found.
"Not only has the effectiveness of the technology improved, but so has the speed at which it is able to identify socially engineered malware," Roger Capriotta, director of Internet Explorer product marketing, wrote in a blog post Monday. "For our Windows customers, this means fewer infections and headaches for you."
In its report, NSS said its findings were independent, and that it had not received funding from any vendor. 

-News Source (PC Mag)


Chrome 13 Stable Released With Print Preview & Instant Pages Support


As browser version numbers go, Chrome 13.0.782.107 sounds like it’s going to be less than exciting, the kind of build that delivers eight bug fixes and support for some minor HTML5 feature you’ve never heard of.
The reality is very different, though, with Google’s latest stable release providing a couple of important new features and a lengthy list of useful extras.
The headline addition has to be the long-awaited Print Preview. Unlike Firefox and IE, there’s no separate Print Preview menu option; you just click Print as normal, and the current page appears in a new tab, where you can choose your layout (portrait or landscape), the pages you need, your printer and so on, before printing your selection with a click.
While this generally works well, we do have one issue. If you want to see the standard Windows printer properties dialog then you need to click Advanced, which would be fine if it wasn’t for the fact that the Print Preview tab then immediately closes – not what we’d expect. Still, for the moment we’re just happy that Chrome has Print Preview in any form, the fine tuning can come later.
The other major new feature this time is support for Google’s “Instant Pages”, which means that when you run a Google search, Chrome will prefetch the top search result for you (if it’s very sure you’re going to click it). In our tests this worked only occasionally, but when it does the results are impressive, with the selected page popping onto the screen in a flash.
Of course, as with any prefetching, there’s a risk that you may be downloading content which you never access, a particular problem if you’re on a slow or expensive 3G connection. If you’d like to keep your bandwidth use to a minimum, you might prefer to turn this feature off by going to Options > Under the Bonnet and clearing “Predict network actions to improve page load performance”.

To download Chrome 13 stable, click here.

Spammers are Exploiting Google+


Scammers have begun exploiting the launch of Google’s new Google+ social network, with a growing raft of spam emails that imitate Google+ invitations. Google+ is currently still in the testing phase following its launch last week, and users need to be invited by another Google+ member before they can sign up.

Fake invitations:-

However, some of those Google+ invitations are fake, and their links direct traffic to an online business called Canadian Family Pharmacy, which sells Viagra, according to Sophos. Sophos said the emails, distributed by a Canadian hacking group called Partnerka, look authentic.
“The spammers are no doubt hoping that the email will be hard to resist, as many people are eager to see what is being billed as Google’s answer to Facebook,” said Graham Cluley, senior technology consultant at Sophos, in a statement. “Research shows that last year alone, 36 million Americans bought drugs from online pharmacies, so this is a technique that is clearly continuing to work for spammers.”
Overall the scam is “amateur” in that it makes no attempt to use a site that looks like Google+ to harvest users’ personal information, Sophos said. While Facebook doesn’t allow friends lists to be exported to Google+, an extension is now available for Google’s Chrome browser that allows users to export friends data in a format that can be imported into Google+. Facebook has, however, begun modifying accounts to prevent the tool from working, according to Mohamed Mansour, who developed the Facebook Friend Exporter tool.

Google’s answer to Facebook:-

Google unveiled Google+ last week as its answer to Facebook, which has racked up some 700 million users in six-plus years. Seizing on the market leader’s seemingly cavalier attitude toward user privacy, Google envisions Google+ as a more nuanced approach to social networking that tries to give users complete control over what content they share online and with whom they share it. Available to users by invitation only for now, Google+ comprises four major components: Circles, Sparks, Hangouts and mobile, which includes instant photo and video uploads and group messaging.
Social Circles has been rumoured since March, and was at the centre of a clumsy smear campaign by Facebook which attempted to brand Google’s privacy as poor. Circles is a sharing service that lets users add circles, or groups of users united by common interests by dragging and dropping their profiles into a circle. Circles could include family, friends and colleagues.

Google Offers $1 Million For Hackers To Exploit Chrome (Pwnium: Rewards For Exploits)

The search giant Google is offering a huge reward (a total of $1 million) to those who successfully hack the Google Chrome browser at the Pwn2Own hacker contest taking place next week (7 March, 2012). Google will reward successful contestants at Pwn2Own with prizes of $60,000, $40,000 and $20,000, depending on the severity of the exploits demonstrated on a Windows 7 machine running the browser. The prizes will be awarded on a first-come, first-served basis until the entire $1 million has been claimed.
Chrome is currently the only web browser eligible for entry into Pwn2Own that has never been successfully hacked. Contestants often note the difficulty of bypassing Google’s security sandbox as a reason for this. “While we’re proud of Chrome’s leading track record in past competitions, the fact is that not receiving exploits means that it’s harder to learn and improve,” said Chris Evans and Justin Schuh, members of the Google Chrome security team. “To maximize our chances of receiving exploits this year, we’ve upped the ante. We will directly sponsor up to $1 million worth of rewards.”
Additional information can be found on the Chromium official blog.

Web Browser Grand Prix 5

Three major releases have landed since our last impromptu Web Browser Grand Prix (WBGP4): Chrome 12, Firefox 5, and Opera 11.50. Can Chrome or Opera regain the WBGP championship? Will Mozilla Firefox ever overtake Microsoft's IE9 in the rankings?
If it seems like it was only weeks ago when we were compelled to test the then-new Mozilla Firefox 4 against the reigning Web Browser Grand Prix champion Microsoft Internet Explorer 9 in Web Browser Grand Prix 4: Firefox 4 Goes Final, that's because it was only a few weeks ago.
In an attempt to curb the siphoning of its user base to Google, Mozilla decided to keep pace with the frenetic development cycle of Chrome. Firefox 5 is now a reality. But will Mozilla also keep up with innovation like Google? Furthermore, will a higher integer finally allow Mozilla to overtake arch-rival Microsoft in our performance metrics? Can former speed-kings Chrome and Opera reclaim the dual domination of our WBGP crown, as they did in 2010?
We've tightened up our suite of benchmarks for this article, cutting the fat that was Google's V8 JavaScript Benchmark and the redundant two-pixel variant of the GUIMark2 HTML5 Vector Charting test. We also fleshed it out by adding Facebook's JSGameBench, as well as battery life and reliability testing. But before we get to the benchmarks, let's get caught up on the latest developments in the continuing browser wars.
Opinions:-

The release of Firefox 5 was met with harsh criticism for its apparent lack of anything new. It has been said that Firefox 5 should have been called Firefox 4.1 or 4.2. Or even 4.02.
There is also a growing concern over whether the new rapid release schedule jibes with IT departments. Firefox became a viable choice for many companies during the version 2 and 3 days. Mozilla also offers the preferred development platform for most Web designers. Basically, Firefox gained the reputation of being the most stable choice. By mimicking Chrome's development cycle, Mozilla may have shot itself in the foot.
Smack Talk:-

Microsoft took a shot right across the bow of Google and Mozilla by announcing that WebGL is “harmful,” and that IE10 would not be utilizing the specification. Several experts came out in support of Microsoft's assertion, though it should be noted that Redmond may have a dog in this fight with DirectX.

Attacking Mozilla even further, the Internet Explorer development team sent the Firefox development team a cupcake to celebrate the release of Firefox 5. Mozilla also received cakes from Microsoft for the release of Firefox 3 and 4. Full cakes. Obviously, this is in response to the criticism that Firefox 5 is nothing more than a minor update to Firefox 4. The included note read: "Congratulations on shipping! Love, The IE Team". "Congratulations on shipping" might have been in reference to the frequent delays that plagued Firefox 4, which was eventually made available more than six months late. Now that's a classy way to rag on somebody. Not missing a single opportunity to slam its competition, Microsoft also capitalized on the other major criticism of Firefox 5 when an IE developer boasted Microsoft's commitment to IT.
Mozilla shot back with a blog post addressing the IT issue, although in a very non-concrete way:

"We are exploring solutions that balance these needs..."

Not to be outdone, an Opera employee also had this to say in regard to rapid release schedule:

“Despite the version number (11.50), we've packed a lot of new features into it. While other browsers rush to release whole new version numbers with small tweaks, I think we've kept traditional versioning, while simply releasing a little faster.”

Obviously, this comes at an unfortunate time for Mozilla, but one cannot help but wonder if this comment was meant for Google. Opera and Google have gotten into it pretty heavily in the past, and, for a time (before IE9), Chrome and Opera swapped places on a semi-monthly basis in the performance charts.

Internet Explorer (IE 9) & Firefox 10.0.2 Also Became Victim To Hackers At Pwn2Own
At the Pwn2Own contest, the web browsers are falling one after another. First it was the turn of Google Chrome, where Sergey Glazunov, a Russian security researcher, earned $60,000 by demonstrating how he could waltz past the security sandbox in Google's Chrome browser to run unauthorized code on fully patched Windows 7 computers. Then the time came for Microsoft's Internet Explorer. A team from a French security firm managed to hack IE 9 on a fully patched Windows 7 SP1 machine. The group from Paris-based Vupen Security brought down IE9 running on Windows 7 by exploiting a pair of previously unknown "zero-day" bugs that bypassed the operating system's defensive technologies to execute attack code, allowing that code to escape from IE's "Protected Mode," the browser's limited-rights anti-exploit system. They bypassed the browser's DEP and ASLR protection with a zero-day heap overflow vulnerability, and then used a separate memory corruption bug to break out of Protected Mode, which is effectively a sandbox. According to VUPEN founder Chaouki Bekrar, these particular flaws have existed in previous incarnations of the browser, all the way back to IE 6, and will very likely work on the upcoming IE 10.
Then the turn of Firefox came. Mozilla's Firefox is the latest browser to fall victim to hackers at this year's Pwn2Own hacker contest. Two researchers working together, Willem Pinckaers and Vincenzo Iozzo, exploited a single zero-day vulnerability in the latest Firefox 10.0.2 on a fully patched Windows 7 SP1 PC to cart off a $30,000 cash prize.

Zero-Day Vulnerability In Flash Patched By Adobe 
Yet another zero-day vulnerability has been found in Adobe Flash Player. Earlier, hackers found a zero-day exploit in Flash Player that could allow an attacker to access a user's webcam remotely; Adobe later patched that. Before releasing Flash Player 11, Adobe issued a new privacy policy and a security update, but those now seem to have been of little use. The affected versions are listed below. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.
Affected Versions:-
  • Adobe Flash Player 11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
  • Adobe Flash Player 11.1.112.61 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and 2.x

Adobe later confirmed the issue and immediately released a patch to close the security hole. This security release also resolves a universal cross-site scripting vulnerability that could be used to take actions on a user's behalf on any website or webmail provider if the user visits a malicious website. There are reports that this vulnerability (CVE-2012-0767) is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message (Internet Explorer on Windows only). Google's Chrome web browser, which directly integrates Flash into its software (unlike competing browsers), also received an update to reflect Adobe's patch.
Recommendation From Adobe:-
Adobe recommends users of Adobe Flash Player 11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris update to Adobe Flash Player 11.1.102.62. Users of Adobe Flash Player 11.1.112.61 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.6. Users of Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.6. For further details click here.
Earlier in 2011, another Flash Player bug was found in BlackBerry OS and later fixed by the developer, and last year Adobe also closed a serious security hole in Acrobat 9.x and Adobe Reader.

Firefox with Bing By Microsoft & Mozilla



Mozilla has teamed with Microsoft to bring more Bing to Firefox. Mozilla and Bing are pleased to make available Firefox with Bing, a customized version of Firefox that sets Bing as the default search engine in the search box and AwesomeBar and makes Bing.com the default home page.  (Existing Firefox users can also make these changes by installing the Bing Search for Firefox Add-on)
Of course, any user of Firefox can go into the browser's settings and make those changes themselves if they want, and there is even a "Bing Search for Firefox" add-on that will do the same. But many users don't mess with their settings too much, which is why Google (the usual default for Firefox) is the most widely used search engine among Firefox users. Google competes with Bing on the search side and Google's Chrome browser competes with Firefox. Microsoft, of course, makes a Firefox rival in Internet Explorer. Mozilla, in a blog post, said that "nearly 20 customized versions of Firefox" are available from its partners, including Bing, Yahoo (which now uses Bing to power its search as well), Twitter and Yandex.

To download Firefox with Bing, click here.

Mozilla Put Older & Vulnerable Versions of Java Into Firefox Blocklist

In its official blog post, Mozilla confirmed that it has blacklisted unpatched versions of the Java plug-in from Firefox on Windows in order to protect its users from attacks that exploit known vulnerabilities in those versions. "The February 2012 update to the Java Development Kit (JDK) and Java Runtime Environment (JRE) included a patch to correct a critical vulnerability that can permit the loading of arbitrary code on an end-user’s computer. This vulnerability—present in the older versions of the JDK and JRE—is actively being exploited, and is a potential risk to users. To mitigate this risk, we have added affected versions of the Java plugin for Windows (Version 6 Update 30 and below as well as Version 7 Update 2 and below) to Firefox’s blocklist. A blocklist entry for the Java plugin on OS X may be added at a future date. Mozilla strongly encourages anyone who requires the JDK and JRE to update to the current version as soon as possible on all platforms. Affected versions of the Java plugin will be disabled unless a user makes an explicit choice to keep it enabled at the time they are notified of the block being applied," Mozilla said.
Unlike Google's Chrome browser, which has a feature specifically aimed at disabling outdated plug-ins, Firefox relies on Mozilla developers deciding which plug-ins pose a risk to users. However, users retain the choice of preventing those plug-ins from being disabled. The Firefox blocklist has rarely been used to disable plug-ins from big software vendors like Oracle, but precedents do exist. In October 2009, Mozilla decided to add Microsoft's Windows Presentation Foundation (WPF) plug-in to the Firefox blocklist after Microsoft revealed that it had a vulnerability.
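The version ceilings in Mozilla's Java entry above, and the affected and fixed Flash Player versions listed in the Adobe post earlier on this page, reduce to the same defensive check: parse a version string, match it against a per-platform "X and below" rule, and report whether the plug-in should be disabled and what to update to. The following is an added example in Python, not Mozilla's or Adobe's own code. The rule table is transcribed from the two posts; the accepted version-string formats, the platform keys and the user-override flag are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class BlockRule:
    """One 'version X and below' entry, keyed by plug-in and platform."""
    plugin: str                 # "java" or "flash"
    platform: str               # normalised platform key, e.g. "windows", "android4"
    ceiling: tuple              # highest affected version (inclusive)
    family: Optional[tuple]     # version prefix the entry applies to; None = any version
    update_to: Optional[str]    # fixed version named in the advisory, if it named one


def _platform_key(platform: str) -> str:
    """Normalise platform names: 'OS X' -> 'osx', 'Android 4.x' -> 'android4'."""
    return re.sub(r"[^a-z0-9]", "", platform.lower().replace(".x", ""))


# Rules transcribed from the two posts (constructed table, not Mozilla's or Adobe's format).
# Java: Mozilla blocked 6u30 and below and 7u2 and below on Windows only, and named no
# fixed version number, only "the current version", so update_to is None.
BLOCKLIST = [
    BlockRule("java", "windows", (6, 30), (6,), None),
    BlockRule("java", "windows", (7, 2), (7,), None),
]
# Flash: Adobe's affected versions and the release each platform should move to.
BLOCKLIST += [
    BlockRule("flash", p, (11, 1, 102, 55), None, "11.1.102.62")
    for p in ("windows", "macintosh", "linux", "solaris")
]
BLOCKLIST += [
    BlockRule("flash", "android4", (11, 1, 112, 61), None, "11.1.115.6"),
    BlockRule("flash", "android3", (11, 1, 111, 5), None, "11.1.111.6"),
    BlockRule("flash", "android2", (11, 1, 111, 5), None, "11.1.111.6"),
]


def parse_version(plugin: str, text: str) -> tuple:
    """Normalise a version string to a tuple of ints so that tuple comparison orders it."""
    if plugin == "java":
        # Accept the JRE form "1.6.0_30" or the marketing form "Java 6 Update 30";
        # both reduce to (major, update).
        m = re.search(r"\b1\.(\d+)\.\d+_(\d+)", text) or \
            re.search(r"(\d+)\s+Update\s+(\d+)", text, re.IGNORECASE)
        if not m:
            raise ValueError(f"unrecognised Java version: {text!r}")
        return int(m.group(1)), int(m.group(2))
    if plugin == "flash":
        m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text.strip())
        if not m:
            raise ValueError(f"unrecognised Flash version: {text!r}")
        return tuple(int(x) for x in m.groups())
    raise ValueError(f"unknown plugin: {plugin!r}")


def evaluate(plugin: str, platform: str, version_text: str,
             user_kept_enabled: bool = False) -> dict:
    """Return the plug-in's status under the blocklist plus the advised update, if any."""
    version = parse_version(plugin, version_text)
    key = _platform_key(platform)
    hits = [
        r for r in BLOCKLIST
        if r.plugin == plugin and r.platform == key
        and (r.family is None or version[:len(r.family)] == r.family)
        and version <= r.ceiling
    ]
    if not hits:
        return {"status": "enabled", "update_to": None}
    # Mozilla's soft block: the plug-in is disabled unless the user explicitly chose to keep it.
    status = "enabled-by-user-override" if user_kept_enabled else "disabled"
    return {"status": status, "update_to": hits[0].update_to}


if __name__ == "__main__":
    for args in [("java", "Windows", "1.6.0_30"), ("java", "Windows", "1.6.0_31"),
                 ("java", "OS X", "Java 6 Update 29"), ("flash", "Linux", "10.3.183.15"),
                 ("flash", "Android 4.x", "11.1.112.61")]:
        print(args, "->", evaluate(*args))
```

Note that the Java rules carry a version family while the Flash rules do not: Mozilla's entry names two specific lines (6 and 7), so 6u31 must not be caught by the 7u2 ceiling, whereas Adobe's "and earlier" has no lower bound and a 10.3.x Flash on Windows is affected too. Likewise, an OS X Java plug-in evaluates as enabled because Mozilla had not yet added an entry for that platform.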

Apple-Based Networks Are More Vulnerable to Attack than Windows (BH 2011)


For many years, Apple enjoyed security through obscurity. The market share for Mac computers was so small that malware creators bypassed it to go after the much bigger target, Microsoft Windows. Not anymore.
Apple’s market share has been slowly rising and the popularity of the iPhone has put Apple’s products into the spotlight. Hackers are taking notice and they’re figuring out that Apple’s computers have security vulnerabilities, some of them more severe than Windows machines, according to a talk by the iSEC Partners security consulting team at the Black Hat security conference today.
Alex Stamos, Paul Youn, and B.J. Orvis of iSEC Partners said in their talk that it is possible for hackers to penetrate a network of Apple Mac computers and lurk undetected while gathering data. They concluded that there were so many vulnerabilities on the networking level that Mac machines could be considered more vulnerable than Windows machines.
Apple has not yet responded to a request for comment. At Black Hat, there will also be talks about the vulnerabilities of other operating systems, including Windows. In years past, security researchers have blamed Microsoft for producing vulnerable Windows code. And immediately following the Apple talk, security researchers had another talk about hacking Google’s Chrome operating system.
“This is all changing,” Stamos said. “If [recent hacking events] tell us anything, it’s that any computer is vulnerable to attack.”
The iSEC team said they looked at attacks on the Mac and its latest operating system, code-named Lion, or OS X version 10.7, from the perspective of Advanced Persistent Threats, or long-term security break-ins on networks of computers. They showed examples of the vulnerabilities and detailed proof that they had hacked into the operating system.
The category of Advanced Persistent Threats is a hot one because Google discovered that, under Operation Aurora, dozens of companies were compromised over a long period of time. And McAfee reported today that a similar attack, dubbed Operation Shady RAT, compromised a total of 72 governments and corporations over a five-year period.
A network of Mac computers can be compromised in the usual way, iSEC’s Stamos said. A single user can be tricked out of giving up a username and password through social engineering or targeted “phishing attacks,” or attacks that use a believable ruse to get you to enter your username and password, which is then captured and compromised by the hackers.
Once inside the network, Stamos said that it is easy for the attacker to escalate the privileges he or she has on the network. That is where Apple’s operating system falls down in comparison to Windows. “Once you have access, you can compromise the networking,” Orvis said. “Network privilege escalation is where it really gets bad on the Mac.”
The security researchers said that Apple has made improvements to security in version 10.7 of OS X, such as putting applications in a “sandbox,” or isolating them so that they can run (or crash) without taking down the rest of the operating system. Still, the researchers said they had figured out a couple of different ways to compromise the security of Macs through a test program dubbed Bonjoof. They said that it’s possible to lurk on a network and cover your tracks so that intelligence can be gathered on a network over time.
“All of Apple’s major authentication protocols suffer” from some kind of weakness, Orvis said.
There are ways to deal with the vulnerabilities, but company security professionals have to know how to use security forensics technology, which can take a long time. In the meantime, attackers can detect the forensics tools and react to their usage in an attempt to hide. The security researchers said they did talk with Apple about the vulnerabilities they found and communicated a number of ideas about how to improve the security of Apple’s computers.