Google Chrome is ditching its XSS detection tool

By Danny Bradbury

Google is removing a nine-year-old feature in its Chrome web browser, which spotted a common online attack. Don’t worry, though – another, hopefully better, protection measure is on the way.

Introduced in 2010, XSS Auditor is a built-in Chrome function designed to detect cross-site scripting (XSS) vulnerabilities. In an XSS attack, a malicious actor injects their own code onto a legitimate website. They might do that by adding malicious code to a legitimate URL, or by posting content to a site that stores and displays what they’ve posted (persistent XSS).

When someone looks at the code injected by the attacker it executes a command in their browser, which might do anything from stealing the victim’s cookies to trying to infect them with a virus.

Websites should prevent this kind attack by sanitizing user-submitted data, but many don’t.

XSS Auditor tries to detect XSS vulnerabilities while the browser is parsing HTML. It uses a blocklist to identify suspicious characters or HTML tags in request parameters, matching them with content to spot attackers injecting code into a page.

The beef that some developers have is that it doesn’t catch all XSS vulnerabilities in a site. XSS code that the feature doesn’t spot, called bypasses, are common online.

Google’s engineers had already adapted XSS Auditor to filter out troublesome XSS code rather than blocking access altogether, citing “undesirable consequences”, but this clearly wasn’t enough, and now they’re killing it off altogether.

Read more at https://nakedsecurity.sophos.com/2019/07/18/google-chrome-is-ditching-its-xss-detection-tool/

Still not using HTTPS? Firefox is about to shame you

By Danny Bradbury

Two years after promising to report all HTTP-based web pages as insecure, Mozilla is about to deliver. Soon, whenever you visit one of the shrinking number of sites that doesn’t use a security certificate, the Firefox browser will warn you.

Firefox developer Johann Hofmann announced the news this week:

In desktop Firefox 70, we intend to show an icon in the “identity block” (the left hand side of the URL bar which is used to display security / privacy information) that marks all sites served over HTTP (as well as FTP and certificate errors) as insecure.

Firefox 70 will ship in October. The change is an attempt to crack down on sites that don’t secure their communications.

Insecure browsers use the hypertext transfer protocol (HTTP), which sends data in clear text. HTTPS sites are more secure because they use Transport Layer Security (TLS), which establishes an encrypted link between the browser and the Web server before any HTTP requests are sent.

Hofmann explained that this was part of a broader initiative to simplify the security user-interface in Firefox 70.

Firefox began showing the ‘insecure’ icon in January 2017 but limited it to HTTP pages that collected passwords with login forms. It said at the time that it would expand the initiative to cover all HTTP pages.

Read more at https://nakedsecurity.sophos.com/2019/07/18/still-not-using-https-firefox-is-about-to-shame-you/

RDP exposed: the wolves already at your door

By Mark Stockley

For the last two months the infosec world has been waiting to see if and when criminals will successfully exploit CVE-2019-0708, the remote, wormable vulnerability in Microsoft’s RDP (Remote Desktop Protocol), better known as BlueKeep.

The expectation is that sooner or later a BlueKeep exploit will be used to power some self-replicating malware that spreads around the world (and through the networks it penetrates) in a flash, using vulnerable RDP servers.

In other words, everyone is expecting something spectacular, in the worst possible way.

But while companies race to ensure they’re patched, criminals around the world are already abusing RDP successfully every day, in a different, no less devastating but much less spectacular way.

Many of the millions of RDP servers connected to the internet are protected by no more than a username and password, and many of those passwords are bad enough to be guessed, with a little (sometimes very little) persistence.

Correctly guess a password on one of those millions of computers and you’re in to somebody’s network.

It isn’t a new technique, and it sounds almost too simple to work, yet it’s popular enough to support criminal markets selling both stolen RDP credentials and compromised computers. The technique is so successful that the criminals crippling city administrations, hospitals, utilities and enterprises with targeted ransomware attacks, and demanding five- or six-figure ransoms, seem to like nothing more.

Read more at https://nakedsecurity.sophos.com/2019/07/17/rdp-exposed-the-wolves-already-at-your-door/