SANS NewsBites

NB: 80 Million Malicious Chrome Extensions Installed; Qualcomm's Snapdragon Chip Flaws Affect Millions of Android Devices; FBI: Hackers Exploiting F5's BIG-IP

August 11, 2020  |  Volume XXII - Issue #63

Top of the News


2020-08-07

Malicious Chrome Extensions Have More Than 80 Million Installs

Nearly 300 malicious extensions were found to be available in the Google Chrome Web Store. The extensions include phony utilities and ad blockers that inject ads into search results or engage in cookie stuffing. Google removed the extensions after a blog post from AdGuard. The extensions in question have been downloaded 80 million times.

Editor's Note

These extensions are attractive to end-users because they claim to solve problems such as blocking ads. Unfortunately, they hide their malicious behavior so it may not be evident for a while. Consider using the Chrome Admin Console to manage your enterprise Chrome browsers, including extensions. In general run only needed and verified extensions in your browser to minimize the attack surface and keep security as close to out-of-the box as possible.

Lee Neely

Browser market share statistics are all over the place, but Chrome has something like 60% of the browser market, probably around 2 billion active users. So, only about 4% of active users downloaded any of those extensions. At one point there were close to 200,000 extensions in the Chrome Web Store, so 300 malicious extensions is 0.15% of the total. In April, Google announced new and more restrictive/security-centric rules for developers and gave them a deadline of 27 August to comply. We need to see what progress is made in reducing that percentage in September.

John Pescatore

The purpose of sites like the Google Webstore should be to provide a selection of known good Chrome extensions. Google has repeatedly failed at this task. Researchers regularly find large numbers of malicious extensions. Google has changed the approval process, but it appears all they accomplished is to antagonize the developers of valid extensions without solving the problem of malicious or questionable extensions.

Johannes Ullrich

2020-08-08

Vulnerabilities in Qualcomm's Snapdragon Chip Affect Android Devices

Flaws in Qualcomm Snapdragon chips could be exploited to monitor location and audio and to steal images and videos. They could also be exploited to render devices useless. The chips are used in hundreds of millions of Android devices.

Editor's Note

This is a system on a chip (SOC) vulnerability in Qualcomm's Digital Signal Processing (DSP) chip used to enhance charging, multimedia, and audio activities. The fix will require updates from the hardware manufacturer. There is no evidence of active exploit at this time. Mitigate risks by controlling physical possession of your device, keeping it updated, and leveraging Play Protect to install vetted applications. Coincidentally, Samsung has released a number of fixes for critical vulnerabilities; while those fixes do not include the DSP CVEs, you should apply them regardless.

Lee Neely

These flaws could haunt Android users (and manufacturers of devices) for a while. It isn't clear how or even whether they will be patched. Even if they will be patched, the process will take a while.

Johannes Ullrich

2020-08-10

FBI: Hackers are Attempting to Exploit Known Vulnerability in F5's BIG-IP

In a security alert sent to private sector partners last week, the FBI warned that hackers are actively trying to exploit a known flaw in F5's BIG-IP networking device. The FBI did not identify the hacking group, but sources have said that the attacks are being perpetrated by a hacking group, known as Fox Kitten or Parisite, with ties to Iran.

Editor's Note

If you're having trouble getting your support staff to apply the updates from F5, you may wish to mention this to management, particularly for your internet-facing services.

Lee Neely

The Rest of the Week's News


2020-08-07

Bulgarian Police Arrest Hacker

Authorities in Bulgaria have arrested a man for alleged hacking, extortion, and selling stolen data. According to a Ministry of Interior press release, authorities seized equipment from the suspect's home.


2020-08-07

Ohio Secretary of State Has a Vulnerability Disclosure Policy for Election-Related Site

Ohio is the first US state to establish a vulnerability disclosure policy for its election-related websites. The policy from Ohio's secretary of state lays out guidelines, including which sites the policy covers, what types of testing are not permitted, and what information vulnerability reports should include. Vulnerability hunters are required to wait 120 days after reporting vulnerabilities to publicly disclose details.

Editor's Note

This is an outstanding step forward for Ohio. The long disclosure window of 120 days will result in early disclosure by those used to the more common 30-90 day window. One hopes low-hanging fruit issues are identified quickly to enable the state to improve its security posture for the upcoming election.

Lee Neely

120 days is long compared to the 30-90 days that commonly accepted responsible vulnerability disclosure recommendations specify, and this does push public disclosure beyond the 2020 election cycle. Realistically, this seems reasonable for the complex and fractured way election systems are developed, procured and run at local levels. At this late point, basic security hygiene (including segmentation and mitigation) needs to be the focus.

John Pescatore

The motivation of "research" should be to improve quality, in this case of a socially and politically sensitive application, not to enhance the reputation, not to say notoriety, of the "researcher." Public shaming may have a place but this is not it. I know of no other field that engages in this destructive competition.

William Hugh Murray

2020-08-10

TeamViewer Releases Updates to Address High-Severity Flaw

A vulnerability in the TeamViewer Desktop for Windows app, part of the TeamViewer remote support software, could be exploited to execute code and access password hashes. The flaw exists because the app does not properly quote its custom URI handlers. The vulnerability affects versions of TeamViewer Desktop for Windows prior to 15.8.3. TeamViewer has released updates for multiple versions of the software to fix the problem.
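The defect described above, an application's custom URI handler whose command line does not quote its arguments, is something an administrator can audit locally. The following is an added example, not TeamViewer's or SANS's code: it parses `reg query` style output for `HKEY_CLASSES_ROOT\<scheme>\shell\open\command` keys and flags command templates where the executable path or the `%1` placeholder (the URI passed by the browser) is left unquoted. The scheme names, paths and registry lines in the sample are constructed for the example and do not reproduce any vendor's real values.

```python
"""Audit Windows URI protocol handler command lines for missing quoting.

A URI handler is registered under HKEY_CLASSES_ROOT\<scheme>\shell\open\command
with a default value such as  "C:\path\app.exe" "%1".  If %1 (the URI supplied
by the browser) or a path containing spaces is unquoted, the shell may split the
value into extra arguments, which is the class of defect described in the item.
"""
import re

# Matches the key line printed by `reg query` (sample lines below are constructed).
KEY_LINE = re.compile(r"^HKEY_CLASSES_ROOT\\([^\\\s]+)\\shell\\open\\command\s*$")
# Matches the "(Default)    REG_SZ    <command>" line that follows a key line.
VALUE_LINE = re.compile(r"^\s+\(Default\)\s+REG_(?:EXPAND_)?SZ\s+(.*)$")

# Constructed sample output; the scheme names and paths are hypothetical.
SAMPLE_REG_OUTPUT = r"""
HKEY_CLASSES_ROOT\examplesafe\shell\open\command
    (Default)    REG_SZ    "C:\Program Files\Example Safe\safe.exe" "%1"

HKEY_CLASSES_ROOT\exampleweak\shell\open\command
    (Default)    REG_SZ    C:\Program Files\Example Weak\weak.exe %1
"""


def parse_reg_query(text):
    """Return {scheme: command_template} from `reg query` style text."""
    handlers = {}
    scheme = None
    for line in text.splitlines():
        key = KEY_LINE.match(line)
        if key:
            scheme = key.group(1)
            continue
        value = VALUE_LINE.match(line)
        if value and scheme:
            handlers[scheme] = value.group(1).strip()
            scheme = None
    return handlers


def audit_command(cmd):
    """Return a list of quoting problems found in one handler command line."""
    findings = []
    if not cmd.startswith('"'):
        # Unquoted executable: a space before ".exe" means the path itself splits.
        exe_end = cmd.lower().find(".exe")
        head = cmd if exe_end == -1 else cmd[:exe_end]
        if " " in head:
            findings.append("executable path contains spaces but is not quoted")
    if "%1" in cmd and '"%1"' not in cmd:
        findings.append('URI placeholder %1 is not quoted; the URI can inject extra arguments')
    return findings


def audit_handlers(text):
    """Map each scheme in the reg output to its findings (empty list = clean)."""
    return {scheme: audit_command(cmd) for scheme, cmd in parse_reg_query(text).items()}


if __name__ == "__main__":
    for scheme, problems in audit_handlers(SAMPLE_REG_OUTPUT).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{scheme}: {status}")
```

On a real host the input would come from `reg query HKCR /s /f command /k` or an exported hive; the check is deliberately conservative and only reports quoting that is visibly absent, so a clean result is not proof that a handler parses its arguments safely.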


2020-08-10

Travelex Now in Administration, Forced to Eliminate 1,300 Jobs in UK

Currency exchange company Travelex is now in administration, the UK equivalent of bankruptcy. The restructuring plan includes eliminating 1,300 jobs in the UK. The currency exchange company suffered a ransomware attack in late December 2019 and was not able to resume conducting business until January 17, 2020. The onset of the COVID pandemic took a toll on the business as well.

Editor's Note

After a ransomware attack, business recovery is complex. Economic impact of the recovery, reputation of the business, and continued customer support, or lack thereof, can make or break you. When your primary customer base, in this case the travel industry, shuts down right after you are back on-line, partnerships and restructuring are needed to survive. For many of us, Travelex's reputation as a known quantity in currency exchange while traveling will help them recover.

Lee Neely

This suggests that current standards of "hygiene" are not sufficient to protect the business from an increasingly hostile public network. Do not bet your business.

William Hugh Murray

2020-08-10

vBulletin Releases Fixes to Address Patch Bypass Flaw

An as-yet unpatched vulnerability in vBulletin can be exploited to run malicious code and take control of forums without authentication. The issue lies in a patch issued in September 2019. Proof-of-concept exploit code for the vulnerability bypasses the protections put in place by the earlier patch. The vulnerability is being actively exploited. vBulletin has released a fix as well as suggestions for mitigation.


2020-08-10

Mystery Threat Actor Operated 25 Percent of Tor Exit Nodes

An unidentified threat actor has been adding servers to the Tor network since January 2020. By May, they were operating 380 Tor exit relays, a quarter of all exit relays. The group is conducting SSL stripping attacks, downgrading traffic from HTTPS to HTTP in an attempt to steal cryptocurrency by replacing Bitcoin addresses in the traffic.

Editor's Note

The actor was taking advantage of insufficient vetting processes for adding exit relays. While many of the malicious relays have been reported and shut down, as of August 8th, the threat actor still controlled 10% of the Tor exit relays. SSL stripping attacks can be prevented by setting up HSTS preload for your domain; many sites have not done this. Browsers which are not by default marking HTTP traffic insecure may benefit from installing a plugin such as HTTPS Everywhere, which enforces HTTPS use by rewriting headers on the fly.

Lee Neely

Users should be aware that Tor does a better job of hiding the origin of traffic, what it was built for, than it does of protecting the traffic itself.

William Hugh Murray
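The editor's note on this item recommends HSTS preload as the defence against SSL stripping: a browser that already knows a domain is HTTPS-only never issues the plaintext request that a hostile exit relay could downgrade, and preloading closes the gap on the very first visit, before any header has been seen. The following is an added example, not code from SANS or the Tor Project: it parses a `Strict-Transport-Security` header value and reports what stands between it and the published preload list requirements (a `max-age` of at least one year, `includeSubDomains`, and the `preload` token). The sample header values are constructed for the example.

```python
"""Check a Strict-Transport-Security header against HSTS preload requirements.

The preload list (hstspreload.org) requires, among other things:
  max-age >= 31536000 (one year), the includeSubDomains directive, and the
  preload directive. A site meeting only the weaker RFC 6797 minimum still
  leaves its first-ever visit exposed to an HTTP downgrade.
"""
from dataclasses import dataclass, field
from typing import List, Optional

PRELOAD_MIN_MAX_AGE = 31536000  # one year in seconds, as required for preload


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)  # parse-time issues


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse the directive list of an HSTS header (directives are ';'-separated)."""
    policy = HstsPolicy()
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()           # directive names are case-insensitive
        value = value.strip().strip('"')      # max-age may be quoted
        if name == "max-age":
            try:
                policy.max_age = int(value)
            except ValueError:
                policy.problems.append(f"max-age is not an integer: {value!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        else:
            policy.problems.append(f"unknown directive ignored: {name!r}")
    return policy


def preload_gaps(policy: HstsPolicy) -> List[str]:
    """Return the list of reasons the policy is not preload-ready (empty = ready)."""
    gaps = list(policy.problems)
    if policy.max_age is None:
        gaps.append("max-age directive missing")
    elif policy.max_age < PRELOAD_MIN_MAX_AGE:
        gaps.append(f"max-age {policy.max_age} is below the one-year preload minimum")
    if not policy.include_subdomains:
        gaps.append("includeSubDomains directive missing")
    if not policy.preload:
        gaps.append("preload directive missing")
    return gaps


def assess(header_value: Optional[str]) -> List[str]:
    """Assess a raw header value; None models a response with no HSTS header at all."""
    if header_value is None:
        return ["Strict-Transport-Security header missing: every visit is downgradable"]
    return preload_gaps(parse_hsts(header_value))


# Constructed sample header values, from weakest to preload-ready.
SAMPLES = {
    "no header": None,
    "short max-age": "max-age=300",
    "one year, apex only": "max-age=31536000",
    "preload-ready": "max-age=63072000; includeSubDomains; preload",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        gaps = assess(value)
        print(f"{label}: {'preload-ready' if not gaps else '; '.join(gaps)}")
```

A clean result means the header is eligible for submission, not that the domain is on the list; submission and the list's own checks (HTTPS redirect from HTTP, a valid certificate) are separate steps, and once preloaded the policy is hard to withdraw, so confirm that every subdomain really serves HTTPS first.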

Internet Storm Center Tech Corner

Scanning Activity Against WIFICAM Using Netcat

https://isc.sans.edu/forums/diary/Scanning+Activity+Include+Netcat+Listener/26442/


Small Challenge: A Simple Word Maldoc (Solution)

https://isc.sans.edu/forums/diary/Small+Challenge+A+Simple+Word+Maldoc+Part+2/26444/


Scoping Web Application Pentests

https://isc.sans.edu/forums/diary/Scoping+web+application+and+web+service+penetration+tests/26448/


PDF Test Suite

https://github.com/RUB-NDS/PDF101

https://raw.githubusercontent.com/RUB-NDS/PDF101/master/eval.png


Qualcomm Snapdragon Vulnerabilities

https://blog.checkpoint.com/2020/08/06/achilles-small-chip-big-peril/


China Blocking TLS 1.3 and ESNI

https://gfw.report/blog/gfw_esni_blocking/en/


Problems With Chrome Extensions

https://adguard.com/en/blog/fake-ad-blockers-part-3.html


TeamViewer Update

https://community.teamviewer.com/t5/Announcements/Statement-on-CVE-2020-13699/m-p/99129