Report: The Dark Side of Phishing Protection

The transition to the cloud, poor password hygiene and the evolution in webpage technologies have all enabled the rise in phishing attacks. But despite sincere efforts by security stakeholders to mitigate them - through email protection, firewall rules and employee education - phishing attacks are still a very risky attack vector. A new report by LayerX explores the state of

Update Chrome Browser Now: 4th Zero-Day Exploit Discovered in May 2024

Google on Thursday rolled out fixes to address a high-severity security flaw in its Chrome browser that it said has been exploited in the wild. Assigned the CVE identifier CVE-2024-5274, the vulnerability relates to a type confusion bug in the V8 JavaScript and WebAssembly engine. It was reported by Clément Lecigne of Google's Threat Analysis Group and Brendon Tiszka of

New Chrome Zero-Day Vulnerability CVE-2024-4761 Under Active Exploitation

Google on Monday shipped emergency fixes to address a new zero-day flaw in the Chrome web browser that has come under active exploitation in the wild. The high-severity vulnerability, tracked as CVE-2024-4761, is an out-of-bounds write bug impacting the V8 JavaScript and WebAssembly engine. It was reported anonymously on May 9, 2024. Out-of-bounds write bugs could be typically

The 2024 Browser Security Report Uncovers How Every Web Session Could be a Security Minefield

With the browser becoming the most prevalent workspace in the enterprise, it is also turning into a popular attack vector for cyber attackers. From account takeovers to malicious extensions to phishing attacks, the browser is a means for stealing sensitive data and accessing organizational systems. Security leaders who are planning their security architecture

Chrome Zero-Day Alert — Update Your Browser to Patch New Vulnerability

Google on Thursday released security updates to address a zero-day flaw in Chrome that it said has been actively exploited in the wild. Tracked as CVE-2024-4671, the high-severity vulnerability has been described as a case of use-after-free in the Visuals component. It was reported by an anonymous researcher on May 7, 2024. Use-after-free bugs, which arise when a program

New Guide Explains How to Eliminate the Risk of Shadow SaaS and Protect Corporate Data

SaaS applications are dominating the corporate landscape. Their increased use enables organizations to push the boundaries of technology and business. At the same time, these applications also pose a new security risk that security leaders need to address, since the existing security stack does not enable complete control or comprehensive monitoring of their usage.

Google Postpones Third-Party Cookie Deprecation Amid U.K. Regulatory Scrutiny

Google has once again pushed its plans to deprecate third-party tracking cookies in its Chrome web browser as it works to address outstanding competition concerns from U.K. regulators over its Privacy Sandbox initiative. The tech giant said it's working closely with the U.K. Competition and Markets Authority (CMA) and hopes to achieve an agreement by the end of the year. As part of the

New RedLine Stealer Variant Disguised as Game Cheats Using Lua Bytecode for Stealth

A new information stealer has been found leveraging Lua bytecode for added stealth and sophistication, findings from McAfee Labs reveal. The cybersecurity firm has assessed it to be a variant of a known malware called RedLine Stealer owing to the fact that the command-and-control (C2) server IP address has been previously identified as associated with the malware. RedLine Stealer,&nbsp

Google Chrome Beta Tests New DBSC Protection Against Cookie-Stealing Attacks

Google on Tuesday said it's piloting a new feature in Chrome called Device Bound Session Credentials (DBSC) to help protect users against session cookie theft by malware. The prototype – currently tested against "some" Google Account users running Chrome Beta – is built with an aim to make it an open web standard, the tech giant's Chromium team said. "By binding authentication sessions to the

Google to Delete Billions of Browsing Records in 'Incognito Mode' Privacy Lawsuit Settlement

Google has agreed to purge billions of data records reflecting users' browsing activities to settle a class action lawsuit that claimed the search giant tracked them without their knowledge or consent in its Chrome browser. The class action, filed in 2020, alleged the company misled users by tracking their internet browsing activity who thought that it remained private when using the "

Microsoft Edge Bug Could Have Allowed Attackers to Silently Install Malicious Extensions

A now-patched security flaw in the Microsoft Edge web browser could have been abused to install arbitrary extensions on users' systems and carry out malicious actions.  "This flaw could have allowed an attacker to exploit a private API, initially intended for marketing purposes, to covertly install additional browser extensions with broad permissions without the user's knowledge," Guardio

New "GoFetch" Vulnerability in Apple M-Series Chips Leaks Secret Encryption Keys

A new security shortcoming discovered in Apple M-series chips could be exploited to extract secret keys used during cryptographic operations. Dubbed GoFetch, the vulnerability relates to a microarchitectural side-channel attack that takes advantage of a feature known as data memory-dependent prefetcher (DMP) to target constant-time cryptographic implementations and capture sensitive data

Google Introduces Enhanced Real-Time URL Protection for Chrome Users

Google on Thursday announced an enhanced version of Safe Browsing to provide real-time, privacy-preserving URL protection and safeguard users from visiting potentially malicious sites. “The Standard protection mode for Chrome on desktop and iOS will check sites against Google’s server-side list of known bad sites in real-time,” Google’s Jonathan Li and Jasika Bawa said. “If we

Guide: On-Prem is Dead. Have You Adjusted Your Web DLP Plan?

As the shift of IT infrastructure to cloud-based solutions celebrates its 10-year anniversary, it becomes clear that traditional on-premises approaches to data security are becoming obsolete. Rather than protecting the endpoint, DLP solutions need to refocus their efforts to where corporate data resides - in the browser. A new guide by LayerX titled "On-Prem is Dead. Have You Adjusted Your Web

FTC Slams Avast with $16.5 Million Fine for Selling Users' Browsing Data

The U.S. Federal Trade Commission (FTC) has hit antivirus vendor Avast with a $16.5 million fine over charges that the firm sold users' browsing data to advertisers after claiming its products would block online tracking. In addition, the company has been banned from selling or licensing any web browsing data for advertising purposes. It will also have to notify users whose browsing data was

NS-STEALER Uses Discord Bots to Exfiltrate Your Secrets from Popular Browsers

Cybersecurity researchers have discovered a new Java-based "sophisticated" information stealer that uses a Discord bot to exfiltrate sensitive data from compromised hosts. The malware, named NS-STEALER, is propagated via ZIP archives masquerading as cracked software, Trellix security researcher Gurumoorthi Ramanathan said in an analysis published last week. The ZIP file contains

Zero-Day Alert: Update Chrome Now to Fix New Actively Exploited Vulnerability

Google on Tuesday released updates to fix four security issues in its Chrome browser, including an actively exploited zero-day flaw. The issue, tracked as CVE-2024-0519, concerns an out-of-bounds memory access in the V8 JavaScript and WebAssembly engine, which can be weaponized by threat actors to trigger a crash. <!-- adsense --> "By reading out-of-bounds memory, an attacker might be able to

Opera MyFlaw Bug Could Let Hackers Run ANY File on Your Mac or Windows

Cybersecurity researchers have disclosed a now-patched security flaw in the Opera web browser for Microsoft Windows and Apple macOS that could be exploited to execute any file on the underlying operating system. The remote code execution vulnerability has been codenamed MyFlaw by the Guardio Labs research team owing to the fact that it takes advantage of a feature called&nbsp;My Flow&nbsp;that

The Definitive Enterprise Browser Buyer's Guide

Security stakeholders have come to realize that the prominent role the browser has in the modern corporate environment requires a re-evaluation of how it is managed and protected. While not long-ago web-borne risks were still addressed by a patchwork of endpoint, network, and cloud solutions, it is now clear that the partial protection these solutions provided is no longer sufficient. Therefore,

Google Settles $5 Billion Privacy Lawsuit Over Tracking Users in 'Incognito Mode'

Google has agreed to settle a lawsuit&nbsp;filed in June 2020&nbsp;that alleged that the company misled users by tracking their surfing activity who thought that their internet use remained private when using the “incognito” or “private” mode on web browsers. The&nbsp;class-action lawsuit&nbsp;sought at least $5 billion in damages. The settlement terms were not disclosed. The plaintiffs had

Urgent: New Chrome Zero-Day Vulnerability Exploited in the Wild - Update ASAP

Google has rolled out security updates for the Chrome web browser to address a high-severity zero-day flaw that it said has been exploited in the wild. The vulnerability, assigned the CVE identifier&nbsp;CVE-2023-7024, has been described as a&nbsp;heap-based buffer overflow bug&nbsp;in the WebRTC framework that could be exploited to result in program crashes or arbitrary code execution. Clément

New Malvertising Campaign Distributing PikaBot Disguised as Popular Software

The malware loader known as PikaBot is being distributed as part of a&nbsp;malvertising&nbsp;campaign&nbsp;targeting users searching for legitimate software like AnyDesk. "PikaBot was previously only distributed via malspam campaigns similarly to QakBot and emerged as one of the preferred payloads for a threat actor known as TA577," Malwarebytes' Jérôme Segura&nbsp;said. The malware family,

Google's New Tracking Protection in Chrome Blocks Third-Party Cookies

Google on Thursday announced that it will start testing a new feature called "Tracking Protection" beginning January 4, 2024, to 1% of Chrome users as part of its efforts to&nbsp;deprecate third-party cookies&nbsp;in the web browser. The setting is designed to limit "cross-site tracking by restricting website access to third-party cookies by default," Anthony Chavez, vice president of Privacy

New Report: Unveiling the Threat of Malicious Browser Extensions

Compromising the browser is a high-return target for adversaries. Browser extensions, which are small software modules that are added to the browser and can enhance browsing experiences, have become a popular browser attack vector. This is because they are widely adopted among users and can easily turn malicious through developer actions or attacks on legitimate extensions. Recent incidents like

Zero-Day Alert: Google Chrome Under Active Attack, Exploiting New Vulnerability

Google has rolled out security updates to fix seven security issues in its Chrome browser, including a zero-day that has come under active exploitation in the wild. Tracked as&nbsp;CVE-2023-6345, the high-severity vulnerability has been described as an integer overflow bug in Skia, an open source 2D graphics library. Benoît Sevens and Clément Lecigne of Google's Threat Analysis Group (TAG) have

Randstorm Exploit: Bitcoin Wallets Created b/w 2011-2015 Vulnerable to Hacking

Bitcoin wallets created between 2011 and 2015 are susceptible to a new kind of exploit called Randstorm that makes it possible to recover passwords and gain unauthorized access to a multitude of wallets spanning several blockchain platforms. "Randstorm() is a term we coined to describe a collection of bugs, design decisions, and API changes that, when brought in contact with each other, combine