Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Chrome Addresses Threat of Unicode Domain Spoofing

Chrome 58 Resolves Unicode Domain Spoofing

Chrome 58 Resolves Unicode Domain Spoofing

Google on Wednesday released Chrome 58 to the stable channel for Windows, Mac and Linux to address 29 vulnerabilities, including an issue that rendered users vulnerable to Unicode domain phishing.

Demonstrated by web developer Xudong Zheng, the bug resides in the use of Unicode characters in Internet hostnames through Punycode. By using characters that may look the same but are represented differently in Punycode, malicious actors can spoof legitimate websites and use them in phishing attacks.

The issue was also demonstrated by Avanan researchers in December 2016, when they stumbled upon live phishing attacks targeting Office 365 business email users. Using Unicode characters, attackers could create a site looking like http://www.pаypal.com/, but which actually resolved to http://www.xn--pypal-4ve.com/, thus bypassing Office 365’ anti-phishing defenses, the researchers explained.

Chrome 58 addresses the bug, which Google refers to as an URL spoofing in Omnibox (CVE-2017-5060). Assessed only a Medium severity rating, the vulnerability earned Xudong Zheng a $2000 bounty.

Two other Medium risk URL spoofing in Omnibox flaws were addressed as well: CVE-2017-5061, discovered by Haosheng Wang (awarded $2000), and CVE-2017-5067, credited to Khalil Zhani (awarded $500).

Only 12 of the 29 security fixes in Chrome 28 were for flaws discovered by external researchers: three rated High severity, 8 Medium risk, and one Low severity.

The High risk flaws include a Type confusion in PDFium (CVE-2017-5057), found by Guang Gong of Alpha Team, Qihoo 360 ($3000); a Heap use after free in Print Preview (CVE-2017-5058), discovered by Khalil Zhani ($2000); and a Type confusion in Blink (CVE-2017-5059), credited to SkyLined working with Trend Micro’s Zero Day Initiative.

Advertisement. Scroll to continue reading.

The Medium severity bugs also included a Use after free in Chrome Apps (CVE-2017-5062), a Heap overflow in Skia (CVE-2017-5063), a Use after free in Blink (CVE-2017-5064), Incorrect UI in Blink (CVE-2017-5065), and Incorrect signature handing in Networking (CVE-2017-5066).

The Low severity vulnerability was a Cross-origin bypass in Blink tracked as CVE-2017-5069 and was discovered by Michael Reizelman.

Related: Google Patches Dangerous Vulnerabilities in Chrome 57

Related: Fake Chrome Font Update Attack Distributes Ransomware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

DARPA veteran Dan Kaufman has joined Badge as SVP, AI and Cybersecurity.

Kelly Shortridge has been promoted to VP of Security Products at Fastly.

After the passing of Amit Yoran, Tenable has appointed Steve Vintz and Mark Thurmond as co-CEOs.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.