Google fixed a handful of issues when it released the latest version of its browser, Chrome 58, on Wednesday, including a vulnerability that could have made it easier for an attacker to carry out a phishing attack with Unicode domains.
The vulnerability, based on Punycode – a way to represent Unicode with foreign characters – has been making headlines since it was disclosed last Friday. Discovered by Chinese researcher Xudong Zheng, the bug relies on tricking Chrome into bringing users to sites that appear legitimate. The sites could then convince victims to enter personal login or financial credentials.
Phishing with Unicode Domains – https://t.co/bn9dMG0L1t
— Xudong Zheng (@Xudong_Zheng) April 14, 2017
Zheng claims he disclosed the bug to Google on January 20 and that it was incorporated into beta builds on March 24, before finally getting fixed on Wednesday.
The bug, considered medium severity, was one of 29 issues Google fixed on Wednesday.
Three of the vulnerabilities were marked critical by Google, including a heap use after free in the browser’s Print Preview feature, and a pair of type confusion bugs – one in PDFium, Google’s open source PDF software library, and another in Blink, Chromium’s rendering engine.
Google paid out $14,000 to researchers for their findings, a relatively modest sum after the company paid out nearly $55,000 in January for bugs in Chrome 56, and $38,000 in March for bugs in Chrome 57.
The update came the same day that Mozilla pushed out a new version of its browser, Firefox 53 and Firefox ESR 52.1.
Mozilla fixed six critical bugs with the update, including a pair of out-of-bounds write vulnerabilities, a pair of use-after-free vulnerabilities, a buffer overflow, and an origin confusion. If exploited, all of the bugs, except for the origin confusion flaw, could have resulted in a potentially exploitable crash. The origin confusion, which stemmed from reloading pages with redirects, could have only led to a cross-site scripting (XSS) attack.
Forty-one vulnerabilities were fixed with the update. Counting the nearly two dozen memory safety bugs fixed in the browser and ESR versions 45.9 and 52.1., 64 vulnerabilities were fixed with the update.
Zheng claims the same URL spoofing vulnerability that existed in Chrome also exists in Firefox, but it appears Mozilla is holding off fixing it for now.
Gervase Markham, a software engineer for the Mozilla Foundation, said earlier this week that Firefox users should turn on the browser’s Safe Browsing feature to help thwart phishing attacks like the one uncovered by Zheng. Markham, who’s also a lead developer of Bugzilla, said that if Mozilla were to start putting restrictions on scripts that happen to look like Latin, such as Cyrillic, it would be “making that script a second-class citizen because not as much can be represented using it.”
Zheng’s research relies on using Unicode characters, which can represent Cyrillic and Greek alphabets, to mimic Latin letters and in turn trick user’s eyes.
“There is no perfect solution to this problem,” Markham wrote on Bugzilla Tuesday, “Human languages are messy, inconsistent, and wonderful. Different scripts have letters which clash with each other. If you don’t want to be attacked this way, buy a domain in a TLD which doesn’t allow it. If your TLD does allow it, lobby your registry. In the mean time, Firefox users have Safe Browsing to protect them from actual phishing attempts, whether they use IDN lookalikes or not.”
Mozilla published a FAQ dubbed “IDN Display Algorithm” in response to the bug which Markham says clearly illustrates the organization’s stance.
“You may not agree with it, but it’s our considered position, so please do not comment further here unless you have new information to add which you genuinely believe has not been considered,” Markham wrote.
Zheng is encouraging Firefox users to limit their exposure to the bug by going to the browser’s about:config settings and setting network.IDN_show_punycode to true. By doing this Firefox will always display IDN domains in its Punycode form, something that should make it easier to identify malicious domains, the researcher claims.