fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Chrome 84 released with important security enhancements

Chrome 84 released with important security enhancements

Chrome 84 released with important security enhancements
Chrome 84 released with important security enhancements

Google has released Chrome 84 today, July 14th, 2020, to the Stable desktop channel, and it includes numerous security enhancements and new APIs for developers.

This massive release does not include many new features but offers increased protection against browser notification scams, mixed-content downloads, and the removal of insecure TLS protocols.

With Chrome 84 now being promoted to the Stable channel, Chrome 85 will soon be promoted to the Beta version, and Chrome 86 will be the Canary version.

Windows, Mac, and Linux desktop users can upgrade to Chrome 84 by going to Settings -> Help -> About Google Chrome. The browser will then automatically check for the new update and install it when available.

TLS 1.0 and 1.1 removed

In a coordinated announcement in 2018, Microsoft, Google, Apple, and Mozilla stated that they were removing support for the TLS 1.0 and 1.1 secure communication protocols beginning in 2020.

Google planned on removing support for these protocols in Chrome 81. However, due to the Coronavirus pandemic, the protocol’s removal was delayed so that users would still be able to access health and government sites that may be using older certificates.

With Chrome 84, Google is now removing TLS 1.0 and 1.1 support.

When visitors access a site utilizing these older certificates, they will be greeted with a full-page interstitial page stating that the “Your connection is not fully secure,” as shown below.

“Your connection is not fully secure” interstitial

Chrome Enterprise customers can enable TLS 1.0 and 1.1 support until January 2021 through the use of the Chrome group policies.

Also read: Top 10 Reliable IT Companies in Singapore

Chrome 84 visually warns of mixed-content downloads

In April 2019, we reported that Google planned to block mixed content downloads, which are files delivered over insecure HTTP connection when they are first initiated from HTTPS websites.

In previous versions of Google Chrome, Google had displayed errors in the console when these types of downloads were initiated.

With this release, Chrome will now display a visual warning when a mixed-content download is initiated that states the file “can’t be downloaded securely.”

Mixed-content download warning

After upgrading to Chrome 84, you can use this BleepingComputer demo page to see the warnings.

Notification prompts blocked on scam sites

Since 2018, BleepingComputer has been reporting [12] about scam sites tricking users into subscribing to browser notifications,

Scam browser notification site

Once a user accepts these browser notification subscriptions, they will be bombarded with spam for adult dating sites, fake giveaways, unwanted chrome extensions, and even malware.

In 2019, scam browser notification prompts increased by 69%, and Google is now making an effort to stop their proliferation.

With Chrome 84, Chrome will display a warning when a scam site has been detecting that abuses browser notifications.

Blocking notification on scam sites

New developer APIs released

Chrome 84 comes with numerous new APIs that allow developers to interact with the operating system to a greater degree or increase performance while browsing.

Raw Clipboard access API

Raw Clipboard Access is a low-level API that allows web applications to correctly copy data to and from native applications that use proprietary file formats.

QuicTransport API

The QuicTransport API will allow web applications to connect to servers using the QUIC low latency and bi-directional transport protocol.

This protocol allows applications to send and receive data in a reliable and unreliable manner using UDP packets.

Its low-latency approach allows developers to create bi-directional tunnels between a web application and a server with increased performance.

Screen Wake Lock API

Chrome 84 introduces a new Screen Wake Lock API that prevents a “device from dimming and locking the screen. This capability enables new experiences that, until now, required a native app.”

38 security vulnerabilities fixed

The Chrome 84 release fixes 38 security vulnerabilities, with the following discovered by external researchers:

RatingCVE IDDescription
CriticalCVE-2020-6510Heap buffer overflow in background fetch. Reported by Leecraso and Guang Gong of 360 Alpha Lab working with 360 BugCloud on 2020-07-08
HighCVE-2020-6511Side-channel information leakage in content security policy. Reported by Mikhail Oblozhikhin on 2020-04-24
HighCVE-2020-6512Type Confusion in V8. Reported by nocma, leogan, cheneyxu of WeChat Open Platform Security Team on 2020-05-20
HighCVE-2020-6513Heap buffer overflow in PDFium. Reported by Aleksandar Nikolic of Cisco Talos on 2020-06-04
HighCVE-2020-6514Inappropriate implementation in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2020-04-30
HighCVE-2020-6515Use after free in tab strip. Reported by DDV_UA on 2020-05-14
HighCVE-2020-6516Policy bypass in CORS. Reported by Yongke Wang of Tencent’s Xuanwu Lab (xlab.tencent.com) on 2020-06-08
HighCVE-2020-6517Heap buffer overflow in history. Reported by ZeKai Wu (@hellowuzekai) of Tencent Security Xuanwu Lab on 2020-06-16
MediumCVE-2020-6518Use after free in developer tools. Reported by David Erceg on 2019-07-20
MediumCVE-2020-6519Policy bypass in CSP. Reported by Gal Weizman (@WeizmanGal) of PerimeterX on 2020-03-25
MediumCVE-2020-6520Heap buffer overflow in Skia. Reported by Zhen Zhou of NSFOCUS Security Team on 2020-06-08
MediumCVE-2020-6521Side-channel information leakage in autofill. Reported by Xu Lin (University of Illinois at Chicago), Panagiotis Ilia (University of Illinois at Chicago), Jason Polakis (University of Illinois at Chicago) on 2020-04-27
MediumCVE-2020-6522Inappropriate implementation in external protocol handlers. Reported by Eric Lawrence of Microsoft on 2020-02-13
MediumCVE-2020-6523Out of bounds write in Skia. Reported by Liu Wei and Wu Zekai of Tencent Security Xuanwu Lab on 2020-05-08
MediumCVE-2020-6524Heap buffer overflow in WebAudio. Reported by Sung Ta (@Mipu94) of SEFCOM Lab, Arizona State University on 2020-05-12
MediumCVE-2020-6525Heap buffer overflow in Skia. Reported by Zhen Zhou of NSFOCUS Security Team on 2020-06-05
LowCVE-2020-6526Inappropriate implementation in iframe sandbox. Reported by Jonathan Kingston on 2020-04-24
LowCVE-2020-6527Insufficient policy enforcement in CSP. Reported by Zhong Zhaochen of andsecurity.cn on 2019-08-10
LowCVE-2020-6528Incorrect security UI in basic auth. Reported by Rayyan Bijoora on 2020-03-22
LowCVE-2020-6529Inappropriate implementation in WebRTC. Reported by kaustubhvats7 on 2019-06-26
LowCVE-2020-6530Out of bounds memory access in developer tools. Reported by myvyang on 2019-10-21
LowCVE-2020-6531Side-channel information leakage in scroll to text. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2020-01-17
LowCVE-2020-6533Type Confusion in V8. Reported by Avihay Cohen @ SeraphicAlgorithms on 2020-04-11
LowCVE-2020-6534Heap buffer overflow in WebRTC. Reported by Anonymous on 2020-04-20
LowCVE-2020-6535Insufficient data validation in WebUI. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2020-04-22
LowCVE-2020-6536Incorrect security UI in PWAs. Reported by Zhiyang Zeng of Tencent security platform department on 2020-05-09

Also read: 9 Policies For Security Procedures Examples

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us