
Chromium under versions 58 have a huge security problem

Posted: Thu May 18, 2017 4:17 pm
by Pishraft
Look at these links:

https://www.engadget.com/2017/04/17/goo ... code-flaw/

https://arstechnica.com/security/2017/0 ... -you-want/

Google said the problem has been corrected in version 58.
Can you quickly prepare a new version?

Re: Chromium under versions 58 have a huge security problem

Posted: Thu May 18, 2017 6:05 pm
by oftentired
I am not saying by this reply that Slimjet should not act on this exploit. But, really this is a never ending story. There is always another chapter to it.

We cannot trust any email/browser to be safe. The nasty people are always finding new ways to exploit the nice people. We cannot rely on any email/browser to be safe. A person needs to click safely by not clicking without looking first at the address, the underlying imbedded address not the obviously shown address.

So I'm saying the ultimate fix lies with the user. So for phishing.

I don't click imbedded links without looking at them first. In emails especially, if at all possible, I don't click the links. I go to the addresses from another route. For example I may get a billing from my power company. I don't click the email to go to their website. I use my own favorite I've created or just type it in manually.

If I've read the links correctly the chrome fix is in ver 59 which is in beta and not yet released. If a fix is brought into play in Slimjet I'm thinking it would be to change the address bar so that it reveals the actual punycode address while waiting on the 59 release.

Re: Chromium under versions 58 have a huge security problem

Posted: Thu May 18, 2017 6:36 pm
by Pishraft
oftentired, this problem is different.
You see a real URL, but it's not real!
for example if you open this URL you see аррӏе.com in address Bar:

https://www.xn--80ak6aa92e.com/

but it's not аррӏе.com !

They can make a hyperlink like this:

https://www.apple.com/

and your eyes can't recognise it's not real
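
The lookalike in the post above can be checked mechanically. This is an added example, not part of the thread and not Chromium's or Slimjet's own logic: it decodes each `xn--` label and flags labels that contain no Latin letters yet read as plain ASCII. The `LOOKALIKES` table and all function names are constructed for illustration.

```python
import unicodedata

# Constructed, deliberately small subset of Cyrillic letters that render like
# ASCII letters. A production check would use the Unicode confusables data.
LOOKALIKES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0445": "x", "\u0443": "y", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u04cf": "l", "\u04bb": "h", "\u0501": "d", "\u051b": "q", "\u051d": "w",
}

def decode_label(label):
    """Return the Unicode form of one DNS label (xn-- labels are Punycode)."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed Punycode: keep the wire form
    return label

def scripts(text):
    """Script of each letter, taken from the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in text if ch.isalpha()}

def inspect_host(host):
    """Return (wire_label, displayed_label, ascii_skeleton) for spoofed labels."""
    findings = []
    for wire in host.rstrip(".").split("."):
        shown = decode_label(wire)
        if shown.isascii():
            continue  # ordinary ASCII label, nothing to compare
        skeleton = "".join(LOOKALIKES.get(ch, ch) for ch in shown)
        # Whole-script spoof: no Latin letter at all, yet it reads as ASCII.
        if skeleton.isascii() and "LATIN" not in scripts(shown):
            findings.append((wire, shown, skeleton))
    return findings

if __name__ == "__main__":
    for host in ("www.xn--80ak6aa92e.com", "www.apple.com", "xn--mnchen-3ya.de"):
        hits = inspect_host(host)
        for wire, shown, skeleton in hits:
            print(f"{host}: label {wire!r} displays as {shown!r}, "
                  f"imitates ASCII {skeleton!r}")
        if not hits:
            print(f"{host}: no whole-script lookalike label")
```

A legitimate internationalized name such as the third sample host is not flagged, because its label still contains Latin letters and does not reduce to pure ASCII.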

Re: Chromium under versions 58 have a huge security problem

Posted: Thu May 18, 2017 7:17 pm
by Pishraft
It's fake:
https://www.apple.com/

It's real:
https://www.apple.com/

Do you see any difference?

Re: Chromium under versions 58 have a huge security problem

Posted: Thu May 18, 2017 8:39 pm
by oftentired
Really, I got it.

My reply stands as written; read it again.

Re: Chromium under versions 58 have a huge security problem

Posted: Thu May 18, 2017 10:08 pm
by dev
Whack this in, or one of the half dozen other extensions that are on the store, till Slimjet releases ver 58, in which the flaw is debugged: https://chrome.google.com/webstore/deta ... imhkmdcjne
Here's another one that people should be wary of, but as oftentired says, it's the users themselves that need to be more careful, as these exploits come every day, and Chrome being the market leader in browsers nowadays, it's the one that gets targeted first: https://www.ghacks.net/2017/05/18/you-s ... right-now/

Re: Chromium under versions 58 have a huge security problem

Posted: Fri May 19, 2017 6:17 am
by paul1149
Pishraft wrote:
It's fake:
https://www.apple.com/

It's real:
https://www.apple.com/

do you see any difference?

When I hover over the links, yes, I see a difference in the status bar, which always displays the underlying link, not the link's name.

What oftentired says is correct. Of course vulnerabilities should be patched ASAP, but safe surfing is first and foremost a user function.
___

dev, it's unclear to me which password would automatically be sent to the remote SMB server in that exploit. I always disable automatic downloads, though, because I want the opportunity to rename the file before it saves.

BW

Re: Chromium under versions 58 have a huge security problem

Posted: Fri May 19, 2017 1:06 pm
by Pishraft
paul1149,
Thanks for your comment.
Are you sure your browser is Slimjet?
I see apple.com in both status bars.
Here is a screenshot:

http://i.imgur.com/sFK5GVs.png

Re: Chromium under versions 58 have a huge security problem

Posted: Fri May 19, 2017 10:27 pm
by paul1149
My apologies, Pishraft. In Slimjet (14.0.9.0 (based on Chromium 57.0.2987.98 (64-bit))) the true URL is not shown in the status bar, as you say. Indeed, I was viewing this thread from Vivaldi, which I now use much of the time. There, the true URL is revealed in the status bar. Thank you for the correction. This is indeed a vulnerability. Vivaldi 1.9.818 uses the Chrome/58.0.3029.82 engine.