Shining the Light on the Security of Customized Browsers Used in China
When I traveled in China last time, I was quite surprised that the landscape of the software installed on Chinese PCs is quite different than what people have in the west, it looks like a different world. Usually, you will find a "central" tool that manages all the things for users, such as installing additional applications, installing security updates for the OS and applications. IMO all the things on the computer are "customized", a typical example is the browsers. People don't use the original Internet Explorer or Google Chrome, instead, they use the customized IE or Chrome, which is basically the IE/Chrome core plus a customized UI and additional features.
Here and here are 2 studies on the statistics about the customized browsers used in China.
As we know, building a secure browser is not an easy work, in fact, it's probably one of the most tough work in the security world (if you don't agree, try to find how many vulnerabilities have been patched in IE and Chrome). Thus, I was interested in how they can handle the security in their customized browsers. Some days ago, I decided to download the browsers and take a look, not surprised, a serious problem was identified in just few minutes.
The example I used is the Qihoo 360 Secure Browser, I found it's integrating a quite old Flash Player (specifically, the version is 11.6.602.180, about 2 years old). Even worse, the Flash plugin is running outside of a Sandbox. Following figure will show you the details.
What does this mean? Well, the most obvious scenario is that bad guys can use (any) previous (within 2 years) Flash exploits to attack the browser and gain the same privilege as the current user. You may have heard that Flash is really bad on security, you get it right. There are quite a lot of Flash working exploits out there for use to attack an outdated Flash Player.
I've made a video here demonstrating that an old Flash exploit (CVE-2015-0311) can still work perfectly on the latest (prior to my report) browser.
I have almost no words to say how bad it is. Think about it, hundreds of millions* are under the risk, while the attackers don't even need a zero-day to perform the attack - they can simply use a previous Flash exploit to take control of hundreds of millions of computers.
I've identified this problem on the Qihoo 360 Secure Browser as well as the Baidu Browser. I reported my finding to their product security teams immediately after my finding considering the seriousness of this issue, they took the issue very quickly and have already mitigated the issue within few days. For 360 Secure Browser, users are recommended to update their browser to 7.1.1.580.
Please note that this post is released with the pure purpose** of raising the awareness of this security problem in Chinese customized browsers. The theory is simple: if I could have found this security problem in minutes, it's highly likely that this problem has been well known by bad guys already. Moreover, the author hopes to inspire more whitehats to join the party to help secure all the Chinese software, most of these software are used by hundreds of millions but (unfortunately) their security are still at a pretty low level comparing to the software from international giants (e.g. Google, Microsoft). The author believes that Chinese computer users deserve the same security as others around the globe.
[Update on October 1, 2015]
As of October 1, 2015, The 360 Secure Browser is still running outdated Flash (specifically, 18.0.0.209) out of the Sandbox, see following figure. Basically it means that an old exploit (e.g. this one http://malware.dontneedcoffee.com/2015/08/cve-2015-flash-player-up-to-1800209-and.html) can be used to pwn any PC running the 360 Secure Browser easily. They seem to have fixed this (up-to-date Flash, running in the Sandbox) after I reported in April, but now rolled back, pretty bad idea from security point of view.
[Update on October 8, 2015]
After the Oct-1st update, researcher "mj0011" of Qihoo 360, has reached me about the Oct-1st finding on behalf of the vendor. They claimed that:
The browser could load 2 types of Flash runtimes when handling Flash contents: it will first detect if the computer's hardware supports WebGL, if it does, the browser will load the "pepperflash" - a Chrome-supported Flash runtime running inside the Chrome Sandbox. As the pepperflash runs inside a Sandbox, even the version is a little outdated, the impact of an exploitation could be mitigated.
On the other side, if the computer's hardware does not support WebGL, it then loads the NPAPI Flash, which runs outside a Sandbox. Unfortunately, due to compatibility issues of the newest Flash Players, they had to integrate the outdated Flash version. This is the situation I saw in the Oct-1st update.
While the outdated NPAPI Flash does introduce a immediate security risk, since most of the computers support WebGL - the pepperflash will be loaded instead of the NPAPI Flash, the overall security impact of the Oct-1st finding is limited.
Thanks,
Haifei
* According to http://se.360.cn, the 360 Secure Browser has a 400-million user base.
** Future explanations of this post, such as trying to embarrass any vendor, are not welcomed.
When I traveled in China last time, I was quite surprised that the landscape of the software installed on Chinese PCs is quite different than what people have in the west, it looks like a different world. Usually, you will find a "central" tool that manages all the things for users, such as installing additional applications, installing security updates for the OS and applications. IMO all the things on the computer are "customized", a typical example is the browsers. People don't use the original Internet Explorer or Google Chrome, instead, they use the customized IE or Chrome, which is basically the IE/Chrome core plus a customized UI and additional features.
Here and here are 2 studies on the statistics about the customized browsers used in China.
As we know, building a secure browser is not an easy work, in fact, it's probably one of the most tough work in the security world (if you don't agree, try to find how many vulnerabilities have been patched in IE and Chrome). Thus, I was interested in how they can handle the security in their customized browsers. Some days ago, I decided to download the browsers and take a look, not surprised, a serious problem was identified in just few minutes.
The example I used is the Qihoo 360 Secure Browser, I found it's integrating a quite old Flash Player (specifically, the version is 11.6.602.180, about 2 years old). Even worse, the Flash plugin is running outside of a Sandbox. Following figure will show you the details.
What does this mean? Well, the most obvious scenario is that bad guys can use (any) previous (within 2 years) Flash exploits to attack the browser and gain the same privilege as the current user. You may have heard that Flash is really bad on security, you get it right. There are quite a lot of Flash working exploits out there for use to attack an outdated Flash Player.
I've made a video here demonstrating that an old Flash exploit (CVE-2015-0311) can still work perfectly on the latest (prior to my report) browser.
I have almost no words to say how bad it is. Think about it, hundreds of millions* are under the risk, while the attackers don't even need a zero-day to perform the attack - they can simply use a previous Flash exploit to take control of hundreds of millions of computers.
I've identified this problem on the Qihoo 360 Secure Browser as well as the Baidu Browser. I reported my finding to their product security teams immediately after my finding considering the seriousness of this issue, they took the issue very quickly and have already mitigated the issue within few days. For 360 Secure Browser, users are recommended to update their browser to 7.1.1.580.
Please note that this post is released with the pure purpose** of raising the awareness of this security problem in Chinese customized browsers. The theory is simple: if I could have found this security problem in minutes, it's highly likely that this problem has been well known by bad guys already. Moreover, the author hopes to inspire more whitehats to join the party to help secure all the Chinese software, most of these software are used by hundreds of millions but (unfortunately) their security are still at a pretty low level comparing to the software from international giants (e.g. Google, Microsoft). The author believes that Chinese computer users deserve the same security as others around the globe.
[Update on October 1, 2015]
As of October 1, 2015, The 360 Secure Browser is still running outdated Flash (specifically, 18.0.0.209) out of the Sandbox, see following figure. Basically it means that an old exploit (e.g. this one http://malware.dontneedcoffee.com/2015/08/cve-2015-flash-player-up-to-1800209-and.html) can be used to pwn any PC running the 360 Secure Browser easily. They seem to have fixed this (up-to-date Flash, running in the Sandbox) after I reported in April, but now rolled back, pretty bad idea from security point of view.
[Update on October 8, 2015]
After the Oct-1st update, researcher "mj0011" of Qihoo 360, has reached me about the Oct-1st finding on behalf of the vendor. They claimed that:
The browser could load 2 types of Flash runtimes when handling Flash contents: it will first detect if the computer's hardware supports WebGL, if it does, the browser will load the "pepperflash" - a Chrome-supported Flash runtime running inside the Chrome Sandbox. As the pepperflash runs inside a Sandbox, even the version is a little outdated, the impact of an exploitation could be mitigated.
On the other side, if the computer's hardware does not support WebGL, it then loads the NPAPI Flash, which runs outside a Sandbox. Unfortunately, due to compatibility issues of the newest Flash Players, they had to integrate the outdated Flash version. This is the situation I saw in the Oct-1st update.
While the outdated NPAPI Flash does introduce a immediate security risk, since most of the computers support WebGL - the pepperflash will be loaded instead of the NPAPI Flash, the overall security impact of the Oct-1st finding is limited.
Haifei
* According to http://se.360.cn, the 360 Secure Browser has a 400-million user base.
** Future explanations of this post, such as trying to embarrass any vendor, are not welcomed.
BEST SEO Company in Uttarakhand.
ReplyDeleteBEST Digital Marketing Service Uttarakhand.
BEST SEO Freelancer in Uttarakhand.
BEST PPC Services in Uttarakhand.
Haifei'S Random Thoughts: Integrating Outdated Flash Is A Bad Idea, Even Worse Running It Without A Sandbox >>>>> Download Now
Delete>>>>> Download Full
Haifei'S Random Thoughts: Integrating Outdated Flash Is A Bad Idea, Even Worse Running It Without A Sandbox >>>>> Download LINK
>>>>> Download Now
Haifei'S Random Thoughts: Integrating Outdated Flash Is A Bad Idea, Even Worse Running It Without A Sandbox >>>>> Download Full
>>>>> Download LINK NG
Thanks for sharing, nice post! Post really provice useful information!
ReplyDeleteHương Lâm chuyên cung cấp bán máy photocopy và dịch vụ cho thuê máy photocopy giá rẻ, uy tín TP.HCM với dòng máy photocopy toshiba và dòng máy photocopy ricoh uy tín, giá rẻ.
This article is out of the roof. Wow! Wonderful. Great Post!
ReplyDeletehttps://www.aarinkaur.com/
https://www.aarinkaur.com/Contact-Mumbai-Escorts-Aarin.html
https://www.aarinkaur.com/Mumbai-Escorts-Rate-Card.html
https://www.aarinkaur.com/Mumbai-Escorts-Location.html
https://www.aarinkaur.com/Mumbai-Escorts-Location.html
How wonderful blog. I'm delighted to read your article. Photo Editing Guide
ReplyDeleteWeb Image Editing
Neck Joint Service
Cut Out Background
Image Editing
Clipping Path
Masking Help
Photoshop Editing
Neck Joint Tutorial
Photography Help
Haifei'S Random Thoughts: Integrating Outdated Flash Is A Bad Idea, Even Worse Running It Without A Sandbox >>>>> Download Now
ReplyDelete>>>>> Download Full
Haifei'S Random Thoughts: Integrating Outdated Flash Is A Bad Idea, Even Worse Running It Without A Sandbox >>>>> Download LINK
>>>>> Download Now
Haifei'S Random Thoughts: Integrating Outdated Flash Is A Bad Idea, Even Worse Running It Without A Sandbox >>>>> Download Full
>>>>> Download LINK KY
There are a lot of stages where an organization can employ independent Bootstrap engineer or different kinds of IT trained professional. Here are the best locales to search for a lesser front end designer independent. This is perhaps of the biggest independent stage on the planet. It isn't centered around programming improvement, so there are a wide range of experts here. In any case, there is a colossal ability pool from everywhere the world. The typical front end designer pay each hour changes a ton as anybody can set their rates. Here you can make some work posting and experts will apply to make it happen.
ReplyDeleteConsultants have surveys and tributes on their profiles, which is an or more. This stage is great for long haul participation. It centers around programming improvement and chooses the best ability with an all encompassing reviewing process. So every one of the engineers highlighted have demonstrated their ability and abilities>> hire freelance frontend developer
A local oilseed farmer discovered a naked best sex dolls at a construction site in Chengdu and wrote in a letter that the doll belonged to a worker.
ReplyDeleteThis blog post on writing a request for proposal is a comprehensive guide for anyone looking to secure services or products from vendors. It breaks down the process step by step, providing valuable tips and insights to ensure a successful outcome. A must-read for anyone involved in the procurement process.
ReplyDeleteThanks for sharing this amazing blog! I was facing a similar issue on my computer and was really stuck, unable to do anything, including my assignments. I even had to get help from an assignment website to complete my work. But after reading your blog, I've finally found a solution, and my problem is solved.
ReplyDelete