Chrome 58 Resolves Unicode Domain Spoofing
Google on Wednesday released Chrome 58 to the stable channel for Windows, Mac and Linux to address 29 vulnerabilities, including an issue that rendered users vulnerable to Unicode domain phishing.
Demonstrated by web developer Xudong Zheng, the bug resides in the use of Unicode characters in Internet hostnames through Punycode. By using characters that may look the same but are represented differently in Punycode, malicious actors can spoof legitimate websites and use them in phishing attacks.
The issue was also demonstrated by Avanan researchers in December 2016, when they stumbled upon live phishing attacks targeting Office 365 business email users. Using Unicode characters, attackers could create a site looking like http://www.pаypal.com/, but which actually resolved to http://www.xn--pypal-4ve.com/, thus bypassing Office 365’ anti-phishing defenses, the researchers explained.
Chrome 58 addresses the bug, which Google refers to as an URL spoofing in Omnibox (CVE-2017-5060). Assessed only a Medium severity rating, the vulnerability earned Xudong Zheng a $2000 bounty.
Two other Medium risk URL spoofing in Omnibox flaws were addressed as well: CVE-2017-5061, discovered by Haosheng Wang (awarded $2000), and CVE-2017-5067, credited to Khalil Zhani (awarded $500).
Only 12 of the 29 security fixes in Chrome 28 were for flaws discovered by external researchers: three rated High severity, 8 Medium risk, and one Low severity.
The High risk flaws include a Type confusion in PDFium (CVE-2017-5057), found by Guang Gong of Alpha Team, Qihoo 360 ($3000); a Heap use after free in Print Preview (CVE-2017-5058), discovered by Khalil Zhani ($2000); and a Type confusion in Blink (CVE-2017-5059), credited to SkyLined working with Trend Micro's Zero Day Initiative.
The Medium severity bugs also included a Use after free in Chrome Apps (CVE-2017-5062), a Heap overflow in Skia (CVE-2017-5063), a Use after free in Blink (CVE-2017-5064), Incorrect UI in Blink (CVE-2017-5065), and Incorrect signature handing in Networking (CVE-2017-5066).
The Low severity vulnerability was a Cross-origin bypass in Blink tracked as CVE-2017-5069 and was discovered by Michael Reizelman.