Issues, Workarounds & Localization

Forum Index

EVE Forums » EVE Technology and Research Center » Issues, Workarounds & Localization » Ingame Browser - Security issues

Topic is locked indefinitely.

Ingame Browser - Security issues
Author

Previous Topic Next Topic

xarjin

Galactic Deep Space Industries

Brave Collective

Likes received: 86

#21 - 2013-05-25 18:54:58 UTC | Edited by: xarjin

Bumping because this really needs to be addressed by the dev's given that antivirus vendors have started flagging ccp's IGB exe file as a security risk.

https://forums.eveonline.com/default.aspx?g=posts&t=239089

also this should serve as an eye opening concern. The denial of service exploit previously used as an example is far less of an issue that remote code execution exploits. Since the IGB runs in it's own process anyine usng IGB that potentially visits a malicious website is vulnerable to remotely having their computer hyjacked by a trojan.

http://msisac.cisecurity.org/advisories/2013/2013-053.cfm

MS-ISAC ADVISORY NUMBER:
2013-053

DATE(S) ISSUED:
05/21/2013

SUBJECT:
Multiple Google Chrome Vulnerabilities Could Allow for Remote Code Execution
OVERVIEW:

Multiple vulnerabilities have been discovered in Google Chrome that could allow remote code execution, bypass of security restrictions, or cause denial-of-service conditions. Google Chrome is a web browser used to access the Internet. Details are not currently available that depict accurate attack scenarios, but it is believed that some of the vulnerabilities can be exploited if a user visits, or is redirected to a specially crafted web page.

Successful exploitation of these vulnerabilities may result in either an attacker gaining the same privileges as the logged on user, or gaining session authentication credentials. Depending on the privileges associated with the user, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

SYSTEMS AFFECTED:

Google Chrome for Windows, Mac and Linux versions prior to 27.0.1453.93

RISK:

Government:

Large and medium government entities: High
Small government entities: High

Businesses:

Large and medium business entities: High
Small business entities: High

Home users: High

1,203
GreenSeed Likes received: 1,203	#22 - 2013-05-25 19:55:56 UTC Enta Ozuwara wrote: People on Reddit were asking for some sort of proof. Since a Remote Code Execution would need to be carefully planned, I have instead run a DoS exploit fixed in Chrome 4.1. Result: Awesomium.exe crashes oh god no! it crashed! my 401k!

xarjin

Galactic Deep Space Industries

Brave Collective

Likes received: 86

#23 - 2013-05-25 22:51:37 UTC | Edited by: xarjin

GreenSeed wrote:

Enta Ozuwara wrote:

People on Reddit were asking for some sort of proof. Since a Remote Code Execution would need to be carefully planned, I have instead run a DoS exploit fixed in Chrome 4.1.

Result: Awesomium.exe crashes

oh god no! it crashed!

my 401k!

that denial of service exploit is really only one low severity example. anyone capable of malicious intent could create a custom website with remote execution code that uploads trojans causing untold potential damage to computers and the owners of those computers. If that browser crash uploaded a keylogger you may not be amused in a week.

Unknowingly becoming a victim of identity theft or having a backdoor trojan uploaded to your computer as a result of browsing a website with the IGB has real consequences.This scenario is the real risk and primary reason the IGB desperately needs an update.

Previous page12