Browser Download Bomb Attack Returned

As reported, Firefox, Opera, Vivaldi, Brave and Chrome are under threat
05 July 2018

The release of Chrome 67 has reopened a security hole, fixed in Chrome 65, that allows attackers to run so-called "download bombs". According to Bleeping Computer, Firefox, Opera, Vivaldi and Brave are also susceptible.

What are "download bombs"?

Attackers use the JavaScript Blob method and the window.navigator.msSaveOrOpenBlob function to force the browser to download one file repeatedly at such a rate that the CPU load rises to 100% in 5-10 seconds. As a result, the browser interface freezes and the user cannot close the browser or open another tab:

[Image: Download Bomb]

This attack is used by fake support sites that intimidate their victims with messages claiming that data is being stolen from their computer and that, to solve the problem, they must call the specified number.
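The mechanism above depends on a script calling a save function in a rapid burst. As an added example (not code from the article, Bleeping Computer or any browser vendor), here is one way a page-level guard such as a userscript could throttle that call; `guardSaveCalls`, its limits and the lock-on-burst policy are assumptions for illustration.

```javascript
// Added example: throttle a programmatic "save" method so a script cannot
// call it in a tight loop. Function name and limits are hypothetical.
function guardSaveCalls(target, method, opts = {}) {
  const max = opts.max ?? 3;               // allowed calls per window (assumed)
  const windowMs = opts.windowMs ?? 10000; // upper end of the 5-10 s in the article
  const now = opts.now ?? Date.now;        // injectable clock, used for testing
  const original = target[method];
  if (typeof original !== 'function') return null; // API absent: nothing to guard

  const stamps = [];                       // timestamps of recently allowed calls
  const stats = { allowed: 0, blocked: 0, tripped: false };

  target[method] = function (...args) {
    const t = now();
    // Drop timestamps that have aged out of the sliding window.
    while (stamps.length && t - stamps[0] >= windowMs) stamps.shift();
    // Once a burst is seen, stay locked until the page is reloaded or
    // restore() is called: a bomb keeps retrying, a normal export does not.
    if (stats.tripped || stamps.length >= max) {
      stats.tripped = true;
      stats.blocked++;
      return false;
    }
    stamps.push(t);
    stats.allowed++;
    return original.apply(this, args);
  };
  stats.restore = () => { target[method] = original; };
  return stats;
}

// Install only where the function named in the article actually exists.
if (typeof navigator !== 'undefined' &&
    typeof navigator.msSaveOrOpenBlob === 'function') {
  guardSaveCalls(navigator, 'msSaveOrOpenBlob');
}
```

The guard limits how many save requests reach the browser; it does not stop the calling script itself from running.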

Who is under threat?

After the bug was fixed in Chrome 65.0.3325.70, it reappeared in the June 12, 2018 update, version 67.0.3396.87. This time the threat is more serious: according to experts from Malwarebytes, Firefox is also at risk.

In addition, Bleeping Computer tested the proof-of-concept (PoC) code for Chrome and Firefox in other browsers and concluded that "download bombs" also work in Vivaldi and Brave. Opera, unlike the others, did not freeze completely after the exploit and even allowed switching tabs, but the running PoC page kept the interface from working properly, and the browser had to be closed through the "Task Manager".

According to the test results, only Microsoft Edge and Internet Explorer were resistant to this attack.

Frontend News Digest 12 - 18.10

Building command-line spinners in Node.js, the perfect architecture for your next Node project and a Zero update in this issue of Frontend News Digest
18 October 2019

Greetings! I hope your week went great! Here's new Frontend news digest.

Another version of the super popular Node.js has been released; get the info below! Also, you will be able to learn about Firefox's new WebSocket inspector and the WordPress update, and watch a video on how to build a classic layout fast in CSS Grid.

Guides

  • Build Command-Line Spinners in Node.js

Creating CLI spinners will improve your Node.js terminal skills

Articles

  • Improving Form Controls in Microsoft Edge and Chromium 

The Chrome and Edge teams worked together on refreshing form controls in Chromium-based browsers; learn what they have made

  • Firefox’s New WebSocket Inspector

Overview of Firefox's new WebSocket inspector, which is going to be released in Firefox 71 but is available only in Firefox Developer Edition at the moment.

  • The Perfect Architecture Flow for Your Next Node Project 

Best practices and architectural tips for your next Node project

  • Coloring Your Terminal Using Nodejs

Article on how coloring libraries like Chalk work under the hood.

Updates

  • WordPress 5.2.4 Release Addresses Several Security Issues

Information about the security fixes in the new WordPress release

  • Node v12.12.0 (Current)

Another update of the popular JS runtime environment with some interesting changes: a --force-context-aware flag has been added to prevent addons that aren't context-aware from being loaded; the fs module has added opendir() and fs.Dir as ways to asynchronously iterate through directories; and JSON module support has been made experimental again due to security concerns in the Web-based implementation of the idea.

  • Zero

A graphics pipeline implemented in JavaScript and rendered to the terminal that can run without GPU required.

Video

Build a Classic Layout FAST in CSS Grid

Podcast

  • Jen Simmons on Browser Features 

Discussion between Jen Simmons, designer advocate at Mozilla, and two hosts, Dave Rupert and Chris Coyier, about how new features get shipped to browsers and how you can get your ideas over to browser makers for consideration.