Browser Download Bomb Attack Returned

As reported, Firefox, Opera, Vivaldi, Brave and Chrome are under threat
05 July 2018

The release of the Chrome 67 browser has reopened a security hole, previously fixed in Chrome 65, that allows attackers to run so-called "download bombs". According to Bleeping Computer, Firefox, Opera, Vivaldi and Brave are also vulnerable.

What is a "download bomb"?

Attackers use the JavaScript Blob method and the window.navigator.msSaveOrOpenBlob function to force the browser to download one file at such a rate that CPU load rises to 100% in 5-10 seconds. As a result, the browser interface freezes and the user cannot close the browser or open another tab:

[Image: Download Bomb]

This attack is used by fake tech-support sites that scare their victims with claims that data is being stolen from their computer and that they must call the specified number to solve the problem.
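The freeze described above depends on a page being able to trigger downloads without any limit. As an added example (not from the original article and not any browser's actual fix), the code below caps calls to a download function with a sliding-window limiter. The helper names, the limit of 3 calls per 10 seconds and the stub navigator object are assumptions made for illustration.

```javascript
// Added example: rate-limit script-triggered downloads (not from the article).
// Assumptions: the limit (3 calls per 10 s) and all helper names are hypothetical.

// Sliding-window limiter: allows at most `max` calls per `windowMs`.
function makeLimiter(max, windowMs, now = Date.now) {
  let stamps = [];
  return function allow() {
    const t = now();
    stamps = stamps.filter((s) => t - s < windowMs); // drop expired entries
    if (stamps.length >= max) return false;
    stamps.push(t);
    return true;
  };
}

// Replace obj[name] with a wrapper that drops calls once the limiter refuses.
// Returns a function that reports how many calls were blocked.
function guardDownloadApi(obj, name, allow) {
  const original = obj[name];
  if (typeof original !== 'function') return () => 0; // API absent here
  let blocked = 0;
  obj[name] = function (...args) {
    if (!allow()) { blocked += 1; return false; }
    return original.apply(this, args);
  };
  return () => blocked;
}

// Constructed demo: a stub object stands in for the browser's navigator,
// and a fake clock makes the result deterministic.
function demo() {
  let clock = 0;
  let saved = 0;
  const fakeNavigator = { msSaveOrOpenBlob() { saved += 1; return true; } };
  const allow = makeLimiter(3, 10000, () => clock);
  const blockedCount = guardDownloadApi(fakeNavigator, 'msSaveOrOpenBlob', allow);
  // 500 calls within 5 seconds of fake time: only the first 3 reach the stub.
  for (let i = 0; i < 500; i++) { clock += 10; fakeNavigator.msSaveOrOpenBlob({}, 'f.bin'); }
  const burst = { saved, blocked: blockedCount() };
  clock += 10000; // the window expires, so a later single download goes through
  const later = fakeNavigator.msSaveOrOpenBlob({}, 'report.pdf');
  return { burst, later, saved };
}
```

A wrapper like this only helps when it is installed before any page script runs; inside a page the attacker controls, the limit has to be enforced by the browser itself.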

Who is under threat?

After being fixed in Chrome 65.0.3325.70, the bug reappeared in the June 12, 2018 update, version 67.0.3396.87. And this time the threat is more serious: according to experts from Malwarebytes, Firefox is also at risk.

In addition, Bleeping Computer tested the proof-of-concept (PoC) code for Chrome and Firefox in other browsers and concluded that "download bombs" also work in Vivaldi and Brave. Opera, unlike the others, did not freeze completely after the exploit and even allowed switching tabs, but the running PoC page kept the interface from working properly, and the browser had to be closed through the "Task Manager".

According to the test results, only Microsoft Edge and Internet Explorer were resistant to this attack.

Ring UI 1.0 Library Released

Learn about new features and improvements of JetBrains' open source library
28 September 2018

JetBrains has announced the release of the Ring UI 1.0 library. The updates cover Babel 7 support, the finalization of the visual language and customizable CSS properties, and the library home page has moved.

In addition, the new version includes:

  • most components moved to CSS;
  • "pop-up messages", "tabs" and "buttons-switches" components;
  • the ability to configure the list of browsers in which the application will work, thanks to the support of Babel 7.

Colors from Ring UI can be used to give your own application a harmonious design. To do this, configure PostCSS as follows:

plugins: [
  ...
  require('postcss-custom-properties')({
    preserve: true,
    variables: require('@jetbrains/ring-ui/extract-css-vars')
  })
]

Changes in the visual language look like this:

[Image: Ring UI]

At the end of July 2018, the company reported that its products would no longer support legacy license servers. The changes were made in version 2018.2.1 of the development environments and in the 2018.3 .NET tools.