CVE-2017-15426: Insufficient policy enforcement in Omnibox in Google Chrome allowed domain spoofing via IDN homographs.

Description

A vulnerability was discovered in Google Chrome's Omnibox (address bar) that allowed domain spoofing through IDN homographs. IDN (Internationalized Domain Name) homograph attacks use characters from non-Latin scripts that are visually similar to Latin letters to register domain names that look identical to legitimate ones but resolve to attacker-controlled sites. This vulnerability (CVE-2017-15426) affected Google Chrome versions prior to 63.0.3239.84 and could be exploited by remote attackers to deceive users into believing they were visiting legitimate websites.

Overview

This vulnerability (CWE-20: Improper Input Validation) exists in the Omnibox component of Google Chrome, which is responsible for displaying and validating URLs. The issue stems from insufficient policy enforcement when deciding how to render Internationalized Domain Names (IDNs). An attacker could register a domain using characters from non-Latin scripts that visually resemble a legitimate domain name, for example a look-alike of "paypal.com" in which some Latin letters are replaced by visually identical Cyrillic letters. When users visit such a spoofed domain, the browser would display what appears to be the legitimate domain in the address bar instead of falling back to the punycode form, potentially leading to phishing attacks, credential theft, or malware distribution.
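The following is an added, defender-side illustration of the kind of label policy an address bar can apply before rendering an IDN in Unicode; it is not Chrome's own code. It flags labels that mix scripts and Cyrillic labels built entirely from Latin look-alikes, falling back to the punycode form in either case. The look-alike set is a constructed subset for demonstration; a production check would use Unicode's confusables data.

```python
import unicodedata

# Constructed subset of lowercase Cyrillic letters that render nearly identically to
# Latin letters in common fonts (a, c, e, o, p, x, y, i, j, s). A production check
# would use Unicode's confusables data instead of this hand-picked set.
LATIN_LOOKALIKE_CYRILLIC = set("\u0430\u0441\u0435\u043e\u0440\u0445\u0443\u0456\u0458\u0455")


def script_of(ch):
    """Coarse script name derived from the Unicode character name (e.g. CYRILLIC)."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"  # digits and '-' are script-neutral
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def to_unicode(host):
    """Decode punycode (xn--) labels to Unicode; Unicode input is returned unchanged."""
    return host.encode("ascii").decode("idna") if host.isascii() else host


def homograph_findings(host):
    """Return one finding per label that mixes scripts or is a whole-script Cyrillic look-alike."""
    findings = []
    for label in to_unicode(host).split("."):
        letters = [c for c in label if c.isalpha()]
        scripts = {script_of(c) for c in letters}
        if len(scripts) > 1:
            findings.append(f"{label}: mixed scripts {sorted(scripts)}")
        elif scripts == {"CYRILLIC"} and all(c in LATIN_LOOKALIKE_CYRILLIC for c in letters):
            findings.append(f"{label}: every Cyrillic letter has a Latin look-alike")
    return findings


def display_form(host):
    """Address-bar style policy: show Unicode only when there is no finding, else show punycode."""
    unicode_host = to_unicode(host)
    if homograph_findings(unicode_host):
        return unicode_host.encode("idna").decode("ascii")  # IDNA 2003 via the stdlib codec
    return unicode_host


if __name__ == "__main__":
    # Constructed samples: plain ASCII, a mixed-script look-alike, a whole-script
    # Cyrillic look-alike, and a genuine Cyrillic word that must not be flagged.
    for sample in ["paypal.com", "p\u0430ypal.com",
                   "\u0441\u043e\u0440\u0435.example", "\u043f\u0440\u0438\u0432\u0435\u0442.example"]:
        print(f"{sample!r:30} -> {display_form(sample)!r} {homograph_findings(sample)}")
```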

Remediation

To address this vulnerability, users and administrators should:

  1. Update Google Chrome to version 63.0.3239.84 or later, which contains the fix for this vulnerability.
  2. For enterprise environments, ensure that automatic updates are enabled or deploy the updated version through your organization's software management system.
  3. Consider implementing additional security measures such as:
    • Using password managers that verify the actual domain (not just visual appearance)
    • Enabling two-factor authentication on sensitive accounts
    • Training users to verify website authenticity through multiple means, not just the URL appearance
  4. System administrators should consider implementing DNS filtering or web proxies that can detect and block access to known phishing domains.

References

  1. Chrome Release Blog announcement: https://chromereleases.googleblog.com/2017/12/stable-channel-update-for-desktop.html
  2. Chrome Bug Tracker: https://crbug.com/756735
  3. Red Hat Security Advisory: https://access.redhat.com/errata/RHSA-2017:3401
  4. Debian Security Advisory: https://www.debian.org/security/2017/dsa-4064
  5. Gentoo Linux Security Advisory: https://security.gentoo.org/glsa/201801-03

Industry Exposure (most to least affected)
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Manufacturing: Medium
  2. Health Care & Social Assistance: Medium
  3. Public Administration: Medium
  4. Educational Services: Medium
  5. Transportation & Warehousing: Low
  6. Arts, Entertainment & Recreation: Low
  7. Finance and Insurance: Low
  8. Retail Trade: Low
  9. Information: Low
  10. Other Services (except Public Administration): Low
  11. Professional, Scientific, & Technical Services: Low
  12. Management of Companies & Enterprises: Low
  13. Utilities: Low
  14. Agriculture, Forestry, Fishing & Hunting: Low
  15. Mining: Low
  16. Wholesale Trade: Low
  17. Accommodation & Food Services: Low
  18. Administrative, Support, Waste Management & Remediation Services: Low
  19. Construction: Low
  20. Real Estate Rental & Leasing: Low
