The Computer Emergency Response Team-India (CERT-In) has advised users to update the popular browsers Google Chrome and Apple Safari to avoid cyber attacks.
The state-run cybersecurity agency had issued two separate advisories this week marking them ‘High’ in terms of severity. For Apple Safari, CERT-In noted, “multiple vulnerabilities have been reported in Apple Safari which can be exploited by a remote attacker to execute arbitrary code, perform cross-site scripting attacks or cause URL Unicode encoding on a targeted system.”
It added that these vulnerabilities, which affect Apple Safari versions prior to 13.1.2, are due to various issues such as improper input validation, access restrictions, state management and memory handling.
Meanwhile, the vulnerabilities in Google Chrome could allow remote attackers to execute arbitrary code, bypass security restrictions, access sensitive information, and conduct spoofing and denial of service (DoS) attacks on the targeted system, reported The Hindu.
CERT-In added that these vulnerabilities are due to heap buffer overflow, side-channel information leakage, type confusion, inappropriate implementation in WebRTC, use after free, policy bypass, insufficient policy enforcement, incorrect security user interface and more.
A remote attacker can easily exploit these vulnerabilities in Google Chrome and Apple Safari by persuading a user to visit a specially crafted website.
On July 15, CERT-In had also issued a warning against Microsoft products — Microsoft Windows, Microsoft Office, Extended Security Updates, Developer Tools, Browser, System Center and Open Source Software. The cybersecurity agency added that these vulnerabilities can help attackers perform cross-site scripting (XSS) attacks, elevate privileges and obtain access to sensitive information.
India was the second most cyber-attacked country between 2016 and 2018, according to a new Data Security Council of India (DSCI) report. But there has been a further increase in cybersecurity breaches due to the Covid-19 pandemic and institutions going remote.
Last month, CERT-In warned users about hackers who can steal their important personal and financial data. The malicious actors are claiming to have 2 Mn individual email addresses and the attack campaign was expected to start on June 21.
“It has been reported that malicious actors are planning a large scale phishing attack campaign against Indian individuals and businesses… The emails are designed to drive recipients towards fake websites where they are deceived into downloading malicious files or entering personal and financial information,” the advisory said.
CERT-In further claimed that the phishing campaign is expected to impersonate government agencies, departments and trade associations that have been tasked with overseeing the disbursement of government aid. Meanwhile, cybersecurity research firm Cyfirma has also warned that Chinese state-sponsored hacker groups could target Indian businesses and government establishments.