惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Google Online Security Blog
Google Online Security Blog
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Stack Overflow Blog
Stack Overflow Blog
GbyAI
GbyAI
Microsoft Azure Blog
Microsoft Azure Blog
I
InfoQ
F
Fortinet All Blogs
N
Netflix TechBlog - Medium
Martin Fowler
Martin Fowler
腾讯CDC
C
CERT Recently Published Vulnerability Notes
博客园 - 聂微东
L
LINUX DO - 热门话题
Y
Y Combinator Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Microsoft Security Blog
Microsoft Security Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
WordPress大学
WordPress大学
C
Cisco Blogs
A
Arctic Wolf
Latest news
Latest news
Jina AI
Jina AI
P
Proofpoint News Feed
博客园 - 叶小钗
Vercel News
Vercel News
T
Threat Research - Cisco Blogs
博客园 - 三生石上(FineUI控件)
K
Kaspersky official blog
C
Check Point Blog
H
Heimdal Security Blog
博客园 - Franky
小众软件
小众软件
The Register - Security
The Register - Security
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Google DeepMind News
Google DeepMind News
AWS News Blog
AWS News Blog
The Hacker News
The Hacker News
T
The Exploit Database - CXSecurity.com
aimingoo的专栏
aimingoo的专栏
Project Zero
Project Zero
G
GRAHAM CLULEY
爱范儿
爱范儿
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Scott Helme
Scott Helme
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
NISL@THU
NISL@THU

The Register - Security: Research

www.theregister.com Self-destructing Mistic backdoor linked to access broker selling corporate footholds to ransomware gangs PRC-linked spies hid inside medical and military networks for more than a year, snooping through Gmail and stealing data Nobody needs Mythos or 0-days to build a chaos-causing computer worm – free open source models work just fine ChatGPT blindly trusts browser content, turning the page into a payload Russia-linked threat group put ChatGPT to work from lure to payload Kids can bypass some age checks with a drawn-on mustache What type of 'C2 on a sleep cycle' do they leave behind? Novel Chinese spy group found in critical networks in Poland, Asia ORNL builds more sensitive GPS interference detector Researchers find sabotage malware that may predate Stuxnet Vibe coding upstart Lovable denies data leak, cites 'intentional behavior,' then throws HackerOne under the bus Anthropic, Google, Microsoft paid AI bug bounties – quietly Security reserchers tricked Apple Intelligence into cursing Don't open that WhatsApp message, Microsoft warns Security boffins harvest bumper crop of API keys from web Lightning-fast exploits mean patch fast, says Cisco Talos AI agents are 'gullible' and easy to turn into your minions Smooth criminals talking their way into cloud environments, Google says Snoops plant info-stealing malware on iPhones, Google warns Cybercrime up 245% since the start of the Iran war Rogue AI agents can work together to hack systems Fake applicants are sending security-killing malware AI agent hacked McKinsey chatbot for read-write access Kaspersky: No signs Coruna iPhone exploit kit made by US Perplexity Comet browser hole was exploitable via cal invite DEF CON hackers 'fed up with government,' Jake Braun says DEF CON hackers 'fed up with government,' Jake Braun says Ransomware payments cratered in 2025 – attacks did not Ransomware payments cratered in 2025 – attacks did not Claude's collaboration tools allowed remote code execution AI takes a swing at online anonymity Fake 'interview' repos lure Next.js devs into running secret-stealing malware Threat intelligence supply chain is full of weak links AI agents abound, unbound by rules or safety disclosures RAT disguised as an RMM costs crims $300 a month Android malware taps Gemini to navigate infected devices Posting AI caricatures on social media is bad for security Payroll pirates conned the help desk, stole employee’s pay Microsoft boffins show LLM safety can be trained away For the price of Netflix, crooks can rent AI crime ops For the price of Netflix, crooks can rent AI crime ops Fast Pair, loose security: Bluetooth accessories open to silent hijack Fast Pair flaw exposes Bluetooth devices to hijacking A simple CodeBuild flaw put every AWS environment at risk A simple CodeBuild flaw put every AWS environment at risk DeadLock ransomware uses smart contracts to evade defenders Python libraries in AI/ML models can be poisoned w metadata OpenAI patches déjà vu prompt injection vuln in ChatGPT Fake Windows BSODs check in at Europe's hotels to con staff into running malware Hotel staff tricked into installing malware by bogus BSODs China's Ink Dragon hides out in European government networks Browser 'privacy' extensions have eye on your AI, log all your chats NCSC finds cyber deception tools work, if deployed right 10K Docker images spray live cloud creds across the internet 'Botnets in physical form' are top humanoid robot risk 'Botnets in physical form' are top humanoid robot risk Apache warns of 10.0-rated flaw in Tika metadata toolkit Novel clickjacking attack relies on CSS and SVG 'Exploitation is imminent' of max-severity React bug Swiss government bans SaaS and cloud for sensitive info Scattered Lapsus$ Hunters stress testing Zendesk weak spots HashJack attack shows AI browsers can be fooled with '#' New ClickFix attacks use fake Windows Updates to swipe creds Years-old bugs in open source took out major clouds at risk LLM-generated malware improving, but not operational (yet) 3.5B WhatsApp users' info scooped through enumeration flaw 3.5B WhatsApp users' info scooped through enumeration flaw 50k more ASUS routers pwned by evolving Beijing-linked op Overconfidence is the new zero-day as teams stumble through cyber simulations LLM side-channel attack could allow snoops to guess topic Landfall spyware used in 0-day attacks on Samsung phones MIT Sloan shelves paper about AI-driven ransomware Security hole slams Chromium browsers - no fix yet OpenAI Atlas Browser tripped up by malformed URLs Devs of VS Code extensions are leaking secrets en masse Chatbots that butter you up make you worse at conflict Tile trackers leak unencrypted Bluetooth data, say boffins Beijing's RedNovember hacked critical US, global orgs Lazarus RAT code resurfaces in North Korean IT-worker scams Suspected Chinese spies broke into 'numerous' enterprises Deepfaked calls hit 44% of businesses in last year: Gartner Kaspersky: RevengeHotels returns with AI-coded malware Ruh-roh. DDR5 memory vulnerable to new Rowhammer attack HybridPetya ransomware dodges UEFI Secure Boot
Your car’s web browser may be on the road to cyber ruin
Thomas Claburn Thomas Claburn · 2025-12-19 · via The Register - Security: Research

Research

Study finds built-in browsers across gadgets often ship years out of date

Web browsers for desktop and mobile devices tend to receive regular security updates, but that often isn't the case for those that reside within game consoles, televisions, e-readers, cars, and other devices. These outdated, embedded browsers can leave you open to phishing and other security vulnerabilities.

Researchers affiliated with the DistriNet Research Unit of KU Leuven in Belgium have found that newly released devices may contain browsers that are several years out of date and include known security bugs.

In a research paper [PDF] presented at the USENIX Symposium on Usable Privacy and Security (SOUPS) 2025 in August, computer scientists Gertjan Franken, Pieter Claeys, Tom Van Goethem, and Lieven Desmet describe how they created a crowdsourced browser evaluation framework called CheckEngine to overcome the challenge of assessing products with closed-source software and firmware.

The framework functions by providing willing study participants with a unique URL that they're asked to enter into the integrated browser in the device being evaluated. During the testing period between February 2024 and February 2025, the boffins received 76 entries representing 53 unique products and 68 unique software versions.

In 24 of the 35 smart TVs and all 5 e-readers submitted for the study, the embedded browsers were at least three years behind current versions available to users of desktop computers. And the situation is similar even for newly released products.

"Our study shows that integrated browsers are updated far less frequently than their standalone counterparts," the authors state in their paper. "Alarmingly, many products already embed outdated browsers at the time of release; in fact, eight products in our sample included a browser that was over three years obsolete when it hit the market."

According to KU Leuven, the study revealed that some device makers don't provide security updates for the browser, even though they advertise free updates.

The researchers cited several case studies that assessed the exploitability of devices with outdated browsers. The Boox Note Air 3 e-ink tablet, released in January 2024, for example, ships with the NeoBrowser, which is based on Chromium 85, released in August 2020.

"Notably, across four software updates, the integrated browser remained unpatched," the researchers said, adding that the company lacked a security reporting channel and that support staff misrepresented the resolution of the problem. As a result, the authors reported the matter to the EU regulatory authorities.

In December 2024, the EU Cyber Resilience Act came into force, initiating a transition period through December 2027, when vendors will be fully obligated to tend to the security of their products. The KU Leuven researchers say that many of the devices tested are not yet compliant.

The authors also looked at gaming applications that include an embedded browser: Steam, Ubisoft Connect, and AMD Adrenalin.

The Steam enrollments submitted through the CheckEngine framework included two browsers based on Chromium 109, from January 2023, and one that used Chromium 126, from June 2024. The researchers said that while they could not reproduce any of the three known vulnerabilities tested, they found that they could spoof the origin of alert boxes in the older versions.

"Here, by exploiting an open redirect – previously discovered for a Steam domain – an attacker could craft a URL that triggers an alert box appearing to originate from a legitimate domain, which is useful for phishing attacks," the researchers said.

Ubisoft Connect's embedded browser, based on Chromium 109, also didn't yield to known vulnerabilities due to a limitation that did not allow the opening of new tabs or windows, but the authors did find the browser came configured with the --no-sandbox flag, which raised the risk of privilege escalation attacks.

With AMD Adrenalin, the KU Leuven researchers reproduced the address bar spoofing vulnerability in its Chromium 112-based browser from April 2023. AMD, they said, acknowledged the issue and was working on a fix at the time they initially presented their findings.

The authors put some of the blame on development frameworks like Electron that bundle browsers with other components.

"We suspect that, for some products, this issue stems from the user-facing embedded browser being integrated with other UI components, making updates challenging – especially when bundled in frameworks like Electron, where updating the browser requires updating the entire framework," they said in their paper. "This can break dependencies and increase development costs."

But in other cases, they suggest the issue arises from inattention on the part of vendors or a choice not to implement essential security measures.

While they suggest mechanisms like product labels may focus consumer and vendor attention on updating embedded browsers, they conclude that broad voluntary compliance is unlikely and that regulations should compel vendors to take responsibility for the security of the browsers they embed in their products. ®