Firefox developers have fixed an “evil cursor” problem exploited by fake tech support scammers. Due to this bug, attackers did not allow victims easily leave malicious sites. The vulnerability was fixed in Firefox 79.0.
The “evil cursor” problem was first discovered in Chrome and was described in 2010. Essentially, such attacks are based on the fact that modern browsers allow site owners to change the appearance of the mouse cursor for their visitors. Most often this is used for browser games, as well as AR and VR, but such cursors can be a serious problem.Typically, malicious sites change cursor settings so that the actual click is not in the area where the cursor is displayed on the screen. For example, the attackers create a 256×256 pixel cursor, and while the normal mouse cursor is displayed in the upper left corner of this invisible square to the victim, the click occurs in the lower right corner”, – information security specialists describe “evil cursor”.
As a result, the user tries to click on various interface elements, for example, he wants to close the tab of the fake technical support website, but it does not work, because the user clicks on the completely different area from where the cursor is located.
Chrome devs fixed this issue in their browser last year. However, it took more than six months to fix such a simple problem.
The fact is that custom cursors are allowed in browsers, since they are often used in games, and we simply did not want to prohibit their use. As a result, together with Malwarebytes specialists, we came up with an original solution to the problem”, – say Google engineers.
Then the famous information security expert Jerome Segura illustrated the bug with a nice gif-image.
The ‘evil cursor’ is a simple and yet effective way for tech support scammers to achieve the browser locker effect. Bug report here:
https://t.co/XK63djq6wH pic.twitter.com/zNcSc8ox9G— Jérôme Segura (@jeromesegura) September 14, 2018
.
Now the problem of the “evil cursor” has again touched Firefox. The fact is that in 2018, Mozilla engineers already fought this type of attack and released a patch for their browser.
However, recently, Sophos discovered that attackers found a way to bypass this fix and continued to use malicious cursors on fraudulent sites. According to experts, the attackers deliberately created an infinite loop in the code of their sites to avoid triggering 2018 patch.
As a result, Mozilla has fixed the issue again, and this time the vulnerability is identified as CVE-2020-15654.
We also recently wrote that Mozilla Firefox developers fixed two 0-day vulnerabilities.