New browser releases are already on pause – a situation that may be concerning to web security professionals

ANALYSIS Covid-19 has prompted many of us to work online remotely, and vendors are working to ensure the pandemic does not impact the security of our browsers.

The cybersecurity industry has been rocked by the coronavirus, with offices emptying and staff self-isolating. There’s nothing like a crisis for cyber-attackers to profit from, with scams capitalizing on the fear surrounding the respiratory illness now abundant.

FTC and FCC officials have already warned consumers of an explosion in phishing emails – some of which have been masquerading as the World Health Organization.

Typical DevOps pipelines are being disrupted, too, prompting concerns that new vulnerabilities in popular web browsers may not be addressed in a timely fashion.

However, a number of major vendors are prioritizing the security of existing browser versions over the introduction of new features as a strategy for dealing with the crisis.

Adjusting to the change

Google was the earliest to warn that Covid-19 would disrupt the planned timeline for upcoming Chrome releases.

On March 18, the company warned that the coronavirus outbreak has resulted in “adjusted work schedules”, and a change in priorities would mean new Chrome and Chrome OS releases were put on hold.

The tech giant’s developers will now focus their efforts on stability and bugs, with teams set to “prioritize any updates related to security” in Chrome 80.

(Update: following the publication of this article, Google published a revised schedule for Chrome. The next major release, Chrome 81, is due to roll out on April 7).

Microsoft has asked members of staff at its Seattle main campus and in international offices to work from home whenever possible, resulting in similar disruption to its Edge browser development.

When contacted for comment over upcoming releases of the browser, the Redmond tech giant pointed us towards a recent update on channel releases.

On March 20, Microsoft said that the company was following in the Chromium team’s footsteps and would be pausing updates to the stable channel for Microsoft Edge “in light of current global circumstances”.

Microsoft added, however, that security would not be impacted by the Covid-19 outbreak, as security fixes and stability tweaks will still be served over the coming weeks to Microsoft Edge 80 – the latest mainstream version of the browser.

Preview channels – Canary, Dev, and Beta – will continue to update “on their usual schedule”, according to the company.

When it comes to Windows client and server products, Microsoft is also maintaining a focus on security, “pausing all optional non-security releases” in the process.


TLS rollback

Mozilla, the developer of the Firefox browser, published version 74.0 as a mainstream release on March 10.

The release included a patch for several critical vulnerabilities and was intended to disable the insecure TLS 1.0 and TLS 1.1 in order to push webmasters to migrate to the more secure TLS 1.2 and 1.3 protocols.

However, in light of the disruption Covid-19 has caused, Mozilla has rolled back this change for an “undetermined amount of time”.

The decision was made to give government sysadmins time to make the switch and to avoid the risk of throwing up a ‘Secure Connection Failed’ barrier to online government health advice during a global pandemic.

“The cadence will not change as of now but we’re continuing to monitor things,” a Mozilla spokesperson told The Daily Swig.

No problems in the development pipeline are anticipated over at the Tor Project, which is a remote, distributed community in itself. The non-profit released Tor Browser 9.0.7 on March 23, following a set of security fixes on March 18.

“The Tor Project is understanding that individual issues may arise during this time and are supportive of team members, but we are not anticipating any prolonged delays,” a Tor Project spokesperson told us.

It is reassuring that security has not been forgotten in these cases, given the potential chaos unpatched zero-days could cause for users worldwide.

On March 24, Apple released Safari 13.1, including a shift to block third-party cookies by default through an upgrade to the browser’s Intelligent Tracking Prevention (ITP), as well as a ‘Not Secure’ warning for sites using TLS 1.1 and 1.0.

The iPad and iPhone maker has released investor guidance on how Covid-19 will impact financial results, but at present, development pipelines appear to be operating normally.

The Daily Swig has also reached out to Google and Apple with questions, and will update this story once we hear back.


READ MORE Pwn2Own 2020: Live hacking contest goes virtual amid coronavirus pandemic