Winning the browser security battle
Operation “Aurora”, the sophisticated Chinese cyber attack that hit several dozen companies in December 2009, not only compromised the intellectual property of the companies, but also raised the critical issue of Internet browser security.
The primary enabler of this specific exploit was an unpatched vulnerability in Microsoft Internet Explorer (IE). By taking advantage of this unfixed security hole in the popular Web browser, cyber attackers compromised user’s systems. It happened when a victim was lured into navigating to a malicious web page from a vulnerable Microsoft Windows system, where JavaScript code then exploited the vulnerability. The infected system then contacted remote servers controlled by the attackers, allowing them to view, create, and modify information on the compromised system.
Browser vulnerabilities affect all Web browsers and vendors, and are far from being an exclusive issue for Microsoft. However, since it’s the most commonly used browser, with hundreds of millions of users around the world and the largest market share, IE naturally tends to be a favorite target for cyber attacks. Yet, Apple Safari, Opera or Mozilla Firefox have had their share of security flaws, which, if exploited, could also lead to the same type of attack that we witnessed recently.
In spite of vendors’ constant efforts to release new, higher performance, more secure web browsers – for example, Google recently launched the Chrome browser and Microsoft is currently testing a new Gazelle browser – numerous browser attacks and vulnerabilities continue to be reported. In 2009 alone, over 300 browser vulnerabilities were publicly reported in the CVE (Common Vulnerabilities and Exposure) repository, including several dozen for each vendor.
What makes browser attacks so popular?
The Web browser is one of the most ubiquitous applications used throughout the computing community. Browsers integrate many complex applications such as ActiveX, Cookies, Plug-In, Flash Player, Java, Acrobat Reader and so on, which extend the browsers’ functionality and enable them to host graphics, user-friendly interfaces and all sorts of animations. Many websites require the user to install additional software to enable these features. Alternatively, those bundled programs are commonly enabled in most browsers’ default settings.
Each application, however usable it is, likely contains additional flaws and vulnerabilities in addition to the web browser itself, therefore increasing the total security risks for users. Some of the risky web features include:
ActiveX – Used by Microsoft Internet Explorer on Microsoft Windows systems, ActiveX is a technology that has seen various vulnerabilities and implementation issues. One of the latest ActiveX vulnerabilities was discovered in July 2009 in Microsoft DirectShow Video ActiveX Control. The exploit, through drive-by-attacks, compromised thousands of Web sites, which in turn infected endpoints with malware and exposed companies to potential data leakage.
Java – Java is an object-oriented programming language used to develop active content for Web sites. Many software applications contain security vulnerabilities in their implementation of Java, allowing for arbitrary code execution with the same privileges as the current user.
Plug-ins – Plug-ins are applications that are intended for use in the Web browser. They may contain programming and design flaws, such as cross-domain violations and buffer overflows. Adobe Flash Player is an example of a browser plug-in that has been affected by dozens of vulnerabilities in the past year.
In a browser attack, what hackers typically do is create deceptive Web pages or links that redirect the user to undesired locations that then download malicious software on to the users’ PC. The attacker then exploits the access as if they are the user with full rights, and can steal sensitive or private information, hijack the browsing session or use the original target computer to attack other computers. These exploits can even affect secure websites protected by SSL certificates, such as banks or credit card companies.
So, while many years ago you could get infected typically if you downloaded a bad program or perhaps pirated software from odd web pages, today hackers can inject malware directly into reputable websites, including the news sites users browse every day. This means that just by browsing to a web page, your computer can get infected.
So how do you stay safe?
The best ways to block web browser attacks on the end-point level is by “sandboxing’ the browser. Sandboxing, also called browser virtualization, prevents the browser to affect user data, other applications, or the operating system. t does this by redirecting the Web attacks to a sandbox, where the attempted attack is trapped and cannot access or harm the operating system. In an enterprise environment, to safeguard against Web-based threats it is also highly recommended to complete protection with an IPS system that will detect and block these attacks.
In addition to implementing these protections, Internet users and administrators should regularly patch and update their browser to make sure they are using the latest version. The browser plug-ins and surrounding applications should be patched regularly. For ultimate protection, users should disable built-in browser functionalities and configure security settings so that Java applets, JavaScript and VBScript, ActiveX controls don’t run automatically. This will decrease the risk of attacks through feature vulnerabilities.
After all, just like browser technologies evolve, so do threats and cyber criminals’ activities. As the web browser is your gateway to the Internet, isn’t it worth ensuring you have the right level of protection to stop threats getting through?