Targeting browsers

August 7, 2009

More than 50 vulnerabilities were patched in Apple's June 9 update of its Safari browser 4.0 – some of them more than three years old. On that same day, Microsoft's Patch Tuesday included fixes for eight Internet Explorer (IE) vulnerabilities, a record for one month, including one that impacts Microsoft's latest version, IE 8. Not to be left out, the popular Mozilla browser recorded 99 vulnerabilities in 2008, the highest number on record for a single browser, according to Symantec's latest Internet Security Threat Report.

“The browser is where the sensitive information is when users are shopping and banking online,” says Mickey Boodai, CEO of Trusteer, a vendor of software to protect against financial malware attacks. “Inside the browser is the perfect place for criminals to be.”

For a second year in a row, web-based attacks remain the leading route for cyber profiteers, according to the Symantec report. Malicious sites, pop-ups, ad links, search engine links and other interfaces on the web are targeting browsers and their many plug-in components with clickjackers, rootkits, botware, session injections and other malicious payloads.

Organizations are looking at web filtering, vulnerability assessment, even data leakage protection (DLP) to help protect their enterprises and customers from browser-based attacks. But the market is disjointed, with solutions that address only one or two of dozens of browser-related security issues, most of which aren't ready for centralized management from a single console.

“There is no silver bullet,” says David O'Berry, director of information technology systems and services at the South Carolina Department of Probation, Parole and Pardon Services, and also chair of the security subcommittee for the state's IT Solutions Committee. “We've tried requiring what browsers to use, whitelisting where users can go to on the internet, and putting web filtering in the network – all while using plug-in tools.”

Additional layers of browser security were most recently built into his organization's next-generation Advanced Mobility Platform (AMP-NG), a home-grown system that ties together commercial and internal applications on securely imaged HP replacement laptops. The laptops began rolling out in June to the department's 720 users, half of whom work away from the central office.

New web security features in systems under O'Berry's control include the monitoring of outbound data through the browser using a DLP tool, as well as system rollback, which can be used to return systems to a pre-infected state should malware manage to get past all these layers and install on the computer.

Take stock
Impact and assessment are the best launch points for a browser protection plan, suggests Andy Hayter, anti-malcode program manager at ICSA Labs, an independent division of Verizon Business that sets standards for information security products.

From a deployment and costs perspective, it may be simplest to just disable internet access if it's not needed for employees to do their jobs. Or if they must have internet access, organizations may want to block execution of JavaScript or use the NoScript plug-in on Mozilla browsers.

Both of these are impractical in all but the most security-sensitive organizations, such as those whose work involves transferring money or medical data. In most cases, browsers are needed for business to operate, so it's important to assess and approve the types of browsers and plug-ins allowed, O'Berry says.

His organization narrowed down approved browsers to Firefox, which is preferred, and IE, which is required to access some necessary sites. O'Berry also considered blocking trouble-prone types of web application frameworks from accessing the browser, but couldn't because of their ubiquity.

“Even the HTML standard was not built with security in mind, so the standard itself would have to be modified to facilitate secure web browsing,” says Josh Abraham, security consultant at Rapid7, a vulnerability management company.
 
Know the enemy
Since most exploits take advantage of known vulnerabilities, it is essential to include browsers and their plug-ins in vulnerability and patch management workflow, says Abraham.

However, repairs are not always available. Furthermore, the time is shrinking between when vulnerabilities are discovered and when they're “weaponized,” adds Paul Royal, principal researcher with Purewire, an Atlanta-based web security company. As such, browsers are being used as vehicles to drag other malware deeper into the computer, says Royal.

But in some cases, the browser is the only thing the criminal is after, adds Abraham. “If you want to access a system, then you use a browser-based exploit to get deeper into the network,” he says. “If all you want is access to an app, then hijacking a browser session to get user credentials is good enough.”

Abraham is referring to what is called cross-site request forgery (XSRF), used to get in the middle of a secure browser session between a user and, say, his bank. Also known as session hijacking, it can occur on the fly if a user who is banking online also has a browser window open to a malicious site, which piggybacks on the authenticated banking session to act in the user's name.
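The forgery Abraham describes, and the server-side checks that defeat it, as an added example that is not from the article or from any vendor named in it. The bank's transfer endpoint, its in-memory session store and the https://bank.example origin are all constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

SESSIONS = {}          # constructed session store: session id -> {"user": ..., "csrf": ...}
BALANCES = {"alice": 1000}             # constructed ledger
SITE_ORIGIN = "https://bank.example"   # assumed origin of the bank site

def new_session(user):
    """Log a user in: issue a session cookie value and a per-session CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid

@dataclass
class Request:
    cookies: dict                 # sent by the browser automatically, even cross-site
    form: dict                    # POST body, fully controlled by the page that sent it
    headers: dict = field(default_factory=dict)

def transfer_vulnerable(req):
    """Trusts the session cookie alone, so a POST triggered by any open tab succeeds."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401
    BALANCES[sess["user"]] -= int(req.form["amount"])
    return 200

def transfer_hardened(req):
    """Same endpoint with a synchronizer token and an Origin check."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401
    # The token is embedded in the bank's own form; a malicious site cannot read
    # that page (same-origin policy), so a forged POST cannot supply it.
    if not hmac.compare_digest(req.form.get("csrf", ""), sess["csrf"]):
        return 403
    # Browsers attach Origin to cross-site POSTs; reject anything not from the bank.
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403
    BALANCES[sess["user"]] -= int(req.form["amount"])
    return 200

if __name__ == "__main__":
    sid = new_session("alice")
    # Forged POST: the browser adds the cookie, the other tab supplies the form.
    forged = Request({"sid": sid}, {"amount": "100"}, {"Origin": "https://evil.example"})
    print(transfer_vulnerable(forged), BALANCES["alice"])   # 200 900
    print(transfer_hardened(forged), BALANCES["alice"])     # 403 900
```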

“Our customers are most worried about the download of active code to take advantage of a browser's shared states,” says Dick Mackey Jr., vice president of consulting for Sudbury, Mass.-based SystemExperts, a security consultancy.

In response to web-based threats such as these, ING Direct is offering its online customers a free browser plug-in by Trusteer. This is used to monitor customers' open sessions for page redirects, sudden changes in transactions and other policy-based violations.

“We primarily run into problems with customers that have HTML injection malware on their PCs that looks like a frame of our website, but which is actually a site in China,” says Rob Weaver, head of IT security and privacy at Delaware-based ING Direct.

All of this occurs seamlessly without the user's knowledge, which leaves out a large part of the browser security story: the user. ING handles that with separate educational outreach in the form of phishing and pharming alerts to its clients about browser security settings, patches and updates.

One way some of this education is being automated is through the use of web filtering tools. Using whitelists, blacklists, heuristics and other techniques, these filtering tools determine whether a site is malicious and then alert the user before the page is allowed to load. Filtering tools also need to be applied to phones with browsers, says Patrick Walsh, CTO of eSoft, a Broomfield, Colo.-based vendor that provides email and web security.

As organizations plan their protections, the most important thing to remember is that the browser has grown from a simple application into an unwieldy framework that must be reined in, say experts.

“The browser is an execution platform for plug-ins, extensions, engines and more,” adds Mackey. “The more capability you put in the browser, the more vulnerable it is. All the dangerous vulnerabilities in browsers center on the browser doing what it was intended to – execute code.”
