Jerome Segura

Microsoft's Internet Explorer has been the entry point into users' systems for years.

Shipping as the operating system's default browser, it has had a long history of security vulnerabilities leveraged in drive-by download attacks.

But things are changing. Indeed, IE's market share has declined drastically and Microsoft's latest operating system now has baked-in software updates and a new browser, Edge. In the meantime, exploit kit maintainers are struggling to come up with fresh and working exploits that will guarantee high infection rates.

It is inevitable that the most popular browser, Google Chrome, is now heavily targeted. Although it is a very secure browser, with sandboxing, auto-updates and the Safe Browsing API to name just a few of its features, its overall security also depends on the human behind the keyboard as well as on third-party code running as browser extensions.

Security researchers at Proofpoint recently discovered an interesting attack that perfectly illustrates malware authors' increased focus on Chrome. A campaign known as EITest, which normally redirects users to exploit kits, is filtering for Chrome users and sending them to compromised websites, but not to infect them directly with a drive-by download. Instead, a clever piece of code changes the appearance of the page to make it look like it requires a special font to display properly. The font available for download is nothing but malware.

To extend its functionality, Chrome supports browser extensions, and the Web Store is the official place where one can download a variety of extensions ranging from utilities to games. While extensions are very powerful and useful applications, they can also contain security vulnerabilities, invade privacy, or even be outright malicious.

Just recently, Tavis Ormandy, a vulnerability researcher at Google, demonstrated how a flaw in an extension for the Webex communication software could be used to run arbitrary code. It is not far-fetched to foresee real-world attacks using extensions as a springboard to automatically infect machines.

Truly malicious extensions are typically installed by social-engineering users with a simple lure (free game, optimizer), but we are also witnessing more and more forced installations. Those are driven by malvertising that pushes fraudulent warnings and forces the browser into full-screen mode until the user finally agrees to install the extension.

For these reasons, Chrome (and Chromebook, for that matter) users will see an increase in attacks targeting them, both via social engineering and via security flaws in third-party code, as malware authors cannot simply rely on an aging browser that will eventually be decommissioned.