While fear is often considered a great motivator, SC Congress New York keynote speakers Angelo Prado, product security director and Xiaoran Wang, senior product security engineer, both from Salesforce.com, used demonstrations and code displays to reveal just how vulnerable modern browsers are to attacks.
In the final keynote address of the event, Prado and Wang demonstrated a variety of attacks, as well as explaining how a user can verify that a link is valid. They also explained why some browsers make it impossible to confirm the validity of some links.
Prado demonstrated how common characters in a URL address might not be what they appear to be. Attackers can use non-alphanumeric characters, such as Cyrillic character that displays on computer screens as the letter “a” or a character that appears to be a period but is not. Sometimes, he said, that Japanese katakana character that looks similar to a forward slash with a little bend in it or the mathematical division slash, which appears as a “∕” but uses a different Unicode than the forward slash “/” generally used in URLs, can be used by an attacker to change what looks like a valid URL into one that directs to a malicious page.
While patches for vulnerabilities in applications such as Adobe Flash have become commonplace, Wang says, modern Web code designed to replace Flash has unpatched vulnerabilities. Wang demonstrated potential attack vectors using HTML5, the latest version of the web language designed to enable developers to take advantage of a variety of advanced web capabilities without running afoul with the security challenges in Flash.
A feature in HTML5 called Download Attribute allows a user to download a file directly from a link without first going to the page where the file exists, he said. A clever attacker can create an attribute to links directly to a malicious file that can run in the background even while the user downloads the image they expect to see.
Some common user activities, such as dragging and dropping an image from a web page into a document on the desktop can launch hidden, malicious code, Wang said. He showed how dragging a cute, kitten image from a web page can launch a hidden application designed to steal user credentials. But the user need not just drop the file onto a desktop; they also can launch an attack by dragging a malicious file from a web site onto a cloud-based drive.
The presentations also displayed issues with cross script filter bypasses, so-called Ghost Malware, and a variety of other approaches popular amongst cyber criminals. Even games can be attack vectors, Prado said. Even browser bugs that have existing patches still are vulnerable because not all users — corporate or consumer — take the time to update their software.