|
|
|
From Microsoft Internet Explorer 8 to Mozilla Firefox, Web Browsers Tighten Security
By: Brian Prince
2009-03-21
Article Rating:  / 11
There are 4 user comments on this Network Security & Hardware story.
Web browsers remain a target for security exploits by hackers, even as browser makers keep watch for Web application vulnerabilities. A report from Cenzic as well as the exploitation of Apple Safari, Mozilla Firefox and Microsoft Internet Explorer during the recent Pwn2Own contest at CanSecWest underscore the need to keep bolstering browser security.From Microsoft's Internet Explorer 8 to Apple Safari, popular Internet
browsers have taken a bit of a public beating the week of March 16. Even as
hackers continue to focus most of their attention on Web applications, exploits
targeting the browser always make juicy tidbits for black hats.
In Cenzic's
Web Application Security Trends Report, (PDF) released March 18, the vulnerability
assessment and risk management software company found that there was 7 percent
increase in the number of browser
vulnerabilities in the second half of 2008. Microsoft Internet Explorer accounted
for 43 percent of that total, with Mozilla Firefox following closely with 39
percent. Apple Safari and Opera Software's Opera browser accounted for 10 and 8
percent, respectively.
Then there was the Pwn2Own contest. Hosted by TippingPoint, the annual hacking
event at CanSecWest this year saw security on IE, Safari and Firefox all go
down for the count.
With all this as a backdrop, it should be noted that browser security in
general is improving, some researchers said. The past few years have seen an
increasing amount of security
built into browsers, ranging from IE
8's cross-site scripting filter to the sandboxing in Google Chrome, which
Charlie Miller, one of the prize winners at the 2009 Pwn2Own event, said limits
the amount of damage that can be done.
"Most vendors have become [resigned] to the fact that bugs will always
exist," said Miller, an analyst with Independent Security Evaluators.
"That means what is left is making it impossible to exploit the
vulnerabilities and do malicious acts. So sandboxing is another hurdle the bad
guy will have to get through."
Anti-phishing features in the major browsers have also helped make them more
secure. But that can be augmented with whitelisting services, Gartner analyst
John Pescatore said.
"[In addition,] businesses really, really, really need a way to tell if
a human is operating the browser, or is this connection coming from a spider or
botnet client or screen-scraper," Pescatore said. "The browser guys
could work with the Web app serverMicrosoft and Apache to come up with some
way of the browser declaring 'a local keyboard is operating me' would be a huge
help [in] fighting automated fraud."
Still, efforts to authenticate active code such as IE's Authenticode, wean
users off using cookies to remember user names and passwords, or detect
pass-through attacks such as buffer overflows have not met with broad success,
said Eric Ogren, principal analyst with The Ogren Group. The fundamental
problem is the standard usability versus security argument.
"Browsers have to serve so many needs that their attack surfaces are
exceptionally difficult to secure," Ogren said. "The biggest problem
is that classic security techniques constrain the user experience to the point
where the browser will not be used."
|
|
�������xv㶲 ;^+(}LR/ٖm[ޖ;ҢHHbL$e[K?gK3~U�xӅ|8g����BP(�~ ogOD\ݴ�9w͙M5>5J�`OS;S
�1F㠮5Y�=+[�}D}�F�6�\�3��fb
^�Qk$Ё_Mܦ�%y}L�DRNϊ�mzO|��ַ0>t@T|�� p'DFþ�=a�'E%�k4ً�ᐨqG/�ad�wy4�;U'iS[�7Sա*v�25v+n
�/�@Z��#\DȁY\nh�=Tݑm:���{ �-�Xd�UZL�wb�6S!1kk�Tը>lYG|ݑ|YCXw:Qt���A3Mu��֟CԿ($fҀ��8QK�jkF=Ķ|h�G'�)tq�r�_սYoׁn܌� �ϑjQҋZN-ZjZAS� T�$0yY>E�4dEU��au;L-^m^:AN,��SAT4
行Ġ�K`W+�2Zt\�_?]r\/;]rҹ"ǭV�I;��i
Of�ɷV�~��'^=z��'6�l
M��u�ô|WVK5IͽGbsr"�tx>"9I�G|;&:흟��Cz�J�ݖEL_ȻH]�KŗG)H7�3ǚ��-md±�(|Ǻ�r�N�9~}EjV㭱J+Ҙ&
�)B�:A`�̺玀�R�$9�Vϡ�8ȟ4�R\� 9lbs�vf�y�M)I�K2_VJ�-ɿE7h+dԌ�ө$ɛ!"Gn�9x��|!XsI��((�G���NlO}ٹ!jYY6'*daeIUiS[dhE�ށ:It:&E[nC�T��364>P�,H�!eݴ%�g榣V)b1x+%Y��E*�X8ʍ�??6m!SG�ñA�S&M:gvY0`���;}B_�Oi&8!9~��tD�AG66^�zK
tcl���>#ä �p�V8;�tCuәa �{>�0���kBi=D�%��h��-DCwM0Ieg!�@uK�LΝ݀2&C?�FtE@�>X^0��G`^@8)pp�yY?�0��g>�o��߽5�#z[-[�X6x�G͙A R�N\Q�@Ǣ�dQJ
ds���4.'P(AH �9k���� \��99�
�ŊQ^KH�X-�VpD�JM'8ܑWKR�X�){T�Kh+�K@f:34YIJM힟
X�*ȉ#�m"0�9X����
-'Z
X�k%漭�Z)m�2*�CȕJV��Ȋ*/kL�|�Ca3#ϖ�̠_#&(=2齅d�'�*4+d�pPs'�<`t�=
�Xհݙ2||��Ij[igܗS�i
���|kV� S�pć��9E#rQϚX� %<�.�ƲB"5w�C���ʚJJ*$,4�?gaE8F2�b5i%ӻnR/|K؝P48%'1N`�sW|��]Ө5mOdi[%�ͺ�E[�9(ۥi]hk%�T�?���![r5}a6�F]��RZRKPDl�Pc/X�+e�zdy�M2�&Z�Oе`�5s;o\Pe_M�}dҶbF�oՒh�Mb1vn�� �ʸ�5MVRQy9�:zG�Ѓ`�=r=�]?����<�w�ļZB_vAkMtg
�&rI)jy�#l��q-Z
;tm۽�szN8t�1D-g���@?�a�Po5�>� ��T�#!EX+LDBYah�[s�6/Kg>f}4~�B+�p��&�L>Bkf�w`lrC#J�REu�x.(J9A�w)` N� 2|h�<|�CP�&,�t�\$�����@0 !�P��TQ-W0.#Ƃ_L��_LU1(TO"n»hC��{
X]>(D��~Ê?DJRcK=.C+DÜU^oV��w�$JPVbtx�C+jrPT+
8;|%ZAg~~Ȼ(
�I�J
�d��1j}}G�{ѷzpE57^_>��^R3;�|b2,`�� |��,yd�ȗaE*�ㅴ�ZPQ"+�ȣ�Y �V� W�MU��~t�V87V=�<�@?
v�#lh�x�R
�`�j@$��p�LM{2jJvg
`�\7~,p$���HsA-~Ȯ¿bRXE�G�?voqiM)D�kp�?F]S؇Qgm/ RU�*~iu^�ߜmpHA��`��
Нv;#ؐCKA;fVS8�o t렀6RaMxތ�9"zeaހWIl��J�hL�뷖h�]�-Qm(}�gˣ�"CW5��dDfaN'�¥� ek&�;�[�* <�Wk*�ktݿy��j�9z{⇺q3e�-&sC�dKc0ާ'� ��Yn�:AjAyI�h;W.�-^ir0NxT!�"�kq�0n|�#8wDA$ۭ>�\�tc5'y��]SK�n�:R.��R
R=cx�Se}{c2�6woUUNSF<:H�3$ߐ@hOXM�] ?k7Ṩf�vmv뿌UcxP�R��aƭbR/g� ?�+:T�f#DU�}d5Oӑ�?>�n!�VɕFZV/&�IC{EY(,.>&CUX)TԒ�/IXᐋqAɂ]A�Ӏ)x9L�5�Lfl�'�`�P(c&Z�TW"6)wD<�7ϰ�;b�}Nb���4PG���}ʴWՄθ�ā�1O?f�-$ڎ�Vum4eP�$5gMٸU
V|�2*ijAROsGF:(8=.�]EQh2)nQ==յћYӀ �G�(w}}�Nr@*�5�]�*; s�s4a!`��Xޫ=bxEO��P?l]�Z.+B�vA�*�s>P�|��o
-"Ԅ֟; +�~7?l)ɁH�HD�>DQkF\{e"��nxB*�gF�Dssb^f.^*o�����[�/I]S�0:;_��c3ax��-$�Yԕºp>ƶO:�=y>LЫ{;~xmڝ}:(�rj8E��jizR���-�}Uj_�OJ���-�?\u>]�K�?�tȾYMw $(��X�����O"y|ܾ ]whgg^�py- 8@W�;^\9o^}h_/~�u:W��9k_dcxΥx\�{�RbG!pUV*<��f�Sڌ6�N
,#�Z[=8�0s�)��f@ t[WX0z!ӱB�ZMUc |
ʢl��k�wV@lb%%hҫoeW!����Cp0S�`0#>9ͫ|1}~XU*�۽L���H1s
��ذq�;eΫ� Pf|�v�v�,N�͗>W}1lyTѵl�s2M �c.`���p;G�R��r0x&�4�lywy#�x�~4qj\[�9S
Zt
�gcBxa1~h�rpC.:=<뵮HK�09l~%HDRonu�k�5y�ՅO>O�4H�\/O9!-[�wۭݷؓ�̆Oݿ�vI]iNw�7-HUz�xB�P>?F$c:� I"�I^U֩UdU)I�]YD㣑)?8�G�xL_�oꇥ�wD/MZ4��2�UCn�?�u�k=Ǭ
,Gi��p8|#؈fχGɎ?7e{cA�|3
e�\1Kp/WϦ7�߂C�!Cs�h3�[aG0^
<�"�t�(u��߂Kd[:�F�,
yu2V)�a.z_n:?ٿz9+ֻQ^t0>aٖʀI�ɱn(⹃1a7=�{,`D�ӰG}:�X-G!rtvY�JG
T$�P�.RUjr��;R.9b#Y}(e\]k�Ƥ/?+A@{x�/pv�is�,G�SW�@:7bG��<'�Q�&Ł�(3��E=9l�z�l�`ȧc\Bwؖ�ᙋÙeF\1&�(���@�Ǿ8�d Eq#R<7V(eӰ{p(j@[na��(ו ����hD1Q�Y쿓8��n�xM �,O$B%�D��`�#Gكҷqdy§��"$��:K2h`R�Խzr�qՄ@�瘰[�n8Nymi첎G�/̈�x;Gl+J@VD;m̂<�n�%�'&9xXiJ�隒%W}ޮ8둸"��D* �L0ɍJՂZ<͞%Ӛn� _MxE}
�R
:�jgKJoiYC��y�aԗuzA�"OQiPZ�qa*�(kj_~vu�Ox9:1�M7�͛�=J�yjS!%8`@�mM_z��~t^ъZr')�F-�~PŶ�bR�eO�
)gl/;hڙRGPs�ƬtbT(K4%MB,Kh�I=$@{KRASUY]~ށ)���eFB ����x!y#�IdT"�/j]��x<,jo'�3hS{[>ȍO�2(P#��AxD#��x#��IG"h1U[�7QR~jÂC9CD�/뱇$UZX Ķٰ)�6ExSg)"zdc0D3"|N+:f3\;.g[�k\NxdCAkkkk'xr^X^=<_X~�Z�?K�p>`&�9q@Aܩ���S\*ť�+)��#:'�<,���@�J�W�kB6Jűv,�O�!i>SMUXnY4E|J�3" 8e7I$Q.ʁ5J7gsB*_܆%�n)k6̷��'[�pwkK|ךeo�[88B`R|gA8Mؠ҆P�v`�1Z
ar�ޤ0O*kZ]C���GE��%�.,.�' )tllHYaΎHb1.2֗c�P�P؝q(3A��Ԓ,C�*���
�[UߐT/M*pǥ&v^&zPzȍ
*mH�\5͉X~ߥV Us��q��r4�wb}R��T^C�~t�� U �/yaDmvT_fz�EUysDDWjWZ��VZ-(ݮm�
VBg+Q?|_�d"2biP��_Kf��KR��qsh0~MKb��(|)@b�M@"��^+��f2Hfr�
[��o�Z���5�`�:-�!�&����&�/|�#NN~���NuZo1Xt�3_'x#\Z:h:�!H=�b0�$AԼj&؈�c6�}c5�KDHx9)�S&%kg=u&��
85�}h0͋.�F>0;�E���-#����xGtMk~kc`${��1}ISD�/n�_~5sGF�mlPi*��J:��$��Z'=�UvN.EvGnRJx%Mܲ6VF�]-^/~��ue\5Eԝ\�W{ɜw/߂s<_͜qD
D6w�B(;5=6[7oǴNHvj}m(kk3"{A�-�[�o�f6௶aulau^,^�'/yt
�ȪhֲƑ=:qoRY,]�eeGbr{,ɱu3Ň=
�� ƗY'$��[IHg�s;#}f",N�kV\5P2aD�Ko�pK@$` =@/\.ޮb�A�pn]|@Q|eҞ_FS��W-A�/*`5m{;�pO��fC*X,�S&Lm ~��0�Ŕ�l�opOts��xתqs�+)fF<��F�L�-�j=!vC` fK� }�+n'-;3x"(fUj"p?uf{=��h
7p�K�$:ƒ-T�,�C���@mj|)5,\�9\πJ*j�A4�`]"lR$�|r3{I�ZA)a4Cy^�Iw~ՓGV5U*uGVp=Kp�J4vJ[#�$'}^pYģ�=Hm7bdF+iFwCˠOW1hc�>F��P#�S�C7��,6M$Ae�5T?�0Խ'
)ﵪ ��5��owUi_D8AnIedy6
��*C:#o;I c
O�r�t�F7�e\S[�O8���@��`mļϴ@B�Sx!
&�؛Xi�̥7d{@\;r
8�r,�-D|tz['U}�H?Km1@h�b#3�!�F��♐�0\G��zhE{ZW]
dw<;Cym!���y;&� ����c�3«�I<�R�dY�»<;p�1v��{��\nX\h��:�L8!�in�ǫRS
�ƈn_d�À�3�{cQŰDĤ c�
4Q�?�eMNZ�sx�XҚ�m�!�a�\Ϣ"6n#BLk8�3DD#^r�{4bwڜNdq�d`08�a|/��#@[7d �6C��;b<1C|>O�c �x"˗�H�UL
]N"�@��� '
����?B5ODu�*%n67P�F��0��]�����F�"O
x�}2=�wcܕeZ�5H<�
0Y�Y:ovN���+'��@=PgA~N\b�@Ԕ0�(V�IB�q�XR~DB(�s�
k�$c
3ú~:�_F�`����3�W�VjE)OBӾR:C�KDU8�|.OlY,f/c�\iB�R.
��?$-G쌆=xɾxk�u0 }a3BeT79&]h^^}!'+$'W�~:�]/{�9lu��oė[uss}Ѻj_X�F�j%A\㴽}k3ʡ}Q�ogc7(�_֗����s�?�9?ς�=9<�?0�}g9y�}"^d3(?ӌ@?2ϡ<�"c~/.2�"c:NF; :��!_.>.3�x
*~0n0n{@���ק��埳a|3�9�P~U�{AuF@�ugK\8=R��fr�z)A^d_�~*%IFy
3YY�zvAeX^f\512eߗdnldھ<�'�R+��]Q%>5-{�[I�2}ח�
c|U(X2M*{>#(48%Y}MNJ�4tk 7b[y�DYAI{R}tE�OI>t�qLw<-cENj).~QxdB$8VɴFV�!���Ԯ7'%YØܻ�Gzn(�s�ҷe&m�3?��n`bG~@' @8N_Ew9�[MAw/[`\$V*Ӿd$ӣ6eW~vۗ3����e�-"6G�4
(P"#q} !1ap�S$FU^0�:X5�m$�$���&b3@�gQlVxRB-)K`RJ��z+L9(ن��xG*(u��[BI<ŷ`�-<�>,"���7ϒeքzLT zZ���v,0%^z'Oޒ{ƾ(� ;C����Am{';*lٹs˜0L1Д8ڶ2COA#t
+�e[b ��O"�C24A��nخ;O�q^G��3>Ƌ�rx{Ko�^bkSsD%:Ɛ�9-���)0�p,\f�tG��6�A�|�eK��x7[죗�iOHJ��D O.y*hl'`��wDl
.3��*/]F
hWa!*e;6K((Xp^GAt=nS�w6E}�2\�P�G�x
ky�f�ŧ�+o[t%(�5x2[v�6
l��~HDZ�Q���Ķ`�:�Vږ*�o|]OK�
]'[٧3�й?-{�W/���e[���]p�,�{ �QFb�f]s�hՆG���0ޏq7�P�l@��xS
bz
��G�m;q�r2M�9���QmS-ন-]?X71Ȟ|uu
۲|ږa=t�k��s�`CΜ6�U �
�=[=�܋;}C\��:1F`묞
lI12��,�$8jVI�;;a0��&iE-㨤t`C
v�_ʉ~ph[?�҈Y>A� wVǰ�YF!Ƨ7�'T�S*�4.>ϭn/]2�xDh^"�@xKplw6�k+�Ѐ7H>Y[PE"�1ԝhI|ԃ!�gnh�k݄��6L���]9,M��clR�c9z?�γ`=�dZ>�]x�
��gW�P
X�-~�/
�d'kI���G�
)�}�ɦb�nԌaBfb�v��L$g�8%�S^��|�,/�A,LTT��/D4;NB}aE�t1GtFW3.r�W���bMd�rZ�k'oY�I'4g_yH%L=Sw=
AFk+O�(QF2p_Q|9\`֍�^z
|
Network Security & Hardware 
