Web browsers remain a target for security exploits by hackers, even as browser makers keep watch for Web application vulnerabilities. A report from Cenzic as well as the exploitation of Apple Safari, Mozilla Firefox and Microsoft Internet Explorer during the recent Pwn2Own contest at CanSecWest underscore the need to keep bolstering browser security.
Internet Explorer 8 to Apple Safari,
browsers have taken a bit of a public beating the week of March 16. Even as
hackers continue to focus most of their attention on Web applications, exploits
targeting the browser always make juicy tidbits for black hats.
Web Application Security Trends Report,
(PDF) released March 18, the vulnerability
assessment and risk management software company found that there was 7 percent
increase in the number of browser
in the second half of 2008. Microsoft Internet Explorer accounted
for 43 percent of that total, with Mozilla Firefox following closely with 39
percent. Apple Safari and Opera Software's Opera browser accounted for 10 and 8
Then there was the Pwn2Own contest. Hosted by TippingPoint, the annual hacking
event at CanSecWest
this year saw security on IE, Safari and Firefox all go
down for the count.
With all this as a backdrop, it should be noted that browser security in
general is improving, some researchers said. The past few years have seen an
increasing amount of security
built into browsers,
ranging from IE
8's cross-site scripting filter to the sandboxing in Google Chrome, which
Charlie Miller, one of the prize winners at the 2009 Pwn2Own event, said limits
the amount of damage that can be done.
"Most vendors have become [resigned] to the fact that bugs will always
exist," said Miller, an analyst with Independent Security Evaluators.
"That means what is left is making it impossible to exploit the
vulnerabilities and do malicious acts. So sandboxing is another hurdle the bad
guy will have to get through."
Anti-phishing features in the major browsers have also helped make them more
secure. But that can be augmented with whitelisting services, Gartner analyst
John Pescatore said.
"[In addition,] businesses really, really, really need a way to tell if
a human is operating the browser, or is this connection coming from a spider or
botnet client or screen-scraper," Pescatore said. "The browser guys
could work with the Web app server-Microsoft and Apache ... to come up with some
way of the browser declaring 'a local keyboard is operating me' would be a huge
help [in] fighting automated fraud."
Still, efforts to authenticate active code such as IE's Authenticode, wean
users off using cookies to remember user names and passwords, or detect
pass-through attacks such as buffer overflows have not met with broad success,
said Eric Ogren, principal analyst with The Ogren Group. The fundamental
problem is the standard usability versus security argument.
"Browsers have to serve so many needs that their attack surfaces are
exceptionally difficult to secure," Ogren said. "The biggest problem
is that classic security techniques constrain the user experience to the point
where the browser will not be used."