Your PC Is Vulnerable Without Browser Protection

By Larry Seltzer  |  Posted 2007-12-05 Print this article Print

Opinion: E-mail used to be the actual vector for threats to the PC, but now it's the browser. Security software is adjusting

Look back at the security news three or four years ago and you'll see a "worm of the week" phenomenon in action. Malware was spread, and botnets created, through e-mail messages. These e-mail messages had attachments and social engineering that attempted to trick the user into running the attachment. This approach is now comparatively rare, I think mostly because it's no longer all that effective. This is partly because users are more conditioned not to click on attachments, and partly because security software got better at blocking them. Even e-mail programs are smart enough, by default, to block executable attachments most of the time. You still see malicious attachments—the Storm worm used them a lot—but they aren't the main form of attack. For a couple of years now, the threats that infect PCs are not directly mail-borne, but indirectly so. You probably get a lot of spam that includes a Web link and some text attempting to get you to click on it. With many of these, click on the link and the site will attempt to infect you through a variety of vulnerabilities in the browser, Windows, Java, whatever they can do. Finally, if no back door attack is available, they may just try to get you to run an executable.
The other common way malware writers get you to run their programs is to poison search engine results with links to infection pages, often hosted on compromised legitimate Web sites.
With many of the browser vulnerability attacks, conventional PC security software is of no help. At the very least, your system will be compromised until it reboots. Many attacks conducted in this way will be seen by the PC security software when their files hit the file system, but you can't assume that it will, especially since signature-based defense fails fairly often from new variants of the attacks. Larry Seltzer thinks that the real security problem browsers face is people running old versions. Click here to read more. The answer is for security software to take another approach, protecting the browser. Many programs began to do this years ago, incorporating what is generally known as HIPS (Host Intrusion Protection Software). HIPS is designed to work once a program has already slipped through the outer layers of system security and executed. It monitors the execution of the system for suspicious behaviors. Usually they look for any buffer overflow, as these are always wrong and often a sign of an attempt to compromise the system. Windows HIPS systems often look specifically at the browser, and Internet Explorer in particular, because that's where the attacks are. Symantec's Browser Defender technology in the 2008 editions of their Norton Antivirus and Norton Internet Security products are examples of browser HIPS. They look specifically at calls from IE code into ActiveX controls, a common method of attack, as many of these controls have vulnerabilities. Symantec actually wrote a new definition system for these attacks. A better way to protect the browser is the method used by Exploit Prevention Labs, just acquired by AVG Software. Their LinkScanner products monitor network traffic looking for malicious behavior before it executes. The nature of the beast dictates that this is generally HTTP traffic. Where it's best to do so, LinkScanner can block connections at the IP or domain name level, which makes it useful against fast flux networks. But mostly it uses signatures and heuristics to look for the behavior before it gets into the system. The fact that it operates outside the execution environment makes it complementary to HIPS, not necessarily competitive with it. Layering has always been a good approach to security, because no approach is perfect. Grisoft is mostly famous for its very popular free antivirus, but they are a big company in any event, with 60 million active users. Now they have a great tool that can qualitatively improve the security of the Internet experience for their users. The bar has been raised. Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's blog Cheap Hack More from Larry Seltzer
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel