Flash! Firefox No Longer an Automatic Defense Against Browser Drive-Bys

By Larry Seltzer  |  Posted 2008-11-18

Flash! Firefox No Longer an Automatic Defense Against Browser Drive-Bys

The playing field for drive-by exploits through Web browsers appears to be evening these days, thanks to the rise of exploits through third-party controls. The chances of Firefox users being exploited are a lot better than they used to be. This is especially true on Windows Vista.

The latest Microsoft Security Intelligence Report states, and I believe it based on what I've seen on my own and through other vendors, that exploits through third-party controls are the big thing now, saying, "more than 90 percent of vulnerabilities disclosed in 1H08 affected applications, rather than operating systems." Two more interesting and relevant quotes:

  • For browser-based attacks on Windows XP-based machines, Microsoft vulnerabilities accounted for 42 percent of the total. On Windows Vista-based machines, however, the proportion of vulnerabilities attacked in Microsoft software was much smaller, accounting for just 6 percent of the total.
  • Microsoft software accounted for 5 of the top 10 browser-based vulnerabilities attacked on computers running Windows XP in 1H08, compared to zero of the top 10 on computers running Windows Vista.

So Windows and Internet Explorer are a declining factor in the exploitation of users through browsers on XP, and only a very small factor on Vista.

What's filling in the non-Microsoft percentage? Third-party apps, with Adobe Flash as the most important example. There are others, including Acrobat, but Flash exploits, in the form of malicious SWF files, are very common now. Some of them are as simple as redirects to a malicious site that tries to do other things or just to sell you rogue software, but some are full-out buffer overflows in Flash.

It's this latter type of exploit that is especially interesting. As a general rule, a buffer overflow in the Flash ActiveX control for IE should work as well in the Flash plug-in for Firefox. It's all Adobe code being compromised.

It needs to be said here that the most important thing you can do to protect yourself against these attacks is to be aggressive about applying patches for important third-party controls, like Flash and Acrobat. Adobe has gotten much better about bringing out updates and the latest generations of these products also employ mitigations like DEP and ASLR to fight exploitation even if a vulnerability is invoked. As with most other products, the people getting exploited are those running old versions.

I asked a few experts for guidance on this and didn't get as specific an answer as I had wanted. Do such exploits work as well in Firefox? Are Firefox users being exploited through these attacks? I also asked Adobe, which didn't respond.

The experts I talked to agreed that, as a general matter, an exploit for a browser plug-in is as likely to work in one browser as another. In some cases they would work "out of the box." In other cases there may need to be some modifications for each environment.

Researcher Thor Larholm points out that for the case where memory corruption occurs in an image rendering, you may need to calculate heap offsets and partition the memory correctly before triggering the exploit, but it's the same type of work for any browser; in the case of Flash you can do it all in ActionScript. Does anyone do this work, or do they just calculate the IE offsets and hard-code them into the exploit? No answers from anyone; it could be done easily, we just don't know if it is being done.

Other Types of Attacks


Frederick Doyle, director of vulnerability operations at iSight Partners, argues that exploit writers for third-party controls could, on entry, asses their environment, such as the browser and operating system, perhaps even the security context, and proceed based on that information. It's not unlike a lot of JavaScript for Web pages that branches based on the useragent string.

But for many vulnerabilities no accommodations are necessary. Doyle said, "Code developed by iSight Partners Labs that exploited the recent Adobe printf vulnerability successfully triggered in both the IE and FF Adobe plug-ins, as well as Adobe reader and Adobe Acrobat."

It's not exactly the same thing, but I think it's worth mentioning that many social engineering tricks unrelated to vulnerabilities in any program are just as applicable to users of any browser. One popular trick these days is the fake news or some other content site pitched through spam. This example used supposed video of U.S. soldiers fighting in Iran. This one, from the day after the election, supposedly led to election results. In both cases they led to a Trojan horse program.

Often users are told they have to update their Flash viewer or some other viewer program to view the content, and are led to a download for that. Of course they often do carry out the download. Tip: If you want to update Flash, go to the Adobe site to do so.

Another factor that often comes up in these discussions is the difference in user bases for the browsers. IE is the great default, the browser for which any respectable exploit must work, because it has overwhelming market share. The only other browser with noticeable market share is Firefox; you hear numbers up to maybe 20 percent.

We're just stereotyping here, but it makes sense that Firefox users are more likely to be technically sophisticated and appreciative of security concerns. Such users are more likely to update their software religiously, more likely to recognize a scam site when they see it, less likely to fall for a fake error message. But these people push other, less sophisticated users to run Firefox as well; with browser share numbers of 20 percent, clearly there are a lot of novices running Firefox. So perhaps the percentage of users being exploited through third-party controls is larger for IE, but it should be above zero and rising for Firefox.

There are also tools to help Firefox users protect themselves, such as NoScript. I get in fights every time I say this, but I think it's not practical to use NoScript for everyday browsing, especially for a novice. But that's secondary to the main issue. Most Firefox users aren't using NoScript.

With Microsoft and Adobe both doing a better job of fighting vulnerabilities in their own products, it's not surprising, as the Microsoft Security Intelligence Report also finds, that vulnerabilities in software across the industry are declining. This is why social engineering and malware are becoming the real problems. But in the meantime, it makes sense that some of our longstanding biases about product security are not as correct as they might have been at one time.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.

Rocket Fuel