A new research paper put together by researchers from Google, IBM and CENL (the Computer Engineering and Networks Laboratory) puts some serious weight behind a concept that has become all too familiar to many of us following the world of IT security on a daily basis — that is, that Web browsers have become the primary target for much of the nefarious hacking and malware activity we see.
The report, dubbed “Understanding the Web browser threat: Examination of vulnerable online Web browser populations and the insecurity iceberg” (authored by Stefan Frei and Martin May of CENL, along with Thomas DÃ¼bendorfer of Google and Gunter Ollmann of IBM) outlines the continued progression of attacks from the operating system level over to browsing technologies.
Moving to take advantage of holes in browsers themselves, and the many plug-in technologies commonly used astride the applications, “profit-motivated cyber-criminals have rapidly adopted Web browser exploitation as a key vector for malware installation,” the researchers concluded.
Such vulnerabilities in Internet Explorer, Safari, Opera and Firefox have left an overwhelming majority of estimated 640 million or so people using those programs in the crosshairs of such attacks, and there’s no reason to think that the problem won’t continue to proliferate as the technologies become more complex and even more people worldwide begin to use the ubiquitous browsers, the experts maintain.
Among the most popular methods of attack will be drive-bys and infected downloads offered via legitimate Web sites that hackers have been somehow able to subvert, according to the report.
One of the biggest contributors to the problem will be people’s seeming unwillingness to remain vigilant about updating to the latest versions of their browsers.
And while the report doesn’t necessarily demonize users for failing to do so, you have to wonder how practical it really is to expect the average user to update so aggressively.
While many of us will spend the better part of our adult lives sitting at computers, and more specifically keeping our eyes trained on the cyber-crime ecosystem, can we really expect people who do not to constantly remember to go download new software releases?
According to the researchers, “at most 83.3 percent of Firefox users, 65.3 percent of Safari users, 56.1 percent of Opera users and 47.6 percent of Internet Explorer users were using the latest, most secure browser version on any day between January 2007 [and] June 2008.”
The Firefox number is actually quite surprising. The idea that less than 50 percent of the estimated 577 million people using IE are not on current versions really is not. Firefox users tend to be more technically savvy, as many have specifically sought out the browsers for themselves. Most of the people using IE have it installed on their machines by default.
But would you care to use your automobile as much if every time you started it you had to remap your fuel injectors? Would you still start it up and drive it without doing so if it would still get you where you were trying to go anyway?
Now tell me, when was the last time you changed your oil right at 3,000 miles?
The Internet and browsing technologies as we know them are broken from a security standpoint and it remains unclear how and when this problem will ever be remedied.
Auto-update browser features can help, the experts maintain, but another vital tool will be URL filters such as McAfee’s SiteAdvisor and Harvard Law School’s Stopbadware.org interstitials, delivered alongside Google results.
Various search engines, ISPs and technology providers need to do a better job of teaming to identify and share data on poisoned URLs, the report recommended.
Users should also be more frequently warned of the perils of surfing without first considering security risks, the report said, much as food items are marked with information on potential spoilage:
“Given the state of the software industry and the growing threat of exploitable vulnerabilities within all applications (not just Web browsers), we believe that the establishment of a “best before” date for all new software releases could prove an invaluable means to educating the user to patch or “refresh” their software applications. The same “best before” date information could also be leveraged by Internet businesses to help evaluate or mitigate the risk of customers who are using out of date software and are consequently at a higher risk of having been compromised.“
But do you really check the “born on date” on your beer or the “sell by” date on your milk if the said items don’t first smell or taste funny? A mouthful of spoilt milk can be spit in the sink, but once your machine gets owned, isn’t it pretty much always game over?
Maybe we can build computers that emit gas-like scents when they suspect you’re about to hit a nasty site. On second thought, people will probably just assume it’s the person in the next cube over and keep on surfing away.
The paper makes some nice points and helpful suggestions such as the idea of an industry standard method of warning users when they might be going somewhere dangerous online, and perhaps they may indeed aid in solving the aforementioned problems.
But, let’s face it, until someone figures out a way to build better browser, stronger Web sites and to track down the real bad guys and punish them, we as an IT security industry are merely spitting on a raging forest fire.
Hope you updated your browser before reading this.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWEEK and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.