Endpoint
7/12/2013
02:06 PM
Browser Plug-In Vulns The Endpoint's Weakest Link

Online infections, exploit kit damage wreaked due to poor browser plug-in hygiene

Despite all of the attention given to zero-day attacks and system vulnerabilities, the typical exploit assaulting enterprise endpoints actually goes after a much easier attack vector. More often than not, the application used to access the Web is also the one most online attackers target. That's because most attackers and online exploit kit designers realize that the common browser is usually an endpoint's weakest link. Not only are enterprises generally slow to keep up with browser patching, they're downright sluggish at updating plug-ins and extensions.

"Enterprises tend to have reasonable control over patching at the OS and browser level, but ask the average CISO for a report on browser plug-ins installed in the organization, and they won't know where to begin," says Michael Sutton, vice president of security research for cloud security vendor Zscaler. "Attackers know this all too well."

According to Sutton, his team's research has found that plug-ins for Adobe Reader, Adobe Flash, and Oracle Java tend to be the top targets for browser exploit kits today, a claim that dozens of other security researchers will vouch for. According to the most recent Cisco 2013 Annual Security Report, Java exploits accounted for 87 percent of all Web exploits. And anecdotal evidence in the news daily bolsters the proof of plug-in dangers.


Take, for example, news of the latest exploit kit making the rounds: Styx. First blown open by Krebs on Security earlier in the week, Styx is being offered for license for $3,000. Current research shows that Styx depends on just four vulnerabilities to do its dirty work, and three of those are Java exploits.

Attackers don't really need to go through the expense of discovering zero-days when they can have a field day exploiting the old browser vulnerabilities sitting unpatched on most endpoints today. According to the most recent Symantec Internet Security Threat Report 2013, though the rate of discovery of Web vulnerabilities increased by only 6 percent last year, the rate of attacks from compromised websites went up by 30 percent.

According to Patrick Thomas, security consultant for Neohapsis, the two- to three-month patch cycle that most organizations have developed for endpoint environments is simply not fast enough to keep up with exploit kits developed to take advantage of browser and plug-in vulnerabilities. Enterprises have to adapt their practices to account for this Achilles' heel in the endpoint ecosystem.

"Don't fear the auto-update -- these aren't the dark ages anymore. Modern browsers have the ability to self-update; require it to be enabled," Thomas says. "Include browsers in patch reports and make sure that alternate browsers are considered in your enterprise patch management. Finally, include browser extensions and plug-ins in patching strategy."

Organizations that truly want to reduce their risks should consider more drastic measures, including completely uninstalling the most widely attacked plug-ins.

"I'd suggest that, unless you have a pressing need for a business application that requires Java, uninstall it completely from any Windows computer you use," says Andrew Brandt, director of threat research at Solera Networks, a Blue Coat company. "Even though these attacks spawn a pop-up message from Java asking for permission to execute the malicious JAR, in many cases it's too hard to tell from which browser window the pop-ups originate."

Similarly, organizations could limit how scripts run within browsers. For example, using something like Firefox's NoScript extension could limit the browser's attack surface. And disabling JavaScript within PDFs loaded in the browser could also reduce risk.

"The other application most frequently targeted for exploitation during an attack is Adobe Reader," Brandt says. "The most current updates to Reader make this a far less risky application, but you can also disable JavaScript within PDF files using an option in the Settings dialogue within the program. Doing so eliminates the vast majority of the risk associated with this program."
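As an added example (not from the article or from any of the vendors quoted), the following PowerShell script does on a single Windows endpoint what Thomas and Brandt recommend: it pulls the installed versions of the three most-targeted plug-ins from the Uninstall registry keys so they can be fed into patch reports, and it checks whether Adobe Reader's JavaScript option is turned off. The Reader version segment in the registry path (11.0) and the product-name patterns are assumptions; adjust them for the products deployed in your fleet.

```powershell
# Added example: inventory the most-targeted browser plug-ins on a Windows
# endpoint and check Adobe Reader's JavaScript setting. Not the article's code.

# Both the 64-bit and 32-bit (WOW6432Node) uninstall hives; plug-ins are usually 32-bit.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Display-name patterns for the plug-ins the article names as top exploit-kit targets.
# These patterns are assumptions; tighten them to the product names in your environment.
$targets = @{
    'Java'        = '^Java(\(TM\))?\s+\d+\s+Update'
    'Flash'       = '^Adobe Flash Player'
    'AdobeReader' = '^Adobe (Reader|Acrobat Reader)'
}

function Get-PluginInventory {
    $installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName }
    foreach ($name in $targets.Keys) {
        $hits = $installed | Where-Object { $_.DisplayName -match $targets[$name] }
        if (-not $hits) {
            [pscustomobject]@{ Plugin = $name; DisplayName = '(not installed)'; Version = '' }
            continue
        }
        foreach ($h in $hits) {
            # Several entries for one plug-in usually mean older side-by-side versions were
            # never removed; a stale Java update stays exploitable after a newer one is added.
            [pscustomobject]@{ Plugin = $name; DisplayName = $h.DisplayName; Version = $h.DisplayVersion }
        }
    }
}

function Get-ReaderJavaScriptState {
    # Per-user JavaScript preference for Reader XI; the 11.0 segment is an assumption.
    $key  = 'HKCU:\Software\Adobe\Acrobat Reader\11.0\JSPrefs'
    $pref = Get-ItemProperty -Path $key -Name bEnableJS -ErrorAction SilentlyContinue
    if ($null -eq $pref)       { return 'Reader JavaScript preference not found' }
    if ($pref.bEnableJS -eq 0) { return 'Reader JavaScript disabled' }
    return 'Reader JavaScript ENABLED: disable it under Edit > Preferences > JavaScript'
}

Get-PluginInventory | Format-Table -AutoSize
Get-ReaderJavaScriptState
```

Run it under the user account whose Reader preferences matter, since the JavaScript preference lives in HKCU; the inventory portion only needs read access to HKLM.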

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.