Vulnerabilities / Threats
9/27/2011
04:40 PM
Connect Directly
RSS
E-Mail
50%
50%

Outdated Browsers Leave Many Enterprises Vulnerable To Attack

Despite efforts to get users to update browsers, the search for better security only begins with a patch

Starting this month, a host of popular Web sites will warn users who are surfing the Web on outdated browsers. The effort, spearheaded by the Online Trust Alliance, aims to move the low-hanging fruit of easy-to-attack legacy browsers a little bit higher.

To protect against attacks, companies need to deploy a wide range of defensive strategies, and an efficient patching cycle is a good first step. Many companies fail to use up-to-date browsers for fear of breaking compatibility with a critical enterprise application. Currently, Internet Explorer 6 -- an easy target for attackers -- is still used by nearly 10 percent of Web visitors, a greater proportion of visitors than those who use the latest, most secure Microsoft browser, Internet Explorer 9, according to NetMarketShare.

"Clearly, businesses need to move off of IE 6 and IE7," says Craig Spiezle, president and executive director of the Online Trust Alliance. "And they need to move off as quickly as possible because the browser is the first line of defense."

The OTA initiative, dubbed "Why Your Browser Matters," aims to increase the visibility of out-of-date browsers in an attempt to get more people and organizations to upgrade to the latest, and ostensibly the most secure, versions.

Dealing with the patching issue will not be easy, says Rik Ferguson, director of security research for Trend Micro. Many companies do not have a good patching process in place and are concerned that updating will break tenuous IT connections.

While the OTA initiative is a good first step, experts managing vulnerable browsers only starts with a patch. Attackers are more often exploiting flawed plug-ins, not just the browser software. Adobe Reader and Flash, Oracle's Java, and other browser enhancements have become prime targets for malicious code, Ferguson says.

"Many attacks come through the browser -- but it is not just because the browser it is out of date. It is because the plug-ins are out of date," he says.

Businesses hoping to protect their users need to move beyond just patching the browsers and deploy defense in-depth, experts say. Unpatched plug-ins and attacks for which there is no patch are still common problems.

An attack on Pacific Northwest National Laboratories is a case in point. An attacker compromised PNNL's public-facing Web site, installing a zero-day exploit for Adobe Flash and compromising not only visitors, but also employees visiting the site. Having an up-to-date browser would not have helped, says Jerry Johnson, chief information officer for PNNL.

"By and large, we are running up-to-date browsers," Johnson says. "Our basic philosophy is that you are going to get hacked, so it is important that you can detect and contain."

The lesson that Johnson took from the attack is that the browser has to be separated from other parts of the operating system and sandboxed. Unfortunately, while browser makers are moving toward sandboxing the software, the plug-ins are not usually contained, he says.

Overall, browsers dramatically increase the attack surface area of a company's information systems, says Anup Ghosh, chief scientist with software security firm Invincea.

"It is not just the browser, but the browser and all the plug-ins and extensions that a company puts on the systems, along with all the operating systems libraries that the browser calls -- that becomes your total attack surface area," Ghosh says. "It is impossible to write a secure browser."

Isolating the browser from the rest of the operating system can mitigate risk, Ghosh states. VMWare's free Player is an example of a product that cordons off the Internet from the rest of the operating system by isolating the browser in a virtual machine. Invincea's own product, Browser Protection, uses a similar technique to start a browser from a clean state each time the user runs the software, preventing malicious code from breaking out. In addition, the software instruments the virtualized instance to detect possible attacks.

However a company decides to add defenses, moving beyond patching is important, says Ghosh.

"By the time you get the patch, the adversaries have typically had one month to exploit it," he says. "Patching is good hygiene, but it is not security."

Have a comment on this story? Please click "Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6117
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

CVE-2014-0174
Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

CVE-2014-3485
Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

CVE-2014-3499
Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

CVE-2014-3503
Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.