
Outdated Browsers Leave Many Enterprises Vulnerable To Attack

Despite efforts to get users to update browsers, the search for better security only begins with a patch

Sep 27, 2011 | 04:40 PM | 

By Robert Lemos, Contributing Editor
Dark Reading


Starting this month, a host of popular Web sites will warn users who are surfing the Web on outdated browsers. The effort, spearheaded by the Online Trust Alliance, aims to move the low-hanging fruit of easy-to-attack legacy browsers a little bit higher.

To protect against attacks, companies need to deploy a wide range of defensive strategies, and an efficient patching cycle is a good first step. Many companies fail to use up-to-date browsers for fear of breaking compatibility with a critical enterprise application. Currently, Internet Explorer 6 -- an easy target for attackers -- is still used by nearly 10 percent of Web visitors, a greater proportion of visitors than those who use the latest, most secure Microsoft browser, Internet Explorer 9, according to NetMarketShare.

"Clearly, businesses need to move off of IE 6 and IE 7," says Craig Spiezle, president and executive director of the Online Trust Alliance. "And they need to move off as quickly as possible because the browser is the first line of defense."

The OTA initiative, dubbed "Why Your Browser Matters," aims to increase the visibility of out-of-date browsers in an attempt to get more people and organizations to upgrade to the latest, and ostensibly the most secure, versions.
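The warning the article describes depends on a site recognizing an outdated browser from what the client sends. The following is an added example, not code from the article, the OTA initiative, or any of the sites taking part in it: it classifies a User-Agent string and decides whether an "upgrade your browser" notice should be shown. The version thresholds and the sample User-Agent strings are constructed for illustration. The one caveat worth showing in code is Internet Explorer's Compatibility View, in which IE 8 and IE 9 report "MSIE 7.0" but still carry a Trident engine token that identifies the real version; a naive check would nag those users to upgrade a browser that is already current.

```javascript
// Added example (assumed thresholds, constructed inputs); not from the article
// or the OTA "Why Your Browser Matters" programme.

// Lowest major version per family that does NOT trigger the warning (assumed).
const MIN_VERSION = { ie: 8, firefox: 6, chrome: 13, safari: 5, opera: 11 };

// Trident engine token -> real IE major version. The token was introduced with
// IE 8 (Trident/4.0), so its presence overrides whatever "MSIE x.0" claims.
const TRIDENT_TO_IE = { 4: 8, 5: 9, 6: 10, 7: 11 };

// Constructed sample User-Agent strings (not captured from real traffic).
const SAMPLE_UAS = {
  ie6:        'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)',
  ie8compat:  'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)',
  ie9:        'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)',
  firefox36:  'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.22) Gecko/20110902 Firefox/3.6.22',
  chrome14:   'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1',
  safari51:   'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_1) AppleWebKit/534.48.3 (KHTML, like Gecko) Version/5.1 Safari/534.48.3',
  opera1151:  'Opera/9.80 (Windows NT 6.1; U; en) Presto/2.9.168 Version/11.51',
  unknown:    'curl/7.21.0',
};

// Returns { family, major, compatView }. major is null when unrecognized.
function parseUserAgent(ua) {
  let m;
  // Opera first: old Opera builds also carry an "MSIE" token to masquerade as IE.
  if (/\bOpera\b/.test(ua)) {
    m = /Version\/(\d+)/.exec(ua) || /Opera[\/ ](\d+)/.exec(ua);
    return { family: 'opera', major: m ? Number(m[1]) : null, compatView: false };
  }
  const msie = /MSIE (\d+)\./.exec(ua);
  const trident = /Trident\/(\d+)\./.exec(ua);
  if (msie || trident) {
    const claimed = msie ? Number(msie[1]) : null;
    const real = trident && TRIDENT_TO_IE[trident[1]] ? TRIDENT_TO_IE[trident[1]] : claimed;
    // Compatibility View: engine is newer than the version the MSIE token claims.
    const compatView = claimed !== null && real !== null && claimed < real;
    return { family: 'ie', major: real, compatView };
  }
  if ((m = /Firefox\/(\d+)/.exec(ua))) return { family: 'firefox', major: Number(m[1]), compatView: false };
  // Chrome must be tested before Safari: Chrome's UA also contains "Safari/".
  if ((m = /Chrome\/(\d+)/.exec(ua))) return { family: 'chrome', major: Number(m[1]), compatView: false };
  if (/Safari\//.test(ua) && (m = /Version\/(\d+)/.exec(ua))) return { family: 'safari', major: Number(m[1]), compatView: false };
  return { family: 'unknown', major: null, compatView: false };
}

// Decide whether to show the notice. Unrecognized agents are left alone rather
// than nagged: a wrong warning trains users to ignore the banner.
function checkBrowser(ua) {
  const b = parseUserAgent(ua);
  if (b.major === null) return Object.assign({ outdated: false, message: null }, b);
  const min = MIN_VERSION[b.family];
  const outdated = b.major < min;
  const message = outdated
    ? `Your browser (${b.family} ${b.major}) is out of date; please upgrade to version ${min} or later.`
    : null;
  return Object.assign({ outdated, message }, b);
}

// Stand-alone demo over the constructed samples.
for (const [name, ua] of Object.entries(SAMPLE_UAS)) {
  const r = checkBrowser(ua);
  console.log(`${name.padEnd(10)} ${r.family}/${r.major} compatView=${r.compatView} outdated=${r.outdated}`);
}

module.exports = { MIN_VERSION, SAMPLE_UAS, parseUserAgent, checkBrowser };
```

The User-Agent header is entirely under the client's control, so a check like this is a usability nudge, not a security control: it must never gate anything the server relies on, and an attacker targeting an IE 6 user will not be deterred by a banner the user can dismiss.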

Dealing with the patching issue will not be easy, says Rik Ferguson, director of security research for Trend Micro. Many companies do not have a good patching process in place and are concerned that updating will break tenuous IT connections.

While the OTA initiative is a good first step, experts say that managing vulnerable browsers only starts with a patch. Attackers more often exploit flawed plug-ins than the browser software itself. Adobe Reader and Flash, Oracle's Java, and other browser add-ons have become prime targets for malicious code, Ferguson says.

"Many attacks come through the browser -- but it is not just because the browser is out of date. It is because the plug-ins are out of date," he says.

Businesses hoping to protect their users need to move beyond just patching the browsers and deploy defense in-depth, experts say. Unpatched plug-ins and attacks for which there is no patch are still common problems.

An attack on Pacific Northwest National Laboratory is a case in point. An attacker compromised PNNL's public-facing Web site, installing a zero-day exploit for Adobe Flash and compromising not only outside visitors, but also employees visiting the site. Having an up-to-date browser would not have helped, says Jerry Johnson, chief information officer for PNNL.

"By and large, we are running up-to-date browsers," Johnson says. "Our basic philosophy is that you are going to get hacked, so it is important that you can detect and contain."

The lesson that Johnson took from the attack is that the browser has to be separated from other parts of the operating system and sandboxed. Unfortunately, while browser makers are moving toward sandboxing the software, the plug-ins are not usually contained, he says.

Overall, browsers dramatically increase the attack surface area of a company's information systems, says Anup Ghosh, chief scientist with software security firm Invincea.

"It is not just the browser, but the browser and all the plug-ins and extensions that a company puts on the systems, along with all the operating systems libraries that the browser calls -- that becomes your total attack surface area," Ghosh says. "It is impossible to write a secure browser."

Isolating the browser from the rest of the operating system can mitigate risk, Ghosh states. VMware's free Player is an example of a product that cordons off the Internet from the rest of the operating system by isolating the browser in a virtual machine. Invincea's own product, Browser Protection, uses a similar technique to start a browser from a clean state each time the user runs the software, preventing malicious code from persisting or breaking out. In addition, the software instruments the virtualized instance to detect possible attacks.

However a company decides to add defenses, moving beyond patching is important, says Ghosh.

"By the time you get the patch, the adversaries have typically had one month to exploit it," he says. "Patching is good hygiene, but it is not security."
