Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Vulnerability Management

2/2/2015
03:45 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Browsers Are The Window To Enterprise Infection

Ponemon report says infections dominated by browser-based exploits.

The enterprise malware problem is largely an enterprise browser insecurity problem, according to a report out today by the Ponemon Institute. The study showed that on average, a user's insecure web browser caused 55 percent of malware infections in the past year and that almost all respondents believe their existing security tools aren't capable of completely detecting web-borne malware.

“The findings of this research reveal that current solutions are not stopping the growth of web-borne malware,” said Dr. Larry Ponemon, chairman and founder of Ponemon Institute. “Almost all IT practitioners in our study agree that their existing security tools are not capable of completely detecting web-borne malware and the insecure web browser is a primary attack vector."

According to a quarter of the enterprise surveyed in the report said 76 to 100 percent of malware infections were caused by insecure web browsers and 69 percent of IT and security professionals believe that browser-borne malware is a more significant threat than a year ago. This puts them in a difficult position, as many security solutions designed to address the problem are still letting malware through.

Approximately half of organizations say that web-borne malware was able to bypass their layered firewall defense and even 38 percent reported that sandboxing and content analysis engines still let web-borne malware through.

However, many organizations face an uphill struggle in isolating risks at the browser level. At the fundamental level, there's simply the issue of inertia. Approximately 65 percent of IT pros reported that overcoming psychological dependency upon traditional detection methods keeps them entrenched in the old mode of protection.

To some degree, many enterprises are still largely dependent on the progress that the major browser security vendors have been making within their products. According to Secunia, in 2014 there was a 19 percent decrease in the number of vulnerabilities discovered in Google Chrome, Mozilla Firefox, Internet Explorer, Opera, and Safari. For its part, Google announced last week that it has been able to more effectively harden Chrome through its bug bounty program.  In 2014 it paid $1.5 million to researchers and rewarded them for finding more than 500 bugs across all of its portfolio. According to Google, in its first update to Chrome this year, 26 of the 62 flaws it fixed in the browser were found through external researchers, whom Google paid over $88,000 for the help. 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
mpalmer60601
50%
50%
mpalmer60601,
User Rank: Apprentice
2/10/2015 | 12:27:29 PM
Re: Ridicoulous
100% agree.
gd2009
50%
50%
gd2009,
User Rank: Apprentice
2/10/2015 | 9:34:24 AM
Ridicoulous
This is a ridicoulous PAper  if you can call it that ! I mean really 4 paragrahs to tell me something  i already know? that most Malware comes thru a browser.

I was expecting to see industry options to deal with the problem noit how much google or muicrosoft spends to fix bugs!
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/9/2015 | 10:25:08 AM
Re: Glass is half full
You know, Google gets a lot of the praise and Microsoft gets a lot of the scorn from the tech press about these security issues, but Google seems to have a nasty habit of pulling arrogant garbage like insisting their Chromebooks are impervious to viruses (a ridiculous claim anyway) even when Kaspersky reports otherwise, and releasing MSFT zero-day vulnerabilities without giving MSFT a heads up or chance to fix them.  Compare MSFT, which has a six-year history of privately reporting bugs to software developers through its vulnerability research program, according other browser companies like Opera Software and even Google (turning the other cheek) the chance to fix their problems before the bad guys catch wind.
macker490
50%
50%
macker490,
User Rank: Ninja
2/6/2015 | 9:55:21 AM
more accurately: Executable Documents
It's not just browsers: any program that can open an executable document is a potential problem.    this includes programs such as WORD and EXCEL that process scripts and macros -- in addition to activating servere problem software particularly Adobe/Flash.   e/mail is often used as a vector for transporting "trojans":  consider software which can AUTHENTICATE e/mail messages: i.e. verify the sender is who he says he is. and insure the message content has not been tampered with. Think: PGP/GnuPG.   They are not that hard -- if you try them out for yourself.

2015 will be "more of the same" as far as hacking goes -- unless we face the problem and change what's wrong.

start with a secure operating system: one which will not allow itself to be affected by an application program.  Something that does not require a dozen or so CVE patches every month.

next: work on isolation: think: "named spaces".   it is key to restrict an application program from using YOUR credentials -- plus instructions from an "executable document" -- to do what it wants with all the data you have access to -- on your desktop and on into your network connections

some earlier software, perforce, must be kept in service.   again: think : isolation.   work on multiple intranets such that vultnerable systems do not have open internet exposure -- or -- even exposure to your intranets which have open internet exposure.

remember: if you e/mail an executable document from one machine to another -- possibly from one intranet to another -- there is the potential to carry a trojan with that document

think: sanitation.   don't take any just any input data,-- clean it up.   ever since the IBM punch-card we had to clean up input data before we could process it.   sure,-- it's expensive.   but it's cheaper than getting hacked.
jaingverda
100%
0%
jaingverda,
User Rank: Moderator
2/3/2015 | 4:29:34 PM
Shocking not
This really doesn't suprise me at all. When you have big business that refuses to update their custom software off of the older versions of internet explorer. I mean how many times do you go into a business and see the staff still running ie 8 or 9 or heaven forbid ie 7. This type of corprate culture is just a by product of the if it works don't change it til it becomes a net loss for us in terms of profit. Maybe if more companies would pay attention to security and how much damage they face if they do get hacked in terms of lost time, revenue and brand recognition it might force these businesses to upgrade once in a while. I don't know how many times I've heard over the years oh it still is working fine for what I need it to and my employees know better than do anything but work on these machines.
aws0513
100%
0%
aws0513,
User Rank: Ninja
2/3/2015 | 8:58:18 AM
This is a trend that been demonstrated
The Pwn2Own contests have demonstrated the weaknesses in browsers repeatedly over the years.  So this information a further confirmation of the weakness trend.
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
2/3/2015 | 8:40:23 AM
Glass is half full
It's reassuring to hear that the bug bounty programs are working (at least at Google), and that the major browsers companies are paying attention to the problem. 
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
2/3/2015 | 3:19:49 AM
Unsurprising but informative
Completely unsurprising when you think about it (what else would be the optimal end user software to infect and attack?), but it's nice to have the numbers -- the very, very high numbers -- behind it so we can better deal with the threats.
pcdoctorny
100%
0%
pcdoctorny,
User Rank: Apprentice
2/2/2015 | 4:42:50 PM
Getting Infections from the Browser?
In terms of IT inertia I have seen in my experience that most of IT people setup networks to use Internet explorer by default, without installing security plugins on more developed browsers such as Firefox and Chrome.

In addition, the fact that a corporate company may have to use its own DNS is indicative of a stale situation that does not keep up with the fast spread of malware.
Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
Robert Lemos, Contributing Writer,  2/20/2020
Ransomware Damage Hit $11.5B in 2019
Dark Reading Staff 2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17274
PUBLISHED: 2020-02-26
NetApp FAS 8300/8700 and AFF A400 Baseboard Management Controller (BMC) firmware versions 13.x prior to 13.1P1 were shipped with a default account enabled that could allow unauthorized arbitrary command execution via local access.
CVE-2019-17275
PUBLISHED: 2020-02-26
OnCommand Cloud Manager versions prior to 3.8.0 are susceptible to arbitrary code execution by remote attackers.
CVE-2020-3169
PUBLISHED: 2020-02-26
A vulnerability in the CLI of Cisco FXOS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying Linux operating system with a privilege level of root on an affected device. The vulnerability is due to insufficient validation of arguments passed to a spe...
CVE-2020-3170
PUBLISHED: 2020-02-26
A vulnerability in the NX-API feature of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause an NX-API system process to unexpectedly restart. The vulnerability is due to incorrect validation of the HTTP header of a request that is sent to the NX-API. An attacker could expl...
CVE-2020-3171
PUBLISHED: 2020-02-26
A vulnerability in the local management (local-mgmt) CLI of Cisco FXOS Software and Cisco UCS Manager Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system (OS) of an affected device. The vulnerability is due to insufficient input vali...