Browser Plug-In Vulns The Endpoint's Weakest Link

Online infections, exploit kit damage wreaked due to poor browser plug-in hygiene

Despite all of the attention given to zero-day attacks and system vulnerabilities, the typical exploit assaulting enterprise endpoints actually looks for a much easier attack vector to launch attacks. In more cases than not, the application used to access the Web is also the one most online attackers will target. That's because most attackers and online exploit kit designers realize that the common browser is usually an endpoint's weakest link. Not only are enterprises generally slow to keep up with browser patching, they're downright sluggish at updating plug-ins and extensions.

"Enterprises tend to have reasonable control over patching at the OS and browser level, but ask the average CISO for a report on browser plug-ins installed in the organization, and they won't know where to begin," says Michael Sutton, vice president of security research for cloud security vendor Zscaler. "Attackers know this all too well."

According to Sutton, his team's research has found that plug-ins for Adobe Reader, Adobe Flash, and Oracle Java tend to be the top targets for browser exploit kits today, a claim that dozens of other security researchers will vouch for. According to the most recent Cisco 2013 Annual Security Report, Java exploits accounted for 87 percent of all Web exploits. And anecdotal evidence in the news daily bolsters the proof of plug-in dangers.

[Are you building enough layers in your endpoint security strategy? See Endpoint Security: End user security requires layers of tools and training as employees use more devices and apps.]

Take, for example, news of the latest exploit kit making the rounds: Styx. First blown open by Krebs on Security earlier in the week, Styx is being offered for license for $3,000. Current research shows that Styx depends on just four vulnerabilities to do its dirty work, and three of those are Java exploits.

Attackers don't really need to go through the expense of discovering zero-days when they can have a field day exploiting the old browser vulnerabilities sitting unpatched on most endpoints today. According to the most recent Symantec Internet Security Threat Report 2013, though the rate of discovery of Web vulnerabilities increased by only 6 percent last year, the rate of attacks from compromised websites went up by 30 percent.

According to Patrick Thomas, security consultant for Neohapsis, the two- to three-month patch cycle that most organizations have developed for endpoint environments is simply not fast enough to keep up with exploit kits developed to take advantage of browser and plug-in vulnerabilities. Enterprises have to adapt their practices to account for this Achilles' heel in the endpoint ecosystem.

"Don't fear the auto-update -- these aren't the dark ages anymore. Modern browsers have the ability to self-update; require it to be enabled," Thomas says. "Include browsers in patch reports and make sure that alternate browsers are considered in your enterprise patch management. Finally, include browser extensions and plug-ins in patching strategy."

Organizations that truly want to reduce their risks should consider more drastic measures, including completely uninstalling the most widely attacked plug-ins.

"I'd suggest that, unless you have a pressing need for a business application that requires Java, uninstall it completely from any Windows computer you use," says Andrew Brandt, director of threat research at Solera Networks, a Blue Coat company. "Even though these attacks spawn a pop-up message from Java asking for permission to execute the malicious JAR, in many cases it's too hard to tell from which browser window the pop-ups originate."

Similarly, organizations could limit how scripts run within browsers. For example, using something like Firefox's No-Script plug-in could limit the browser's attack surface. And disabling JavaScript within PDFs loaded in the browser could also reduce risks.

"The other application most frequently targeted for exploitation during an attack is Adobe Reader," Brandt says. "The most current updates to Reader make this a far less risky application, but you can also disable JavaScript within PDF files using an option in the Settings dialogue within the program. Doing so eliminates the vast majority of the risk associated with this program."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Ericka Chickowski, Contributing Writer

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights