Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Browsers Are The Window To Enterprise Infection
Newest First  |  Oldest First  |  Threaded View
mpalmer60601
50%
50%
mpalmer60601,
User Rank: Apprentice
2/10/2015 | 12:27:29 PM
Re: Ridicoulous
100% agree.
gd2009
50%
50%
gd2009,
User Rank: Apprentice
2/10/2015 | 9:34:24 AM
Ridicoulous
This is a ridicoulous PAper  if you can call it that ! I mean really 4 paragrahs to tell me something  i already know? that most Malware comes thru a browser.

I was expecting to see industry options to deal with the problem noit how much google or muicrosoft spends to fix bugs!
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/9/2015 | 10:25:08 AM
Re: Glass is half full
You know, Google gets a lot of the praise and Microsoft gets a lot of the scorn from the tech press about these security issues, but Google seems to have a nasty habit of pulling arrogant garbage like insisting their Chromebooks are impervious to viruses (a ridiculous claim anyway) even when Kaspersky reports otherwise, and releasing MSFT zero-day vulnerabilities without giving MSFT a heads up or chance to fix them.  Compare MSFT, which has a six-year history of privately reporting bugs to software developers through its vulnerability research program, according other browser companies like Opera Software and even Google (turning the other cheek) the chance to fix their problems before the bad guys catch wind.
macker490
50%
50%
macker490,
User Rank: Ninja
2/6/2015 | 9:55:21 AM
more accurately: Executable Documents
It's not just browsers: any program that can open an executable document is a potential problem.    this includes programs such as WORD and EXCEL that process scripts and macros -- in addition to activating servere problem software particularly Adobe/Flash.   e/mail is often used as a vector for transporting "trojans":  consider software which can AUTHENTICATE e/mail messages: i.e. verify the sender is who he says he is. and insure the message content has not been tampered with. Think: PGP/GnuPG.   They are not that hard -- if you try them out for yourself.

2015 will be "more of the same" as far as hacking goes -- unless we face the problem and change what's wrong.

start with a secure operating system: one which will not allow itself to be affected by an application program.  Something that does not require a dozen or so CVE patches every month.

next: work on isolation: think: "named spaces".   it is key to restrict an application program from using YOUR credentials -- plus instructions from an "executable document" -- to do what it wants with all the data you have access to -- on your desktop and on into your network connections

some earlier software, perforce, must be kept in service.   again: think : isolation.   work on multiple intranets such that vultnerable systems do not have open internet exposure -- or -- even exposure to your intranets which have open internet exposure.

remember: if you e/mail an executable document from one machine to another -- possibly from one intranet to another -- there is the potential to carry a trojan with that document

think: sanitation.   don't take any just any input data,-- clean it up.   ever since the IBM punch-card we had to clean up input data before we could process it.   sure,-- it's expensive.   but it's cheaper than getting hacked.
jaingverda
100%
0%
jaingverda,
User Rank: Moderator
2/3/2015 | 4:29:34 PM
Shocking not
This really doesn't suprise me at all. When you have big business that refuses to update their custom software off of the older versions of internet explorer. I mean how many times do you go into a business and see the staff still running ie 8 or 9 or heaven forbid ie 7. This type of corprate culture is just a by product of the if it works don't change it til it becomes a net loss for us in terms of profit. Maybe if more companies would pay attention to security and how much damage they face if they do get hacked in terms of lost time, revenue and brand recognition it might force these businesses to upgrade once in a while. I don't know how many times I've heard over the years oh it still is working fine for what I need it to and my employees know better than do anything but work on these machines.
aws0513
100%
0%
aws0513,
User Rank: Ninja
2/3/2015 | 8:58:18 AM
This is a trend that been demonstrated
The Pwn2Own contests have demonstrated the weaknesses in browsers repeatedly over the years.  So this information a further confirmation of the weakness trend.
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
2/3/2015 | 8:40:23 AM
Glass is half full
It's reassuring to hear that the bug bounty programs are working (at least at Google), and that the major browsers companies are paying attention to the problem. 
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
2/3/2015 | 3:19:49 AM
Unsurprising but informative
Completely unsurprising when you think about it (what else would be the optimal end user software to infect and attack?), but it's nice to have the numbers -- the very, very high numbers -- behind it so we can better deal with the threats.
pcdoctorny
100%
0%
pcdoctorny,
User Rank: Apprentice
2/2/2015 | 4:42:50 PM
Getting Infections from the Browser?
In terms of IT inertia I have seen in my experience that most of IT people setup networks to use Internet explorer by default, without installing security plugins on more developed browsers such as Firefox and Chrome.

In addition, the fact that a corporate company may have to use its own DNS is indicative of a stale situation that does not keep up with the fast spread of malware.


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Data Breaches Affect the Enterprise
Data breaches continue to cause negative outcomes for companies worldwide. However, many organizations report that major impacts have declined significantly compared with a year ago, suggesting that many have gotten better at containing breach fallout. Download Dark Reading's Report "How Data Breaches Affect the Enterprise" to delve more into this timely topic.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-4020
PUBLISHED: 2021-11-27
janus-gateway is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-23654
PUBLISHED: 2021-11-26
This affects all versions of package html-to-csv. When there is a formula embedded in a HTML page, it gets accepted without any validation and the same would be pushed while converting it into a CSV file. Through this a malicious actor can embed or generate a malicious link or execute commands via C...
CVE-2021-43785
PUBLISHED: 2021-11-26
@joeattardi/emoji-button is a Vanilla JavaScript emoji picker component. In affected versions there are two vectors for XSS attacks: a URL for a custom emoji, and an i18n string. In both of these cases, a value can be crafted such that it can insert a `script` tag into the page and execute malicious...
CVE-2021-43776
PUBLISHED: 2021-11-26
Backstage is an open platform for building developer portals. In affected versions the auth-backend plugin allows a malicious actor to trick another user into visiting a vulnerable URL that executes an XSS attack. This attack can potentially allow the attacker to exfiltrate access tokens or other se...
CVE-2021-41243
PUBLISHED: 2021-11-26
There is a Potential Zip Slip Vulnerability and OS Command Injection Vulnerability on the management system of baserCMS. Users with permissions to upload files may upload crafted zip files which may execute arbitrary commands on the host operating system. This is a vulnerability that needs to be add...