Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Browsers Are The Window To Enterprise Infection
Newest First  |  Oldest First  |  Threaded View
mpalmer60601
50%
50%
mpalmer60601,
User Rank: Apprentice
2/10/2015 | 12:27:29 PM
Re: Ridicoulous
100% agree.
gd2009
50%
50%
gd2009,
User Rank: Apprentice
2/10/2015 | 9:34:24 AM
Ridicoulous
This is a ridicoulous PAper  if you can call it that ! I mean really 4 paragrahs to tell me something  i already know? that most Malware comes thru a browser.

I was expecting to see industry options to deal with the problem noit how much google or muicrosoft spends to fix bugs!
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/9/2015 | 10:25:08 AM
Re: Glass is half full
You know, Google gets a lot of the praise and Microsoft gets a lot of the scorn from the tech press about these security issues, but Google seems to have a nasty habit of pulling arrogant garbage like insisting their Chromebooks are impervious to viruses (a ridiculous claim anyway) even when Kaspersky reports otherwise, and releasing MSFT zero-day vulnerabilities without giving MSFT a heads up or chance to fix them.  Compare MSFT, which has a six-year history of privately reporting bugs to software developers through its vulnerability research program, according other browser companies like Opera Software and even Google (turning the other cheek) the chance to fix their problems before the bad guys catch wind.
macker490
50%
50%
macker490,
User Rank: Ninja
2/6/2015 | 9:55:21 AM
more accurately: Executable Documents
It's not just browsers: any program that can open an executable document is a potential problem.    this includes programs such as WORD and EXCEL that process scripts and macros -- in addition to activating servere problem software particularly Adobe/Flash.   e/mail is often used as a vector for transporting "trojans":  consider software which can AUTHENTICATE e/mail messages: i.e. verify the sender is who he says he is. and insure the message content has not been tampered with. Think: PGP/GnuPG.   They are not that hard -- if you try them out for yourself.

2015 will be "more of the same" as far as hacking goes -- unless we face the problem and change what's wrong.

start with a secure operating system: one which will not allow itself to be affected by an application program.  Something that does not require a dozen or so CVE patches every month.

next: work on isolation: think: "named spaces".   it is key to restrict an application program from using YOUR credentials -- plus instructions from an "executable document" -- to do what it wants with all the data you have access to -- on your desktop and on into your network connections

some earlier software, perforce, must be kept in service.   again: think : isolation.   work on multiple intranets such that vultnerable systems do not have open internet exposure -- or -- even exposure to your intranets which have open internet exposure.

remember: if you e/mail an executable document from one machine to another -- possibly from one intranet to another -- there is the potential to carry a trojan with that document

think: sanitation.   don't take any just any input data,-- clean it up.   ever since the IBM punch-card we had to clean up input data before we could process it.   sure,-- it's expensive.   but it's cheaper than getting hacked.
jaingverda
100%
0%
jaingverda,
User Rank: Moderator
2/3/2015 | 4:29:34 PM
Shocking not
This really doesn't suprise me at all. When you have big business that refuses to update their custom software off of the older versions of internet explorer. I mean how many times do you go into a business and see the staff still running ie 8 or 9 or heaven forbid ie 7. This type of corprate culture is just a by product of the if it works don't change it til it becomes a net loss for us in terms of profit. Maybe if more companies would pay attention to security and how much damage they face if they do get hacked in terms of lost time, revenue and brand recognition it might force these businesses to upgrade once in a while. I don't know how many times I've heard over the years oh it still is working fine for what I need it to and my employees know better than do anything but work on these machines.
aws0513
100%
0%
aws0513,
User Rank: Ninja
2/3/2015 | 8:58:18 AM
This is a trend that been demonstrated
The Pwn2Own contests have demonstrated the weaknesses in browsers repeatedly over the years.  So this information a further confirmation of the weakness trend.
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
2/3/2015 | 8:40:23 AM
Glass is half full
It's reassuring to hear that the bug bounty programs are working (at least at Google), and that the major browsers companies are paying attention to the problem. 
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
2/3/2015 | 3:19:49 AM
Unsurprising but informative
Completely unsurprising when you think about it (what else would be the optimal end user software to infect and attack?), but it's nice to have the numbers -- the very, very high numbers -- behind it so we can better deal with the threats.
pcdoctorny
100%
0%
pcdoctorny,
User Rank: Apprentice
2/2/2015 | 4:42:50 PM
Getting Infections from the Browser?
In terms of IT inertia I have seen in my experience that most of IT people setup networks to use Internet explorer by default, without installing security plugins on more developed browsers such as Firefox and Chrome.

In addition, the fact that a corporate company may have to use its own DNS is indicative of a stale situation that does not keep up with the fast spread of malware.


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises Are Assessing Cybersecurity Risk in Today's Environment
The adoption of cloud services spurred by the COVID-19 pandemic has resulted in pressure on cyber-risk professionals to focus on vulnerabilities and new exposures that stem from pandemic-driven changes. Many cybersecurity pros expect fundamental, long-term changes to their organization's computing and data security due to the shift to more remote work and accelerated cloud adoption. Download this report from Dark Reading to learn more about their challenges and concerns.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-42791
PUBLISHED: 2022-01-28
An issue was discovered in VeridiumID VeridiumAD 2.5.3.0. The HTTP request to trigger push notifications for VeridiumAD enrolled users does not enforce proper access control. A user can trigger push notifications for any other user. The text contained in the push notification can also be modified. I...
CVE-2020-28884
PUBLISHED: 2022-01-28
Liferay Portal Server tested on 7.3.5 GA6, 7.2.0 GA1 is affected by OS Command Injection. An administrator user can inject Groovy script to execute any OS command on the Liferay Portal Sever.
CVE-2020-28885
PUBLISHED: 2022-01-28
Liferay Portal Server tested on 7.3.5 GA6, 7.2.0 GA1 is affected by OS Command Injection. An administrator user can inject commands through the Gogo Shell module to execute any OS command on the Liferay Portal Sever.
CVE-2022-0394
PUBLISHED: 2022-01-28
Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat prior to 3.93v.
CVE-2022-21720
PUBLISHED: 2022-01-28
GLPI is a free asset and IT management software package. Prior to version 9.5.7, an entity administrator is capable of retrieving normally inaccessible data via SQL injection. Version 9.5.7 contains a patch for this issue. As a workaround, disabling the `Entities` update right prevents exploitation ...