Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
Browsers Are The Window To Enterprise Infection
Newest First  |  Oldest First  |  Threaded View
mpalmer60601
mpalmer60601,
 User Rank: Apprentice
2/10/2015 | 12:27:29 PM
Re: Ridicoulous
100% agree.
gd2009
gd2009,
 User Rank: Apprentice
2/10/2015 | 9:34:24 AM
Ridicoulous
This is a ridicoulous PAper  if you can call it that ! I mean really 4 paragrahs to tell me something  i already know? that most Malware comes thru a browser.

I was expecting to see industry options to deal with the problem noit how much google or muicrosoft spends to fix bugs!
Joe Stanganelli
Joe Stanganelli,
 User Rank: Ninja
2/9/2015 | 10:25:08 AM
Re: Glass is half full
You know, Google gets a lot of the praise and Microsoft gets a lot of the scorn from the tech press about these security issues, but Google seems to have a nasty habit of pulling arrogant garbage like insisting their Chromebooks are impervious to viruses (a ridiculous claim anyway) even when Kaspersky reports otherwise, and releasing MSFT zero-day vulnerabilities without giving MSFT a heads up or chance to fix them.  Compare MSFT, which has a six-year history of privately reporting bugs to software developers through its vulnerability research program, according other browser companies like Opera Software and even Google (turning the other cheek) the chance to fix their problems before the bad guys catch wind.
macker490
macker490,
 User Rank: Ninja
2/6/2015 | 9:55:21 AM
more accurately: Executable Documents
It's not just browsers: any program that can open an executable document is a potential problem.    this includes programs such as WORD and EXCEL that process scripts and macros -- in addition to activating servere problem software particularly Adobe/Flash.   e/mail is often used as a vector for transporting "trojans":  consider software which can AUTHENTICATE e/mail messages: i.e. verify the sender is who he says he is. and insure the message content has not been tampered with. Think: PGP/GnuPG.   They are not that hard -- if you try them out for yourself.

2015 will be "more of the same" as far as hacking goes -- unless we face the problem and change what's wrong.

start with a secure operating system: one which will not allow itself to be affected by an application program.  Something that does not require a dozen or so CVE patches every month.

next: work on isolation: think: "named spaces".   it is key to restrict an application program from using YOUR credentials -- plus instructions from an "executable document" -- to do what it wants with all the data you have access to -- on your desktop and on into your network connections

some earlier software, perforce, must be kept in service.   again: think : isolation.   work on multiple intranets such that vultnerable systems do not have open internet exposure -- or -- even exposure to your intranets which have open internet exposure.

remember: if you e/mail an executable document from one machine to another -- possibly from one intranet to another -- there is the potential to carry a trojan with that document

think: sanitation.   don't take any just any input data,-- clean it up.   ever since the IBM punch-card we had to clean up input data before we could process it.   sure,-- it's expensive.   but it's cheaper than getting hacked.
jaingverda
jaingverda,
 User Rank: Moderator
2/3/2015 | 4:29:34 PM
Shocking not
This really doesn't suprise me at all. When you have big business that refuses to update their custom software off of the older versions of internet explorer. I mean how many times do you go into a business and see the staff still running ie 8 or 9 or heaven forbid ie 7. This type of corprate culture is just a by product of the if it works don't change it til it becomes a net loss for us in terms of profit. Maybe if more companies would pay attention to security and how much damage they face if they do get hacked in terms of lost time, revenue and brand recognition it might force these businesses to upgrade once in a while. I don't know how many times I've heard over the years oh it still is working fine for what I need it to and my employees know better than do anything but work on these machines.
aws0513
aws0513,
 User Rank: Ninja
2/3/2015 | 8:58:18 AM
This is a trend that been demonstrated
The Pwn2Own contests have demonstrated the weaknesses in browsers repeatedly over the years.  So this information a further confirmation of the weakness trend.
Marilyn Cohodas
Marilyn Cohodas,
 User Rank: Strategist
2/3/2015 | 8:40:23 AM
Glass is half full
It's reassuring to hear that the bug bounty programs are working (at least at Google), and that the major browsers companies are paying attention to the problem. 
Joe Stanganelli
Joe Stanganelli,
 User Rank: Ninja
2/3/2015 | 3:19:49 AM
Unsurprising but informative
Completely unsurprising when you think about it (what else would be the optimal end user software to infect and attack?), but it's nice to have the numbers -- the very, very high numbers -- behind it so we can better deal with the threats.
pcdoctorny
pcdoctorny,
 User Rank: Apprentice
2/2/2015 | 4:42:50 PM
Getting Infections from the Browser?
In terms of IT inertia I have seen in my experience that most of IT people setup networks to use Internet explorer by default, without installing security plugins on more developed browsers such as Firefox and Chrome.

In addition, the fact that a corporate company may have to use its own DNS is indicative of a stale situation that does not keep up with the fast spread of malware.


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-33196
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
CVE-2023-33185
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
CVE-2023-33187
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
CVE-2023-33194
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
CVE-2023-2879
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file