Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Browsers Are The Window To Enterprise Infection
Newest First  |  Oldest First  |  Threaded View
mpalmer60601
50%
50%
mpalmer60601,
User Rank: Apprentice
2/10/2015 | 12:27:29 PM
Re: Ridicoulous
100% agree.
gd2009
50%
50%
gd2009,
User Rank: Apprentice
2/10/2015 | 9:34:24 AM
Ridicoulous
This is a ridicoulous PAper  if you can call it that ! I mean really 4 paragrahs to tell me something  i already know? that most Malware comes thru a browser.

I was expecting to see industry options to deal with the problem noit how much google or muicrosoft spends to fix bugs!
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/9/2015 | 10:25:08 AM
Re: Glass is half full
You know, Google gets a lot of the praise and Microsoft gets a lot of the scorn from the tech press about these security issues, but Google seems to have a nasty habit of pulling arrogant garbage like insisting their Chromebooks are impervious to viruses (a ridiculous claim anyway) even when Kaspersky reports otherwise, and releasing MSFT zero-day vulnerabilities without giving MSFT a heads up or chance to fix them.  Compare MSFT, which has a six-year history of privately reporting bugs to software developers through its vulnerability research program, according other browser companies like Opera Software and even Google (turning the other cheek) the chance to fix their problems before the bad guys catch wind.
macker490
50%
50%
macker490,
User Rank: Ninja
2/6/2015 | 9:55:21 AM
more accurately: Executable Documents
It's not just browsers: any program that can open an executable document is a potential problem.    this includes programs such as WORD and EXCEL that process scripts and macros -- in addition to activating servere problem software particularly Adobe/Flash.   e/mail is often used as a vector for transporting "trojans":  consider software which can AUTHENTICATE e/mail messages: i.e. verify the sender is who he says he is. and insure the message content has not been tampered with. Think: PGP/GnuPG.   They are not that hard -- if you try them out for yourself.

2015 will be "more of the same" as far as hacking goes -- unless we face the problem and change what's wrong.

start with a secure operating system: one which will not allow itself to be affected by an application program.  Something that does not require a dozen or so CVE patches every month.

next: work on isolation: think: "named spaces".   it is key to restrict an application program from using YOUR credentials -- plus instructions from an "executable document" -- to do what it wants with all the data you have access to -- on your desktop and on into your network connections

some earlier software, perforce, must be kept in service.   again: think : isolation.   work on multiple intranets such that vultnerable systems do not have open internet exposure -- or -- even exposure to your intranets which have open internet exposure.

remember: if you e/mail an executable document from one machine to another -- possibly from one intranet to another -- there is the potential to carry a trojan with that document

think: sanitation.   don't take any just any input data,-- clean it up.   ever since the IBM punch-card we had to clean up input data before we could process it.   sure,-- it's expensive.   but it's cheaper than getting hacked.
jaingverda
100%
0%
jaingverda,
User Rank: Moderator
2/3/2015 | 4:29:34 PM
Shocking not
This really doesn't suprise me at all. When you have big business that refuses to update their custom software off of the older versions of internet explorer. I mean how many times do you go into a business and see the staff still running ie 8 or 9 or heaven forbid ie 7. This type of corprate culture is just a by product of the if it works don't change it til it becomes a net loss for us in terms of profit. Maybe if more companies would pay attention to security and how much damage they face if they do get hacked in terms of lost time, revenue and brand recognition it might force these businesses to upgrade once in a while. I don't know how many times I've heard over the years oh it still is working fine for what I need it to and my employees know better than do anything but work on these machines.
aws0513
100%
0%
aws0513,
User Rank: Ninja
2/3/2015 | 8:58:18 AM
This is a trend that been demonstrated
The Pwn2Own contests have demonstrated the weaknesses in browsers repeatedly over the years.  So this information a further confirmation of the weakness trend.
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
2/3/2015 | 8:40:23 AM
Glass is half full
It's reassuring to hear that the bug bounty programs are working (at least at Google), and that the major browsers companies are paying attention to the problem. 
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
2/3/2015 | 3:19:49 AM
Unsurprising but informative
Completely unsurprising when you think about it (what else would be the optimal end user software to infect and attack?), but it's nice to have the numbers -- the very, very high numbers -- behind it so we can better deal with the threats.
pcdoctorny
100%
0%
pcdoctorny,
User Rank: Apprentice
2/2/2015 | 4:42:50 PM
Getting Infections from the Browser?
In terms of IT inertia I have seen in my experience that most of IT people setup networks to use Internet explorer by default, without installing security plugins on more developed browsers such as Firefox and Chrome.

In addition, the fact that a corporate company may have to use its own DNS is indicative of a stale situation that does not keep up with the fast spread of malware.


How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3331
PUBLISHED: 2021-01-27
WinSCP before 5.17.10 allows remote attackers to execute arbitrary programs when the URL handler encounters a crafted URL that loads session settings. (For example, this is exploitable in a default installation in which WinSCP is the handler for sftp:// URLs.)
CVE-2021-3326
PUBLISHED: 2021-01-27
The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.
CVE-2021-22641
PUBLISHED: 2021-01-27
A heap-based buffer overflow issue has been identified in the way the application processes project files, allowing an attacker to craft a special project file that may allow arbitrary code execution on the Tellus Lite V-Simulator and V-Server Lite (versions prior to 4.0.10.0).
CVE-2021-22653
PUBLISHED: 2021-01-27
Multiple out-of-bounds write issues have been identified in the way the application processes project files, allowing an attacker to craft a special project file that may allow arbitrary code execution on the Tellus Lite V-Simulator and V-Server Lite (versions prior to 4.0.10.0).
CVE-2021-22655
PUBLISHED: 2021-01-27
Multiple out-of-bounds read issues have been identified in the way the application processes project files, allowing an attacker to craft a special project file that may allow arbitrary code execution on the Tellus Lite V-Simulator and V-Server Lite (versions prior to 4.0.10.0).