Endpoint

7/12/2013
02:06 PM
Browser Plug-In Vulns The Endpoint's Weakest Link

Online infections and exploit kit damage trace back to poor browser plug-in hygiene

Despite all the attention given to zero-day attacks and system vulnerabilities, the typical exploit aimed at enterprise endpoints looks for a much easier way in. More often than not, the application used to access the Web is the one attackers target, because exploit kit designers know that the browser and its plug-ins are usually the endpoint's weakest link. Enterprises are generally slow to keep up with browser patching and slower still at updating plug-ins and extensions.

"Enterprises tend to have reasonable control over patching at the OS and browser level, but ask the average CISO for a report on browser plug-ins installed in the organization, and they won't know where to begin," says Michael Sutton, vice president of security research for cloud security vendor Zscaler. "Attackers know this all too well."

According to Sutton, his team's research has found that the plug-ins for Adobe Reader, Adobe Flash, and Oracle Java are the top targets for browser exploit kits today, a finding other security researchers corroborate. The Cisco 2013 Annual Security Report found that Java exploits accounted for 87 percent of all Web exploits, and daily news reports keep adding to the evidence of plug-in dangers.


Take, for example, the latest exploit kit making the rounds: Styx. First reported by Krebs on Security earlier this week, Styx is being offered for license at $3,000. Current analysis shows that Styx relies on just four vulnerabilities to do its dirty work, and three of those are Java exploits.

Attackers don't need to go to the expense of discovering zero-days when they can have a field day exploiting old browser vulnerabilities left unpatched on most endpoints. According to the Symantec Internet Security Threat Report 2013, the number of Web vulnerabilities discovered rose only 6 percent last year, yet attacks launched from compromised websites rose 30 percent.

According to Patrick Thomas, security consultant for Neohapsis, the two- to three-month patch cycle that most organizations have developed for endpoint environments is simply not fast enough to keep up with exploit kits developed to take advantage of browser and plug-in vulnerabilities. Enterprises have to adapt their practices to account for this Achilles' heel in the endpoint ecosystem.

"Don't fear the auto-update -- these aren't the dark ages anymore. Modern browsers have the ability to self-update; require it to be enabled," Thomas says. "Include browsers in patch reports and make sure that alternate browsers are considered in your enterprise patch management. Finally, include browser extensions and plug-ins in patching strategy."
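As an added example, not code from the article or from Zscaler or Neohapsis, the following PowerShell script produces the kind of plug-in patch report Sutton says most CISOs cannot pull and Thomas says should exist. It enumerates every installed copy of Java, Flash and Adobe Reader from the Windows installer registry keys, adds any plug-in registered for Firefox-family browsers (NPAPI) under `HKLM\SOFTWARE\MozillaPlugins`, and flags each against a minimum version. The baseline versions, the product-name patterns and the function names are assumptions for this illustration; replace the baselines with the versions in the vendors' current bulletins. Requires PowerShell 3.0 or later and should be run elevated, locally or through `Invoke-Command`.

```powershell
# Added example: per-host plug-in patch report for the components named above.
# Baseline versions are ASSUMED for illustration only; take real values from
# the vendors' current security bulletins.
$Baseline = @{
    'Java'         = [version]'7.0.250'      # how the Java 7 Update 25 installer records itself
    'Flash Player' = [version]'11.8.800.94'
    'Adobe Reader' = [version]'11.0.3'
}

function Get-PluginInventory {
    # Installed programs: 64-bit and 32-bit (Wow6432Node) registrations alike.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            # Map the installer's display name onto one of the tracked products.
            $product = switch -Regex ($_.DisplayName) {
                '^Java(\(TM\))? \d'        { 'Java' }
                '^Adobe Flash Player'      { 'Flash Player' }
                '^Adobe (Acrobat )?Reader' { 'Adobe Reader' }
            }
            if ($product) {
                [pscustomobject]@{
                    Source  = 'Installer'
                    Product = $product
                    Name    = $_.DisplayName
                    Version = $_.DisplayVersion
                }
            }
        }

    # Plug-ins that register themselves for Firefox-family browsers (NPAPI)
    # appear here even when no installer entry exists for them.
    Get-ChildItem -Path 'HKLM:\SOFTWARE\MozillaPlugins' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Source  = 'NPAPI'
                Product = $_.PSChildName
                Name    = $p.Description
                Version = $p.Version
            }
        }
}

function Get-PluginPatchReport {
    Get-PluginInventory | ForEach-Object {
        # Version strings such as "7.0.250", "11.8.800.94" and "11.0.03" all parse as [version].
        $installed = $null
        try { $installed = [version]$_.Version } catch { }
        $required = $Baseline[$_.Product]     # $null when there is no baseline for this product
        $status = if (-not $installed -or -not $required) { 'Unknown' } elseif ($installed -lt $required) { 'OUTDATED' } else { 'Current' }
        $requiredText = if ($required) { $required.ToString() } else { '' }
        [pscustomobject]@{
            Source    = $_.Source
            Product   = $_.Product
            Name      = $_.Name
            Installed = $_.Version
            Required  = $requiredText
            Status    = $status
        }
    }
}

Get-PluginPatchReport | Sort-Object Status, Product | Format-Table -AutoSize
```

Each installed copy is listed on its own row, so a host carrying two JREs shows two Java lines; an older copy sitting beside a current one still counts as unpatched software on the endpoint. Rows marked Unknown are the ones to chase by hand: either the version string did not parse or no baseline was defined for that product.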

Organizations that truly want to reduce their risks should consider more drastic measures, including completely uninstalling the most widely attacked plug-ins.

"I'd suggest that, unless you have a pressing need for a business application that requires Java, uninstall it completely from any Windows computer you use," says Andrew Brandt, director of threat research at Solera Networks, a Blue Coat company. "Even though these attacks spawn a pop-up message from Java asking for permission to execute the malicious JAR, in many cases it's too hard to tell from which browser window the pop-ups originate."

Similarly, organizations can limit how scripts run within browsers. For example, Firefox's NoScript extension blocks JavaScript and plug-in content on sites the user has not explicitly allowed, shrinking the browser's attack surface, and disabling JavaScript within PDFs opened in the browser also reduces risk.

"The other application most frequently targeted for exploitation during an attack is Adobe Reader," Brandt says. "The most current updates to Reader make this a far less risky application, but you can also disable JavaScript within PDF files using an option in the Settings dialogue within the program. Doing so eliminates the vast majority of the risk associated with this program."
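The following PowerShell script, an added example rather than code from the article, Adobe, Oracle or Solera, applies the Reader and Java measures Brandt describes above on a Windows endpoint: it disables JavaScript in Reader through Adobe's administrator lockdown key so that a user cannot re-enable it from the Preferences dialog, turns the Java browser plug-in off for every user through a mandatory system-level `deployment.properties`, and, where no business application needs Java, removes it outright. The registry and property names are the vendors' documented enterprise settings; the Reader version segment (`11.0`, Reader XI), the `bProtectedMode` value, the chosen Java security level and the `$RemoveJava` switch are assumptions for this example. Run it elevated.

```powershell
# Added example: lock down the two plug-ins singled out above. Run elevated.
# Vendor setting names are documented; the version segment "11.0" (Reader XI),
# the Java security level and the $RemoveJava switch are assumptions.

# --- Adobe Reader: disable PDF JavaScript and lock the choice -----------------
# FeatureLockDown values under HKLM\...\Policies override the user's own
# Preferences, so JavaScript cannot be quietly switched back on.
$readerLock = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\FeatureLockDown'
New-Item -Path $readerLock -Force | Out-Null
Set-ItemProperty -Path $readerLock -Name 'bEnableJS'      -Value 0 -Type DWord   # 0 = JavaScript off
Set-ItemProperty -Path $readerLock -Name 'bProtectedMode' -Value 1 -Type DWord   # keep the sandbox on

# --- Java: turn the browser plug-in off for every user ------------------------
# A system-level deployment.properties, made mandatory by deployment.config,
# overrides the per-user settings reachable from the Java Control Panel.
$javaDeploy = Join-Path $env:windir 'Sun\Java\Deployment'
New-Item -ItemType Directory -Path $javaDeploy -Force | Out-Null

$propsPath = Join-Path $javaDeploy 'deployment.properties'
@(
    'deployment.webjava.enabled=false'      # no Java in any browser
    'deployment.webjava.enabled.locked'     # and users cannot flip it back on
    'deployment.security.level=VERY_HIGH'   # if the plug-in is ever re-enabled, only signed, trusted apps run
    'deployment.security.level.locked'
) | Set-Content -Path $propsPath -Encoding ASCII

# deployment.config expects a file: URL with forward slashes.
$propsUrl = 'file:///' + ($propsPath -replace '\\', '/')
@(
    "deployment.system.config=$propsUrl"
    'deployment.system.config.mandatory=true'   # fail closed if the properties file cannot be loaded
) | Set-Content -Path (Join-Path $javaDeploy 'deployment.config') -Encoding ASCII

# --- Or remove Java entirely where no business application needs it ----------
# Each Java release is an MSI with its own product code under the Uninstall keys.
$RemoveJava = $false   # set to $true on hosts with no Java dependency
if ($RemoveJava) {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match '^Java(\(TM\))? \d' -and $_.PSChildName -match '^\{[0-9A-Fa-f-]+\}$' } |
        ForEach-Object {
            # Silent uninstall by product code; repeat per installed JRE.
            Start-Process -FilePath 'msiexec.exe' -ArgumentList "/x $($_.PSChildName) /qn /norestart" -Wait
        }
}
```

Verify the Reader change by opening Edit > Preferences > JavaScript in Reader: the "Enable Acrobat JavaScript" box should be both cleared and greyed out. Verify the Java change with `javaws -viewer` or the Java Control Panel's Security tab, where "Enable Java content in the browser" should be cleared and locked; a browser visit to a page containing an applet should then show nothing rather than the permission pop-up Brandt describes.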

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
