Browser Plug-In Vulns The Endpoint's Weakest Link

Online infections, exploit kit damage wreaked due to poor browser plug-in hygiene

Despite all of the attention given to zero-day attacks and system vulnerabilities, the typical exploit aimed at enterprise endpoints takes a much easier route. More often than not, the application used to access the Web is also the one most online attackers target, because most attackers and exploit kit designers realize that the common browser is usually an endpoint's weakest link. Not only are enterprises generally slow to keep up with browser patching, they're downright sluggish at updating plug-ins and extensions.

"Enterprises tend to have reasonable control over patching at the OS and browser level, but ask the average CISO for a report on browser plug-ins installed in the organization, and they won't know where to begin," says Michael Sutton, vice president of security research for cloud security vendor Zscaler. "Attackers know this all too well."

According to Sutton, his team's research has found that plug-ins for Adobe Reader, Adobe Flash, and Oracle Java tend to be the top targets for browser exploit kits today, a claim that dozens of other security researchers will vouch for. According to the most recent Cisco 2013 Annual Security Report, Java exploits accounted for 87 percent of all Web exploits, and the daily news supplies anecdotal evidence of the danger plug-ins pose.


Take, for example, news of the latest exploit kit making the rounds: Styx. First blown open by Krebs on Security earlier in the week, Styx is being offered for license for $3,000. Current research shows that Styx depends on just four vulnerabilities to do its dirty work, and three of those are Java exploits.

Attackers don't really need to go through the expense of discovering zero-days when they can have a field day exploiting the old browser vulnerabilities sitting unpatched on most endpoints today. According to the most recent Symantec Internet Security Threat Report 2013, though the rate of discovery of Web vulnerabilities increased by only 6 percent last year, the rate of attacks from compromised websites went up by 30 percent.

According to Patrick Thomas, security consultant for Neohapsis, the two- to three-month patch cycle that most organizations have developed for endpoint environments is simply not fast enough to keep up with exploit kits developed to take advantage of browser and plug-in vulnerabilities. Enterprises have to adapt their practices to account for this Achilles' heel in the endpoint ecosystem.

"Don't fear the auto-update -- these aren't the dark ages anymore. Modern browsers have the ability to self-update; require it to be enabled," Thomas says. "Include browsers in patch reports and make sure that alternate browsers are considered in your enterprise patch management. Finally, include browser extensions and plug-ins in patching strategy."
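Getting plug-ins and extensions into the patch report starts with knowing what is installed. The following is an added example, not code from the article or from any of the vendors quoted: a PowerShell inventory that reads Java, Flash and Adobe Reader versions from the standard Windows uninstall registry keys, Chrome extension manifests from the user's profile, and Firefox add-ons from each profile's extensions.json. The product-name filter and the CSV output path are assumptions made for this example.

```powershell
# Added example (not from the article): inventory browser plug-ins and
# extensions on a Windows endpoint so they can be included in patch reports.
# Registry keys and profile paths are the standard Windows, Chrome and Firefox
# locations; the name filter and the output file name are assumptions.

function Get-InstalledPluginProducts {
    # Java, Flash and Adobe Reader register under the uninstall keys
    # (native and 32-bit views) with DisplayName and DisplayVersion.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Java|Flash|Adobe (Acrobat )?Reader' } |
        ForEach-Object {
            [pscustomobject]@{
                Source  = 'Installer'
                Name    = $_.DisplayName
                Version = $_.DisplayVersion
                Path    = $_.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
            }
        }
}

function Get-ChromeExtensions {
    # Each Chrome extension is unpacked under <id>\<version>\manifest.json.
    # Localized extensions report a "__MSG_*__" placeholder as their name.
    $root = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'
    if (-not (Test-Path $root)) { return }
    Get-ChildItem -Path $root -Recurse -Filter manifest.json -ErrorAction SilentlyContinue |
        ForEach-Object {
            $manifest = Get-Content $_.FullName -Raw | ConvertFrom-Json
            [pscustomobject]@{
                Source  = 'Chrome'
                Name    = $manifest.name
                Version = $manifest.version
                Path    = $_.FullName
            }
        }
}

function Get-FirefoxExtensions {
    # Firefox records installed add-ons in extensions.json inside each profile;
    # themes and built-in system add-ons are skipped by filtering on type.
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (-not (Test-Path $profiles)) { return }
    Get-ChildItem -Path $profiles -Recurse -Filter extensions.json -ErrorAction SilentlyContinue |
        ForEach-Object {
            $json = Get-Content $_.FullName -Raw | ConvertFrom-Json
            foreach ($addon in $json.addons) {
                if ($addon.type -ne 'extension') { continue }
                [pscustomobject]@{
                    Source  = 'Firefox'
                    Name    = $addon.defaultLocale.name
                    Version = $addon.version
                    Path    = $_.FullName
                }
            }
        }
}

# Combine the three sources into one report per endpoint.
$inventory = @(Get-InstalledPluginProducts) + @(Get-ChromeExtensions) + @(Get-FirefoxExtensions)
$inventory | Sort-Object Source, Name | Format-Table -AutoSize
# Output file name is an assumption; feed the CSV to whatever tracks patch status.
$inventory | Export-Csv -Path "$env:COMPUTERNAME-browser-plugins.csv" -NoTypeInformation
```

Run it under each user's context (or via a logon script), since Chrome and Firefox keep their extension data per user profile; the installer view from HKLM is machine-wide. Collected CSVs give the per-version breakdown that a patch report needs to show which endpoints still carry an outdated Java or Reader.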

Organizations that truly want to reduce their risks should consider more drastic measures, including completely uninstalling the most widely attacked plug-ins.

"I'd suggest that, unless you have a pressing need for a business application that requires Java, uninstall it completely from any Windows computer you use," says Andrew Brandt, director of threat research at Solera Networks, a Blue Coat company. "Even though these attacks spawn a pop-up message from Java asking for permission to execute the malicious JAR, in many cases it's too hard to tell from which browser window the pop-ups originate."

Similarly, organizations could limit how scripts run within browsers. For example, using something like the NoScript extension for Firefox could limit the browser's attack surface, and disabling JavaScript within PDFs loaded in the browser could also reduce risk.

"The other application most frequently targeted for exploitation during an attack is Adobe Reader," Brandt says. "The most current updates to Reader make this a far less risky application, but you can also disable JavaScript within PDF files using an option in the Settings dialogue within the program. Doing so eliminates the vast majority of the risk associated with this program."
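The Reader setting Brandt describes is stored in the registry, which is how an administrator would enforce and verify it across many endpoints rather than clicking through the preferences on each one. The following is an added example, not code from the article or from Adobe: it writes the JSPrefs value that the "Enable Acrobat JavaScript" checkbox toggles and checks the result. The product segment of the key path (`DC`) and the use of the per-user hive are assumptions and should match the Reader version actually deployed.

```powershell
# Added example (not from the article): turn off JavaScript in Adobe Reader
# for the current user by setting the preference the GUI checkbox controls,
# then verify it. The 'DC' version segment is an assumption for this example.

function Test-ReaderJavaScriptDisabled {
    param([string]$ReaderVersion = 'DC')   # assumption: Acrobat Reader DC
    $key   = "HKCU:\Software\Adobe\Acrobat Reader\$ReaderVersion\JSPrefs"
    $value = (Get-ItemProperty -Path $key -Name 'bEnableJS' -ErrorAction SilentlyContinue).bEnableJS
    # True only when the value exists and is explicitly 0; a missing value
    # means Reader falls back to its default, which is JavaScript enabled.
    return ($null -ne $value -and $value -eq 0)
}

function Disable-ReaderJavaScript {
    param([string]$ReaderVersion = 'DC')   # assumption: Acrobat Reader DC
    $key = "HKCU:\Software\Adobe\Acrobat Reader\$ReaderVersion\JSPrefs"
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # bEnableJS = 0 is what unticking "Enable Acrobat JavaScript" writes.
    Set-ItemProperty -Path $key -Name 'bEnableJS' -Value 0 -Type DWord
    return Test-ReaderJavaScriptDisabled -ReaderVersion $ReaderVersion
}

if (Disable-ReaderJavaScript) {
    Write-Output 'Adobe Reader JavaScript is disabled for the current user.'
} else {
    Write-Warning 'bEnableJS is not 0; check the Reader version segment in the key path.'
}
```

Because the value lives under HKCU, it has to be applied in each user's context (a logon script or Group Policy Preferences registry item does this); the Test function alone is enough for a compliance check that reports endpoints where the setting has drifted back to enabled.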


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
