Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Design Flaws Make All Browsers Vulnerable, Black Hat Speaker Says

In series of hacks, researcher demonstrates inherent flaws in currently-used browsers

LAS VEGAS, NEVADA -- Black Hat USA 2010 -- If you ask Jeremiah Grossman, no Internet browser application is truly safe.

Click here for more of Dark Reading's Black Hat articles.

Grossman, CTO of Whitehat Security, described a series of browser design flaws in a presentation here last week. Internet Explorer 6 and 7, Safari, Firefox, and Google Chrome all showed some exploitable weaknesses, he said.

"These are not just application vulnerabilities that can be patched on the next rev," Grossman said. "These are basic design flaws."

In several cases, Grossman demonstrated how attackers can use the "auto-fill" and "auto-complete" features in several browsers to trick the browser into giving up personal information and password data from the user.

In other cases, he showed how cross-site scripting flaws can be used to gain access to the password manager features in Chrome and Firefox. A final demo described a method for swiftly evicting cookies from Firefox, making it easier to attack.

After so much browser research, does Grossman recommend one over the others? "IE 8 is technically secure, but it's targeted because it's so widespread," he said. "Firefox is not bad, but I outlined some design flaws in my talk. Chrome is also pretty good, but it comes with what amounts to Google spyware, and there's no sandbox."

Depending on what they're doing, some users may benefit from using more than one browser, taking advantage of the relative security capabilities of each, Grossman said. "One of my key points was just to get people away from using IE 6 and 7," he said. "There are still a lot of users of those out there."

Some users may want to think twice before using password manager features, too, Grossman says. "It's a pain to write them all down, but if your password manager is compromised, that can be a big problem," he said.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
AI Is Everywhere, but Don't Ignore the Basics
Howie Xu, Vice President of AI and Machine Learning at Zscaler,  9/10/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-09-16
The File Session Manager in Beego 1.10.0 allows local users to read session files because there is a race condition involving file creation within a directory with weak permissions.
PUBLISHED: 2019-09-16
The File Session Manager in Beego 1.10.0 allows local users to read session files because of weak permissions for individual files.
PUBLISHED: 2019-09-16
Emerson GE Automation Proficy Machine Edition 8.0 allows an access violation and application crash via crafted traffic from a remote device, as demonstrated by an RX7i device.
PUBLISHED: 2019-09-16
Bento4 1.5.1-628 has a NULL pointer dereference in AP4_ByteStream::ReadUI32 in Core/Ap4ByteStream.cpp when called from the AP4_TrunAtom class.
PUBLISHED: 2019-09-16
ffjpeg before 2019-08-18 has a NULL pointer dereference in idct2d8x8() at dct.c.