Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/28/2010
06:36 PM
50%
50%

In Wake Of Attacks, Enterprises Look To Plug Browser Security Hole

Even a fully patched browser can expose enterprises to threats, experts say

For five hours last week, Twitter users were inundated with an avalanche of odd tweets. The messages -- actually snippets of JavaScript -- would execute when a browser user moused over the text. While the lion's share of the tweets were simple pranks, the technique exploited a flaw in Twitter's website that could have allowed malcontents to possibly attack the end user's system.

The vulnerability, known as a cross-site scripting flaw, allowed online miscreants to execute JavaScript code. Even fully patched modern browsers would not have been protected against the attack, according to security experts. The danger comes from emerging features of the Web -- and the ability of users to post content to sites.

The incident underscores that browsing websites, even well-known, "legitimate" sites, has inherent risks, says Michael Sutton, vice president of security research for Web security firm Zscaler.

"If it is not your code, if you did not build it, it is not trusted," Sutton says. "I don't care if it is some partner website, or if it's a social network, or if its some website on the Internet that you know nothing about. They all have to be treated the same; they are all untrusted sites. That is why you need protections in place."

For consumers, experts recommend using two browsers: an up-to-date browser for everyday use and a locked-down browser -- preferably running in a virtual machine -- to go to specific sensitive sites, such as online banks. Mozilla Firefox with the NoScript plug-in is a popular choice. However, most companies would find it difficult to mandate such a policy, let alone enforce it, says Sutton.

Instead, companies should rely on training and education to make their employees more informed about the threats online, experts say. In terms of technology, there are three concrete steps that enterprise IT managers can take. The goal is to gain more control over how Web sites impact the browser, says Mike Dausin, manager of advanced security intelligence for HP TippingPoint.

"The more fine-grained control that you can have over these types of sites, the better off you will be," he says.

First, companies should be using the most up-to-date version of their favored browsers, Sutton says. In its latest survey of corporate Web traffic, nearly a quarter of companies were still using Internet Explorer 6, which is missing critical patches and new security features, such as protections against cross-site scripting.

"Enterprises are much more slow to adopt new browser technology than end users," Sutton says. "That's unfortunate, because a lot of these new browsers have really important security technology."

Patching the browser is also an important security measure. Data from vulnerability management firm Qualys has shown that its clients update their browsers about two weeks after a patch is released. Sooner is better, however.

A second measure that companies can take is to block advertisements, says Jeremiah Grossman, CTO of Web security firm White Hat Security. Attackers frequently attempt to get malicious advertisements, or malverts, onto legitimate sites.

When a browser displays the ads, it could execute code or at least create a fraudulent pop-up that attempts to fool the user into going to another, less legitimate, site, experts observe. Perhaps the most high-profile case occurred a year ago, when The New York Times allowed malicious Flash ads on its site.

"I don't think there's any upside for a corporation to allow ads -- they take up employee time, burn bandwidth, and represent risk," Grossman says.

Finally, companies can use Web security services to block bad sites or to detect bad content on the fly. Services such as OpenDNS can block users or groups of users from going to certain types of sites or being redirected to known bad sites.

However, the real problems are the well-known sites that have been compromised in some way, Zscaler's Sutton stresses. For those cases, content inspection is necessary. Intrusion prevention systems can protect against attacks in most forms of network traffic. Other services, such as Zscaler's service, focus on the most popular types of communications, such as Web and e-mail.

"It is not the evil sites, it is the good sites," he says. "It's when the good sites have become infected or are being leveraged, as in the Twitter case."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "He's too shy to invite me out face to face!"
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16649
PUBLISHED: 2019-09-21
On Supermicro H11, H12, M11, X9, X10, and X11 products, a combination of encryption and authentication problems in the virtual media service allows capture of BMC credentials and data transferred over virtual media devices. Attackers can use captured credentials to connect virtual USB devices to the...
CVE-2019-16650
PUBLISHED: 2019-09-21
On Supermicro X10 and X11 products, a client's access privileges may be transferred to a different client that later has the same socket file descriptor number. In opportunistic circumstances, an attacker can simply connect to the virtual media service, and then connect virtual USB devices to the se...
CVE-2019-15138
PUBLISHED: 2019-09-20
The html-pdf package 2.2.0 for Node.js has an arbitrary file read vulnerability via an HTML file that uses XMLHttpRequest to access a file:/// URL.
CVE-2019-6145
PUBLISHED: 2019-09-20
Forcepoint VPN Client for Windows versions lower than 6.6.1 have an unquoted search path vulnerability. This enables local privilege escalation to SYSTEM user. By default, only local administrators can write executables to the vulnerable directories. Forcepoint thanks Peleg Hadar of SafeBreach Labs ...
CVE-2019-6649
PUBLISHED: 2019-09-20
F5 BIG-IP 15.0.0, 14.1.0-14.1.0.6, 14.0.0-14.0.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.1, 11.6.0-11.6.4, and 11.5.1-11.5.9 and Enterprise Manager 3.1.1 may expose sensitive information and allow the system configuration to be modified when using non-default ConfigSync settings.