Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/28/2010
06:36 PM
50%
50%

In Wake Of Attacks, Enterprises Look To Plug Browser Security Hole

Even a fully patched browser can expose enterprises to threats, experts say

For five hours last week, Twitter users were inundated with an avalanche of odd tweets. The messages -- actually snippets of JavaScript -- would execute when a browser user moused over the text. While the lion's share of the tweets were simple pranks, the technique exploited a flaw in Twitter's website that could have allowed malcontents to possibly attack the end user's system.

The vulnerability, known as a cross-site scripting flaw, allowed online miscreants to execute JavaScript code. Even fully patched modern browsers would not have been protected against the attack, according to security experts. The danger comes from emerging features of the Web -- and the ability of users to post content to sites.

The incident underscores that browsing websites, even well-known, "legitimate" sites, has inherent risks, says Michael Sutton, vice president of security research for Web security firm Zscaler.

"If it is not your code, if you did not build it, it is not trusted," Sutton says. "I don't care if it is some partner website, or if it's a social network, or if its some website on the Internet that you know nothing about. They all have to be treated the same; they are all untrusted sites. That is why you need protections in place."

For consumers, experts recommend using two browsers: an up-to-date browser for everyday use and a locked-down browser -- preferably running in a virtual machine -- to go to specific sensitive sites, such as online banks. Mozilla Firefox with the NoScript plug-in is a popular choice. However, most companies would find it difficult to mandate such a policy, let alone enforce it, says Sutton.

Instead, companies should rely on training and education to make their employees more informed about the threats online, experts say. In terms of technology, there are three concrete steps that enterprise IT managers can take. The goal is to gain more control over how Web sites impact the browser, says Mike Dausin, manager of advanced security intelligence for HP TippingPoint.

"The more fine-grained control that you can have over these types of sites, the better off you will be," he says.

First, companies should be using the most up-to-date version of their favored browsers, Sutton says. In its latest survey of corporate Web traffic, nearly a quarter of companies were still using Internet Explorer 6, which is missing critical patches and new security features, such as protections against cross-site scripting.

"Enterprises are much more slow to adopt new browser technology than end users," Sutton says. "That's unfortunate, because a lot of these new browsers have really important security technology."

Patching the browser is also an important security measure. Data from vulnerability management firm Qualys has shown that its clients update their browsers about two weeks after a patch is released. Sooner is better, however.

A second measure that companies can take is to block advertisements, says Jeremiah Grossman, CTO of Web security firm White Hat Security. Attackers frequently attempt to get malicious advertisements, or malverts, onto legitimate sites.

When a browser displays the ads, it could execute code or at least create a fraudulent pop-up that attempts to fool the user into going to another, less legitimate, site, experts observe. Perhaps the most high-profile case occurred a year ago, when The New York Times allowed malicious Flash ads on its site.

"I don't think there's any upside for a corporation to allow ads -- they take up employee time, burn bandwidth, and represent risk," Grossman says.

Finally, companies can use Web security services to block bad sites or to detect bad content on the fly. Services such as OpenDNS can block users or groups of users from going to certain types of sites or being redirected to known bad sites.

However, the real problems are the well-known sites that have been compromised in some way, Zscaler's Sutton stresses. For those cases, content inspection is necessary. Intrusion prevention systems can protect against attacks in most forms of network traffic. Other services, such as Zscaler's service, focus on the most popular types of communications, such as Web and e-mail.

"It is not the evil sites, it is the good sites," he says. "It's when the good sites have become infected or are being leveraged, as in the Twitter case."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Browsers to Enforce Shorter Certificate Life Spans: What Businesses Should Know
Kelly Sheridan, Staff Editor, Dark Reading,  7/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17366
PUBLISHED: 2020-08-05
An issue was discovered in NLnet Labs Routinator 0.1.0 through 0.7.1. It allows remote attackers to bypass intended access restrictions or to cause a denial of service on dependent routing systems by strategically withholding RPKI Route Origin Authorisation ".roa" files or X509 Certificate...
CVE-2020-9036
PUBLISHED: 2020-08-05
Jeedom through 4.0.38 allows XSS.
CVE-2020-15127
PUBLISHED: 2020-08-05
In Contour ( Ingress controller for Kubernetes) before version 1.7.0, a bad actor can shut down all instances of Envoy, essentially killing the entire ingress data plane. GET requests to /shutdown on port 8090 of the Envoy pod initiate Envoy's shutdown procedure. The shutdown procedure includes flip...
CVE-2020-15132
PUBLISHED: 2020-08-05
In Sulu before versions 1.6.35, 2.0.10, and 2.1.1, when the "Forget password" feature on the login screen is used, Sulu asks the user for a username or email address. If the given string is not found, a response with a `400` error code is returned, along with a error message saying that th...
CVE-2020-7298
PUBLISHED: 2020-08-05
Unexpected behavior violation in McAfee Total Protection (MTP) prior to 16.0.R26 allows local users to turn off real time scanning via a specially crafted object making a specific function call.