Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/28/2010
06:36 PM
50%
50%

In Wake Of Attacks, Enterprises Look To Plug Browser Security Hole

Even a fully patched browser can expose enterprises to threats, experts say

For five hours last week, Twitter users were inundated with an avalanche of odd tweets. The messages -- actually snippets of JavaScript -- would execute when a browser user moused over the text. While the lion's share of the tweets were simple pranks, the technique exploited a flaw in Twitter's website that could have allowed malcontents to possibly attack the end user's system.

The vulnerability, known as a cross-site scripting flaw, allowed online miscreants to execute JavaScript code. Even fully patched modern browsers would not have been protected against the attack, according to security experts. The danger comes from emerging features of the Web -- and the ability of users to post content to sites.

The incident underscores that browsing websites, even well-known, "legitimate" sites, has inherent risks, says Michael Sutton, vice president of security research for Web security firm Zscaler.

"If it is not your code, if you did not build it, it is not trusted," Sutton says. "I don't care if it is some partner website, or if it's a social network, or if its some website on the Internet that you know nothing about. They all have to be treated the same; they are all untrusted sites. That is why you need protections in place."

For consumers, experts recommend using two browsers: an up-to-date browser for everyday use and a locked-down browser -- preferably running in a virtual machine -- to go to specific sensitive sites, such as online banks. Mozilla Firefox with the NoScript plug-in is a popular choice. However, most companies would find it difficult to mandate such a policy, let alone enforce it, says Sutton.

Instead, companies should rely on training and education to make their employees more informed about the threats online, experts say. In terms of technology, there are three concrete steps that enterprise IT managers can take. The goal is to gain more control over how Web sites impact the browser, says Mike Dausin, manager of advanced security intelligence for HP TippingPoint.

"The more fine-grained control that you can have over these types of sites, the better off you will be," he says.

First, companies should be using the most up-to-date version of their favored browsers, Sutton says. In its latest survey of corporate Web traffic, nearly a quarter of companies were still using Internet Explorer 6, which is missing critical patches and new security features, such as protections against cross-site scripting.

"Enterprises are much more slow to adopt new browser technology than end users," Sutton says. "That's unfortunate, because a lot of these new browsers have really important security technology."

Patching the browser is also an important security measure. Data from vulnerability management firm Qualys has shown that its clients update their browsers about two weeks after a patch is released. Sooner is better, however.

A second measure that companies can take is to block advertisements, says Jeremiah Grossman, CTO of Web security firm White Hat Security. Attackers frequently attempt to get malicious advertisements, or malverts, onto legitimate sites.

When a browser displays the ads, it could execute code or at least create a fraudulent pop-up that attempts to fool the user into going to another, less legitimate, site, experts observe. Perhaps the most high-profile case occurred a year ago, when The New York Times allowed malicious Flash ads on its site.

"I don't think there's any upside for a corporation to allow ads -- they take up employee time, burn bandwidth, and represent risk," Grossman says.

Finally, companies can use Web security services to block bad sites or to detect bad content on the fly. Services such as OpenDNS can block users or groups of users from going to certain types of sites or being redirected to known bad sites.

However, the real problems are the well-known sites that have been compromised in some way, Zscaler's Sutton stresses. For those cases, content inspection is necessary. Intrusion prevention systems can protect against attacks in most forms of network traffic. Other services, such as Zscaler's service, focus on the most popular types of communications, such as Web and e-mail.

"It is not the evil sites, it is the good sites," he says. "It's when the good sites have become infected or are being leveraged, as in the Twitter case."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
For Cybersecurity to Be Proactive, Terrains Must Be Mapped
Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17593
PUBLISHED: 2019-10-14
JIZHICMS 1.5.1 allows admin.php/Admin/adminadd.html CSRF to add an administrator.
CVE-2019-17594
PUBLISHED: 2019-10-14
There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
CVE-2019-17595
PUBLISHED: 2019-10-14
There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
CVE-2019-14823
PUBLISHED: 2019-10-14
A flaw was found in the "Leaf and Chain" OCSP policy implementation in JSS' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0, where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to...
CVE-2019-17592
PUBLISHED: 2019-10-14
The csv-parse module before 4.4.6 for Node.js is vulnerable to Regular Expression Denial of Service. The __isInt() function contains a malformed regular expression that processes large crafted input very slowly. This is triggered when using the cast option.