Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/28/2010
06:36 PM
50%
50%

In Wake Of Attacks, Enterprises Look To Plug Browser Security Hole

Even a fully patched browser can expose enterprises to threats, experts say

For five hours last week, Twitter users were inundated with an avalanche of odd tweets. The messages -- actually snippets of JavaScript -- would execute when a browser user moused over the text. While the lion's share of the tweets were simple pranks, the technique exploited a flaw in Twitter's website that could have allowed malcontents to possibly attack the end user's system.

The vulnerability, known as a cross-site scripting flaw, allowed online miscreants to execute JavaScript code. Even fully patched modern browsers would not have been protected against the attack, according to security experts. The danger comes from emerging features of the Web -- and the ability of users to post content to sites.

The incident underscores that browsing websites, even well-known, "legitimate" sites, has inherent risks, says Michael Sutton, vice president of security research for Web security firm Zscaler.

"If it is not your code, if you did not build it, it is not trusted," Sutton says. "I don't care if it is some partner website, or if it's a social network, or if its some website on the Internet that you know nothing about. They all have to be treated the same; they are all untrusted sites. That is why you need protections in place."

For consumers, experts recommend using two browsers: an up-to-date browser for everyday use and a locked-down browser -- preferably running in a virtual machine -- to go to specific sensitive sites, such as online banks. Mozilla Firefox with the NoScript plug-in is a popular choice. However, most companies would find it difficult to mandate such a policy, let alone enforce it, says Sutton.

Instead, companies should rely on training and education to make their employees more informed about the threats online, experts say. In terms of technology, there are three concrete steps that enterprise IT managers can take. The goal is to gain more control over how Web sites impact the browser, says Mike Dausin, manager of advanced security intelligence for HP TippingPoint.

"The more fine-grained control that you can have over these types of sites, the better off you will be," he says.

First, companies should be using the most up-to-date version of their favored browsers, Sutton says. In its latest survey of corporate Web traffic, nearly a quarter of companies were still using Internet Explorer 6, which is missing critical patches and new security features, such as protections against cross-site scripting.

"Enterprises are much more slow to adopt new browser technology than end users," Sutton says. "That's unfortunate, because a lot of these new browsers have really important security technology."

Patching the browser is also an important security measure. Data from vulnerability management firm Qualys has shown that its clients update their browsers about two weeks after a patch is released. Sooner is better, however.

A second measure that companies can take is to block advertisements, says Jeremiah Grossman, CTO of Web security firm White Hat Security. Attackers frequently attempt to get malicious advertisements, or malverts, onto legitimate sites.

When a browser displays the ads, it could execute code or at least create a fraudulent pop-up that attempts to fool the user into going to another, less legitimate, site, experts observe. Perhaps the most high-profile case occurred a year ago, when The New York Times allowed malicious Flash ads on its site.

"I don't think there's any upside for a corporation to allow ads -- they take up employee time, burn bandwidth, and represent risk," Grossman says.

Finally, companies can use Web security services to block bad sites or to detect bad content on the fly. Services such as OpenDNS can block users or groups of users from going to certain types of sites or being redirected to known bad sites.

However, the real problems are the well-known sites that have been compromised in some way, Zscaler's Sutton stresses. For those cases, content inspection is necessary. Intrusion prevention systems can protect against attacks in most forms of network traffic. Other services, such as Zscaler's service, focus on the most popular types of communications, such as Web and e-mail.

"It is not the evil sites, it is the good sites," he says. "It's when the good sites have become infected or are being leveraged, as in the Twitter case."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
6 Small-Business Password Managers
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/8/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18980
PUBLISHED: 2019-11-14
On Signify Philips Taolight Smart Wi-Fi Wiz Connected LED Bulb 9290022656 devices, an unprotected API lets remote users control the bulb's operation. Anyone can turn the bulb on or off, or change its color or brightness remotely. There is no authentication or encryption to use the control API. The o...
CVE-2019-17391
PUBLISHED: 2019-11-14
An issue was discovered in the Espressif ESP32 mask ROM code 2016-06-08 0 through 2. Lack of anti-glitch mitigations in the first stage bootloader of the ESP32 chip allows an attacker (with physical access to the device) to read the contents of read-protected eFuses, such as flash encryption and sec...
CVE-2019-18651
PUBLISHED: 2019-11-14
A cross-site request forgery (CSRF) vulnerability in 3xLogic Infinias Access Control through 6.6.9586.0 allows remote attackers to execute malicious and unauthorized actions (e.g., delete application users) by sending a crafted HTML document to a user that the website trusts. The user needs to have ...
CVE-2019-18978
PUBLISHED: 2019-11-14
An issue was discovered in the rack-cors (aka Rack CORS Middleware) gem before 1.0.4 for Ruby. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.
CVE-2019-14678
PUBLISHED: 2019-11-14
SAS XML Mapper 9.45 has an XML External Entity (XXE) vulnerability that can be leveraged by malicious attackers in multiple ways. Examples are Local File Reading, Out Of Band File Exfiltration, Server Side Request Forgery, and/or Potential Denial of Service attacks. This vulnerability also affects t...