Browser Exploits Increasingly Go For The Jugular

Black Hat USA panel to discuss browser attacks, which now go from browser userland to root privileges in no time flat.

Long the bane of the security industry, browser exploits just keep getting more dangerous as techniques grow more refined to get the most leverage from browser and browser extension flaws. According to speakers lined up for a lively panel session at Black Hat USA this week, achieving the highest levels of system privileges from a simple browser vulnerability has pretty much become de rigueur for attacks these days.

In a run-down of the exploits that took prizes in this year's Pwn2Own competition, members of the Zero Day Initiative (ZDI) program at Trend Micro are going to offer a number of observations about the techniques and methods behind this year's winning attacks. Among them is the key takeaway that attacks these days are going to increasingly go for the jugular -- namely achieving root privileges on the machine.

According to Matt Molinyawe, a vulnerability analyst and exploit developer for ZDI, this was the first time in Pwn2Own that every single winning submission in the competition was able to execute code to the highest privilege possible. That's across a pool of researchers who won a total of $460,000 for 21 discovered flaws.

"In previous contests, having a userland vulnerability, achieve code execution, and then escalating to the highest privileged user was a very, very rare thing," says Molinyawe, who will speak on the Black Hat panel called $hell on Earth: From Browser to System Compromise.

While there were some browser exploits that escalated from browser to root rather quickly, including one in OSX that manipulated a sudo command, Molinyawe and his colleagues say that improvements in browser security over the last few years are making researchers--and, consequently, attackers--work harder to develop browser exploits. Whereas many Pwn2Own submissions were often found over the course of a weekend, researchers now need to spend significantly more time perfecting their attacks.

"There’s multiple bugs now that have to be utilized in order to get these levels of execution. Back in the day, you could drop a font bug on somebody that’s through the browser and all of a sudden you're in the kernel. Nowadays, there’s multiple stages and multiple exploits occurring just to achieve the same level of execution," says Josh Smith, a senior vulnerability researcher for ZDI, also speaking on the Black Hat panel. "It shows that things are getting harder and that a lot of these defenses are having an impact."

However, the way attack techniques have shifted shows that while effective, certain defense mechanisms can't be counted on as final solutions to the browser problem. For example, now that many sandbox protections for browsers have improved, the competition no longer sees easy sandbox escapes and vulnerabilities playing a hand in browser attack scenarios--instead, researchers have shifted their sights to kernel vulnerabilities. 

"It seemed like the sandbox, which is a great innovation, hasn’t necessarily slowed that many people down--it is almost just a speed bump in reality. They've moved on to other attack surfaces—for instance, the portions of the kernel that they can reach from within the sandbox. But they have not had a problem making that pivot, if that pivot was necessary," Smith says.

The point is to always remember that "attackers will ultimately go for the weakest link," says Jasiel Spellman, vulnerability analyst and exploit developer for ZDI. The key for security ops is to remember that they need to take a well-rounded approach rather than looking for silver bullets.


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
