Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

11:50 AM
Connect Directly

Browser Exploits Increasingly Go For The Jugular

Black Hat USA panel to discuss browser attacks, which now go from browser userland to root privileges in no time flat.

Long the bane of the security industry, browser exploits just keep getting more dangerous as techniques grow more refined to get the most leverage from browser and browser extension flaws. According to speakers lined up for a lively panel session at Black Hat USA this week, achieving the highest levels of system privileges from a simple browser vulnerability has pretty much become de rigueur for attacks these days.

In a run-down of the exploits that took prizes in this year's Pwn2Own competition, members of the Zero Day Initiative (ZDI) program at Trend Micro are going to offer a number of observations about the techniques and methods behind this year's winning attacks. Among them is the key takeaway that attacks these days are going to increasingly go for the jugular -- namely achieving root privileges on the machine.

According to Matt Molinyawe, a vulnerability analyst and exploit developer for ZDI, this was the first time in Pwn2Own that every single winning submission in the competition was able to execute code to the highest privilege possible. That's across a pool of researchers who won a total of $460,000 for 21 discovered flaws.

"In previous contests, having a userland vulnerability, achieve code execution, and then escalating to the highest privileged user was a very, very rare thing," says Molinyawe, who will speak on the the Black Hat panel called $hell on Earth: From Browser to System Compromise.

While there were some browser exploits that escalated to from browser to root rather quickly, including one in OSX that manipulated a sudo command, Molinyawe and his colleagues say that improvements in browser security over the last few years is making researchers--and, consequently, attackers--work harder to develop browser exploits. Whereas many Pwn2Own submissions were often found over the course of a weekend, researchers now need to spend significantly more time perfecting their attacks.

"There’s multiple bugs now that have to be utilized in order to get these levels of execution. Back in the day, you could drop a font bug on somebody that’s through the browser and all of a sudden you're in the kernel. Nowadays, there’s multiple stages and multiple exploits occurring just to achieve the same level of execution," says Josh Smith, a senior vulnerability researcher for ZDI, also speaking on the Black Hat panel. "It shows that things are getting harder and that a lot of these defenses are having an impact."

However, the way attack techniques have shifted shows that while effective, certain defense mechanisms can't be counted on as final solutions to the browser problem. For example, now that many sandbox protections for browsers have improved, the competition no longer sees easy sandbox escapes and vulnerabilities playing a hand in browser attack scenarios--instead, researchers have shifted their sights to kernel vulnerabilities. 

"It seemed like the sandbox, which is a great innovation, hasn’t necessarily slowed that many people down--it is almost just a speed bump in reality. They've moved on to other attack surfaces—for instance, the portions of the kernel that they can reach from within the sandbox, But they have not had a problem making that pivot, if that pivot was necessary," Smith says.

The point is to always remember that "attackers will ultimately go for the weakest link," says Jasiel Spellman, vulnerability analyst and exploit developer for ZDI. They key for security ops is to remember that they need to take a well-rounded approach rather than looking for silver bullets.


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
4 Security Tips as the July 15 Tax-Day Extension Draws Near
Shane Buckley, President & Chief Operating Officer, Gigamon,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...