Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

11:50 AM
Connect Directly

Browser Exploits Increasingly Go For The Jugular

Black Hat USA panel to discuss browser attacks, which now go from browser userland to root privileges in no time flat.

Long the bane of the security industry, browser exploits just keep getting more dangerous as techniques grow more refined to get the most leverage from browser and browser extension flaws. According to speakers lined up for a lively panel session at Black Hat USA this week, achieving the highest levels of system privileges from a simple browser vulnerability has pretty much become de rigueur for attacks these days.

In a run-down of the exploits that took prizes in this year's Pwn2Own competition, members of the Zero Day Initiative (ZDI) program at Trend Micro are going to offer a number of observations about the techniques and methods behind this year's winning attacks. Among them is the key takeaway that attacks these days are going to increasingly go for the jugular -- namely achieving root privileges on the machine.

According to Matt Molinyawe, a vulnerability analyst and exploit developer for ZDI, this was the first time in Pwn2Own that every single winning submission in the competition was able to execute code to the highest privilege possible. That's across a pool of researchers who won a total of $460,000 for 21 discovered flaws.

"In previous contests, having a userland vulnerability, achieve code execution, and then escalating to the highest privileged user was a very, very rare thing," says Molinyawe, who will speak on the the Black Hat panel called $hell on Earth: From Browser to System Compromise.

While there were some browser exploits that escalated to from browser to root rather quickly, including one in OSX that manipulated a sudo command, Molinyawe and his colleagues say that improvements in browser security over the last few years is making researchers--and, consequently, attackers--work harder to develop browser exploits. Whereas many Pwn2Own submissions were often found over the course of a weekend, researchers now need to spend significantly more time perfecting their attacks.

"There’s multiple bugs now that have to be utilized in order to get these levels of execution. Back in the day, you could drop a font bug on somebody that’s through the browser and all of a sudden you're in the kernel. Nowadays, there’s multiple stages and multiple exploits occurring just to achieve the same level of execution," says Josh Smith, a senior vulnerability researcher for ZDI, also speaking on the Black Hat panel. "It shows that things are getting harder and that a lot of these defenses are having an impact."

However, the way attack techniques have shifted shows that while effective, certain defense mechanisms can't be counted on as final solutions to the browser problem. For example, now that many sandbox protections for browsers have improved, the competition no longer sees easy sandbox escapes and vulnerabilities playing a hand in browser attack scenarios--instead, researchers have shifted their sights to kernel vulnerabilities. 

"It seemed like the sandbox, which is a great innovation, hasn’t necessarily slowed that many people down--it is almost just a speed bump in reality. They've moved on to other attack surfaces—for instance, the portions of the kernel that they can reach from within the sandbox, But they have not had a problem making that pivot, if that pivot was necessary," Smith says.

The point is to always remember that "attackers will ultimately go for the weakest link," says Jasiel Spellman, vulnerability analyst and exploit developer for ZDI. They key for security ops is to remember that they need to take a well-rounded approach rather than looking for silver bullets.


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/27/2020
The Problem with Artificial Intelligence in Security
Dr. Leila Powell, Lead Security Data Scientist, Panaseer,  5/26/2020
How an Industry Consortium Can Reinvent Security Solution Testing
Henry Harrison, Co-founder & Chief Technology Officer, Garrison,  5/21/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-05-27
Sympa before 6.2.56 allows privilege escalation.
PUBLISHED: 2020-05-27
Improper Access Control in the Kiosk Mode functionality of Bosch Recording Station allows a local unauthenticated attacker to escape from the Kiosk Mode and access the underlying operating system.
PUBLISHED: 2020-05-27
Fork before 5.8.3 allows XSS via navigation_title or title.
PUBLISHED: 2020-05-27
Centreon before 19.10.7 exposes Session IDs in server responses.
PUBLISHED: 2020-05-27
Cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via the page parameter to service-monitoring/src/index.php. This vulnerability is fixed in versions 1.6.4, 18.10.3, 19.04.3, and 19.0.1 of the Centreon host-monitoring widget; 1.6.4, 18.10.5, 19.0...