Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

9/27/2011
04:40 PM
50%
50%

Outdated Browsers Leave Many Enterprises Vulnerable To Attack

Despite efforts to get users to update browsers, the search for better security only begins with a patch

Starting this month, a host of popular Web sites will warn users who are surfing the Web on outdated browsers. The effort, spearheaded by the Online Trust Alliance, aims to move the low-hanging fruit of easy-to-attack legacy browsers a little bit higher.

To protect against attacks, companies need to deploy a wide range of defensive strategies, and an efficient patching cycle is a good first step. Many companies fail to use up-to-date browsers for fear of breaking compatibility with a critical enterprise application. Currently, Internet Explorer 6 -- an easy target for attackers -- is still used by nearly 10 percent of Web visitors, a greater proportion of visitors than those who use the latest, most secure Microsoft browser, Internet Explorer 9, according to NetMarketShare.

"Clearly, businesses need to move off of IE 6 and IE7," says Craig Spiezle, president and executive director of the Online Trust Alliance. "And they need to move off as quickly as possible because the browser is the first line of defense."

The OTA initiative, dubbed "Why Your Browser Matters," aims to increase the visibility of out-of-date browsers in an attempt to get more people and organizations to upgrade to the latest, and ostensibly the most secure, versions.

Dealing with the patching issue will not be easy, says Rik Ferguson, director of security research for Trend Micro. Many companies do not have a good patching process in place and are concerned that updating will break tenuous IT connections.

While the OTA initiative is a good first step, experts managing vulnerable browsers only starts with a patch. Attackers are more often exploiting flawed plug-ins, not just the browser software. Adobe Reader and Flash, Oracle's Java, and other browser enhancements have become prime targets for malicious code, Ferguson says.

"Many attacks come through the browser -- but it is not just because the browser it is out of date. It is because the plug-ins are out of date," he says.

Businesses hoping to protect their users need to move beyond just patching the browsers and deploy defense in-depth, experts say. Unpatched plug-ins and attacks for which there is no patch are still common problems.

An attack on Pacific Northwest National Laboratories is a case in point. An attacker compromised PNNL's public-facing Web site, installing a zero-day exploit for Adobe Flash and compromising not only visitors, but also employees visiting the site. Having an up-to-date browser would not have helped, says Jerry Johnson, chief information officer for PNNL.

"By and large, we are running up-to-date browsers," Johnson says. "Our basic philosophy is that you are going to get hacked, so it is important that you can detect and contain."

The lesson that Johnson took from the attack is that the browser has to be separated from other parts of the operating system and sandboxed. Unfortunately, while browser makers are moving toward sandboxing the software, the plug-ins are not usually contained, he says.

Overall, browsers dramatically increase the attack surface area of a company's information systems, says Anup Ghosh, chief scientist with software security firm Invincea.

"It is not just the browser, but the browser and all the plug-ins and extensions that a company puts on the systems, along with all the operating systems libraries that the browser calls -- that becomes your total attack surface area," Ghosh says. "It is impossible to write a secure browser."

Isolating the browser from the rest of the operating system can mitigate risk, Ghosh states. VMWare's free Player is an example of a product that cordons off the Internet from the rest of the operating system by isolating the browser in a virtual machine. Invincea's own product, Browser Protection, uses a similar technique to start a browser from a clean state each time the user runs the software, preventing malicious code from breaking out. In addition, the software instruments the virtualized instance to detect possible attacks.

However a company decides to add defenses, moving beyond patching is important, says Ghosh.

"By the time you get the patch, the adversaries have typically had one month to exploit it," he says. "Patching is good hygiene, but it is not security."

Have a comment on this story? Please click "Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This gives a new meaning to blind leading the blind.
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21441
PUBLISHED: 2021-06-16
There is a XSS vulnerability in the ticket overview screens. It's possible to collect various information by having an e-mail shown in the overview screen. Attack can be performed by sending specially crafted e-mail to the system and it doesn't require any user intraction. This issue affects: OTRS A...
CVE-2020-9493
PUBLISHED: 2021-06-16
A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.
CVE-2021-28815
PUBLISHED: 2021-06-16
Insecure storage of sensitive information has been reported to affect QNAP NAS running myQNAPcloud Link. If exploited, this vulnerability allows remote attackers to read sensitive information by accessing the unrestricted storage mechanism. This issue affects: QNAP Systems Inc. myQNAPcloud Link vers...
CVE-2021-3535
PUBLISHED: 2021-06-16
Rapid7 Nexpose is vulnerable to a non-persistent cross-site scripting vulnerability affecting the Security Console's Filtered Asset Search feature. A specific search criterion and operator combination in Filtered Asset Search could have allowed a user to pass code through the provided search field. ...
CVE-2021-32685
PUBLISHED: 2021-06-16
tEnvoy contains the PGP, NaCl, and PBKDF2 in node.js and the browser (hashing, random, encryption, decryption, signatures, conversions), used by TogaTech.org. In versions prior to 7.0.3, the `verifyWithMessage` method of `tEnvoyNaClSigningKey` always returns `true` for any signature that has a SHA-5...