IE 8, Firefox and Safari all need to keep boosting security, even though hackers are concentrating on Web applications
Web browsers remain a target for security exploits by hackers. A report from Cenzic together with the recent Pwn2Own hacking contest at CanSecWest, highlights the need to keep boosting browser security.
From Microsoft’s Internet Explorer 8 to Apple Safari, popular Internet browsers took a public beating the week of 16 March. Even as hackers continue to focus most of their attention on Web applications, exploits targeting the browser always make juicy tidbits for black hats.
In Cenzic’s Web Application Security Trends Report, (PDF) released 18 March, the vulnerability assessment and risk management software company found that there was 7% increase in the number of browser vulnerabilities in the second half of 2008. Microsoft Internet Explorer accounted for 43% of that total, with Mozilla Firefox following closely with 39%. Apple Safari and Opera Software’s Opera browser accounted for 10% and 8%, respectively.
Then there was the Pwn2Own contest. Hosted by TippingPoint, the annual hacking event at CanSecWest this year saw security on IE, Safari and Firefox all go down for the count.
With all this as a backdrop, it should be noted that browser security in general is improving, some researchers said. The past few years have seen an increasing amount of security built into browsers, ranging from IE 8’s cross-site scripting filter to the sandboxing in Google Chrome, which Charlie Miller, one of the prize winners at the 2009 Pwn2Own event, said limits the amount of damage that can be done.
“Most vendors have become [resigned] to the fact that bugs will always exist,” said Miller, an analyst with Independent Security Evaluators. “That means what is left is making it impossible to exploit the vulnerabilities and do malicious acts. So sandboxing is another hurdle the bad guy will have to get through.”
Anti-phishing features in the major browsers have also helped make them more secure. But that can be augmented with whitelisting services, Gartner analyst John Pescatore said.
“[In addition,] businesses really, really, really need a way to tell if a human is operating the browser, or is this connection coming from a spider or botnet client or screen-scraper,” Pescatore said. “The browser guys could work with the Web app server—Microsoft and Apache … to come up with some way of the browser declaring ‘a local keyboard is operating me’ would be a huge help [in] fighting automated fraud.”
Still, efforts to authenticate active code such as IE’s Authenticode, wean users off using cookies to remember user names and passwords, or detect pass-through attacks such as buffer overflows have not met with broad success, said Eric Ogren, principal analyst with The Ogren Group. The fundamental problem is the standard usability versus security argument.
“Browsers have to serve so many needs that their attack surfaces are exceptionally difficult to secure,” Ogren said. “The biggest problem is that classic security techniques constrain the user experience to the point where the browser will not be used.”