What Everyone Should Know About Browser Vulnerability
In 2014, French security firm VUPEN netted a whopping $400, 000 in the HP Tipping Point’s Zero Day Initiative as annual hacking contest hosted by Pwn2Own. As the name would suggest, the aim for participants was to reveal zero day vulnerabilities to win outrageous cash rewards.
Here is a breakup of how this popular security firm earned money in the contest.
- Code execution through bypassing IE Sandbox for Adobe Flash = $75, 000
- PDF Sandbox escape and heap overflow for code execution against Adobe Reader= $75, 000
- “A use-after-free causing object confusion in the broker, resulting in Sandbox bypass” to cripple the Internet Explorer= $100, 000
- Code execution in Google Chrome through Webkit and Blink= $100, 000
- Code execution in Firefox using unknown vulnerability= $50,000
Irrespective of the standard you measure it in; this is huge money, even for a firm of VUPEN’s stature. This contest actually resonates with the security experts’ calls about browser vulnerabilities getting difficult to locate, eating up a large chunk of research resources.
The Basics
An analogical explanation of browsers would be something like a virtual gateway, which helps users make most out of their internet experience. They help them connect with everything else on the network. Now just like any other chunk of code, browsers are also vulnerable to maliciously written codes that find loopholes in the developer’s architecture. As matter of fact, cybercriminals are constantly looking for browser vulnerabilities. In 2013 alone, 727 vulnerabilities (as compared to 893 in 2012) were discovered in 5 of the most popular browsers including Mozilla Firefox, Google Chrome, and Microsoft Internet Explorer. Although browser developers introduce patches quite frequently, the situation is still troublesome for many organizations around the world.
- 266 vulnerabilities were found in IE as opposed to 292 in Chrome.
- Firefox had 224 flaws against 125 in Safari and 25 in Opera.
- Opera might seem secure, but with 1% market share it’s possibly not being targeted.
- Google Chrome releases security updates in an average of 15 days.
- This figure is 30 and 28 for IE and Firefox respectively.
- IE still holds 58.19% market share.
- In a five-year trend, the attacks have increased by roughly 47%.
- According to Kaspersky one out of every three PCs was targeted while surfing online in 2012.
The Risks
The sophisticated piece of code makes changes to homepage, favorite pages, and even search pages. Some of them even change the internet settings and block certain features or access privileges. Redirection is also common.
Now given the nature of these symptoms, most people do not really look into the underlying cause and that’s where they get dangerous. POODLE or the Padding Oracle on Downgraded Legacy Encryption has been the worst of all attacks in the past. This particular bug is also known as CVE-2014-3566 and it compromises protocol security level, which can be further used to penetrate SSL or Secured Socket Layer. It is something that most of us blindly trust as security assurance.
Bulletproof Browser
There are a dozen different options freely available to users, but which one of these is absolutely bulletproof against every kind of attack? Well, according to Skybox Security, there is no single answer to that question. Every browser has its own merits and demerits. Picking one is impossible. However, most security experts and users agree that IE has got the most critical security issues and is years behind others.
As for the other browsers, none of them can guarantee safety and that is where awareness comes into play. Following are few of the tips that help with browser safety.
- Firewall should be an integral part of the system. It protects against several external attacks. Organizations should invest in Web Application Firewall options.
- Keep the software updated with patches, especially the browsers.
- Install plug-ins from reputable sources only.
- Disable Active-X is not required.
- Configure browser security and privacy settings frequently.
- Try security plug-ins.
- Sign-up for news and alerts on the topic.
Organizations vs. Individuals View
For individual users, risks are usually limited to their own data and money, but on the other hand organizations face huge risks like defacement and data theft through browser vulnerability, which increases the need to counter measures.
Organizations or website owners should utilize strong security audit programs, both automated and manual for enhanced security. This will ensure their safety even against client browser vulnerability like the JPEG buffer overflow experienced in the past using Internet Explorer. This vulnerability was exploited crafting a JPEG image with invalid header to target payload against XSSissues