Strong Security from the Enterprise to the Edge

Security Now Blog: Addressing Today's Information Security Issues

Two Web Browsers can be More Secure than One

by Eirik Iverson, Product Management

The current generation of web browsers has serious structural flaws that pose disturbing security risks. Sensitive information can be disclosed, credentials/passwords stolen, fraudulent bank transfers conducted, and far more. The enterprise and consumers can profoundly mitigate these risks without need of a security software product. However, risks related to these do in fact require immediate action.

Security Within the Web Browser is Unacceptably Porous

If a web browser is connected to a malicious web server while connected to other web servers, that malicious web server can steal data from or inject data into those other exchanges, whether they are in the same or a different tab or window. Consider that a typical web page viewed in a web browser is often connected to a dozen or more web servers. Website owners cannot possibly guarantee that none of the other web servers are malicious. With the advent of tabbed browsing, a wonderful convenience I utilize every day, an end-user accessing your enterprise resource planning (ERP) system or some other critical asset will likely be connected to other public web servers as well.

Until web browsers implement internal session authorization controls, I use two web browsers. I use one for general purpose browsing and the other for sensitive matters. I also try to refrain from accessing two or more ‘sensitive’ web servers simultaneously with that web browser.

In this post, I won’t get into web browser settings that reduce risk. However, I would say that one can configure the ‘sensitive’ browser to visit only known, trusted sites. This doesn’t prevent end-users from using the other web browser for ‘sensitive’ matters, however. One might configure critical corporate web servers to refuse all web browsers but one kind. Sophisticated end-users can readily spoof this. Fortunately, they are the ones that can better appreciate the rationale for such a restriction.
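The single-browser restriction described above, sketched as WSGI middleware; this is an added example, not code from the original post, and `SingleBrowserGate`, `erp_app`, `status_for` and the sample headers are hypothetical. It matches only the browser family the User-Agent header claims, a value any client can set, so it serves as a policy nudge and a logging point rather than as authentication.

```python
import re

# Most specific token first: Edge also sends "Chrome" and "Safari" tokens,
# and Chrome also sends "Safari", so naive substring checks misclassify them.
_FAMILY_RULES = [
    ("edge", re.compile(r"\bEdg(?:e|A|iOS)?/\d")),
    ("firefox", re.compile(r"\bFirefox/\d")),
    ("chrome", re.compile(r"\b(?:Chrome|CriOS)/\d")),
    ("safari", re.compile(r"\bVersion/\d[\d.]* .*Safari/\d")),
]

def classify(user_agent):
    """Return the browser family a User-Agent header claims, else 'unknown'."""
    for family, pattern in _FAMILY_RULES:
        if pattern.search(user_agent or ""):
            return family
    return "unknown"

class SingleBrowserGate:
    """WSGI middleware that refuses every claimed family except one."""
    def __init__(self, app, allowed_family):
        self.app, self.allowed, self.refused = app, allowed_family, []

    def __call__(self, environ, start_response):
        family = classify(environ.get("HTTP_USER_AGENT"))
        if family == self.allowed:
            return self.app(environ, start_response)
        # Record refusals: they show who still reaches the app with another browser.
        self.refused.append((environ.get("REMOTE_ADDR", "-"), family))
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"This application accepts only the designated browser.\n"]

def erp_app(environ, start_response):  # hypothetical protected application
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ERP\n"]

def status_for(gate, user_agent):
    # Drive the gate with a minimal constructed WSGI environ.
    environ = {"REQUEST_METHOD": "GET", "REMOTE_ADDR": "192.0.2.10"}
    if user_agent is not None:
        environ["HTTP_USER_AGENT"] = user_agent
    seen = []
    gate(environ, lambda status, headers: seen.append(status))
    return seen[0]

# Constructed sample headers (not taken from real traffic).
FIREFOX = "Mozilla/5.0 (Windows NT 10.0; rv:115.0) Gecko/20100101 Firefox/115.0"
CHROME = ("Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
EDGE = CHROME + " Edg/120.0.0.0"
```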

Enterprise SSL VPN administrators ought to question their vendor as to what mechanisms are available for locking their SSL VPN gateway to only one type of web browser, and perhaps even to employer-owned computers, if possible.

I hope the next generation of web browsers, such as Google Chrome and Microsoft Internet Explorer 8, which spawn separate processes per browser tab, makes a big difference. They must also deal with the colossal challenge posed by interoperability vulnerabilities among the web browser, its library objects, and its plug-ins. Meanwhile, two web browsers can be more secure than one.

Overall PC Security Risks from Web Browser Vulnerabilities (Zero-Day Exploit Attacks)

This approach mitigates risks from weak internal browser security. It does nothing to prevent malware from exploiting flaws in the web browser eco-system (browser, library objects, and plug-ins).  Cyber criminals conduct drive-by download attacks that ‘drop’ a temporary malicious application into user-space (any folder or hard drive where a user without local admin rights can write) to assess the PC, download the ideal permanent malicious software, and install it, without an end-user noticing anything.  Alternatively, if a drive-by download attack fails, they can coerce the web browser itself to implant the malicious software.  Either way, they can then steal, delete, or ransom anything of value on the targeted computer itself or interacting with it.

Anti-Virus/Spyware and Host Intrusion Prevention System (HIPS) Software Yield Weak Computer Protection

Whether dealing with internal web browser security or overall PC security due to web browsers, the vast majority of consumer and enterprise computers are NOT protected from today’s virus, worm, Trojan, and other zero-day attacks. It’s only a matter of time, and when it comes, only a small percentage of computer users will notice a change.

Most anti-virus/spyware computer security software relies on a signature-based technology developed over a decade ago. Recent lab tests by Cyveillance observed a detection rate of 29% in June 2009, down from 45% in July 2008. The reason for this is simple. Factoring in the time required to discover a new malware sample, vendors require about a month to distribute to their anti-virus/spyware agents a new signature that detects the NEW malware. As of mid-2009, roughly half of cyber criminals are using automated tools to alter their attack code every 48 hours to ensure no signature exists to detect their attack. As more of them use these tools, the effectiveness of anti-virus/spyware will drop even further.

HIPS products have long promised to stop the NEW malware.  However, they are so complex that they are either completely disabled or severely underutilized.  Anti-virus/spyware vendors striving to improve protection with the addition of heuristics, generic signatures, and other higher level forms of detection borrowed from HIPS products are guessing whether an inbound file or communication is good or bad.  Consequently, usability concerns pertaining to false-positives and uncertainties (i.e., user-prompts) require these newer features to be throttled down.  The cyber criminals continue to elude them with ever greater ease.

Recommended Solution from Blue Ridge

The internal web browser security issues are best dealt with by using separate web browsers, and by the vendors themselves re-engineering the web browser from the inside out. However, the web browsers themselves represent a clear and present danger to the computers and their users.

Blue Ridge offers three products and an enterprise managed security service that place web browsers and other at-risk applications ‘under guard’, preventing them from harming their host PC and user directly or indirectly (i.e., drive-by download attack). AppGuard counters these as well as USB malware risks for consumers and small businesses. AppGuard Enterprise does likewise for larger organizations that need robust, centralized management of computer protection. EdgeGuard and Managed EdgeGuard not only protect computers but also audit and control them. In short, audit provides administrators operational awareness over all computers located anywhere so they can identify and quantify their risks. The control enables them to implement security best practices including application control, security configuration management, third-party security software remediation, network access control (NAC) / network access protection (NAP), as well as customizable and remote posture assessment and configuration modifications.

Related Articles

Never Ending Vulnerabilities for Web Browsers

Businesses Not Protected from Malware-Caused Fraudulent Bank Transfers

Is a PC using a Limited User Account (LUA) Safe from Drive-by Download Attacks?

Enterprises at Risk from SSL VPN Security Vulnerabilities

Curbing 10 Costly Behavior Data Leak Problems

Employee Owned Computers are Data Leak Risks to Employers

Revised: 22 September 2009

6 Responses to “Two Web Browsers can be More Secure than One”

  1. A Single Spear Phishing Attack May Wipe-out a Small Business Says:

    [...] is why I strongly recommend that all computer users utilize two or more different web browsers, not separate web browser windows or tabs from the same web browser software, but use Internet [...]

  2. Disable Mozilla Firefox Auto-Update Until Further Notice Says:

    [...] This has implications far beyond Mozilla Firefox and I’ll explore this in another post. For now, remember or read my post on the merits of using multiple web browsers. [...]

  3. Beladen Using Legit Websites to Attack PCs Says:

    [...] escaping the confines of the web browsers and other at-risk software applications.  This means, computer users should use two or more different and separate web browsers to prevent data leaks (user ID and passwords) that can occur in today’s world of multi-tab [...]

  4. Stronger Security Breach Disclosure Laws Demand Robust PC Protection Says:

    [...] Two Web Browsers can be More Secure than One [...]

  5. Car Racing Games and More « WETONG Blog Says:

    [...] Minimize Information Disclosure Risks By Using Two Web Browsers [...]

  6. Production Planning Says:

    I can not imagine finding this information right on time, thank you.
