The potential number of yet to be discovered programming mistakes that can be exploited by attackers is at least one or two orders of magnitude greater than previously thought. There’s no end in sight to the relentless onslaught of critical vulnerabilities and security patches for web browser users. Worse yet, the vast majority of computers are ill-prepared for the malware attacks that exploit them.

The potential vulnerabilities reside not just in the individual web browsers, their plug-ins, and their supporting library software components but also in the interoperability or communications amongst them. Security penetration/stress testing and cyber crime exploits have historically focused on the individual components.

Browser Plug-Ins Expose Underlying Library Components to Attack

A web browser plug-in, which extends the capabilities of web browsers to offer an enhanced experience/service to users, accepts as input from web servers not just data but software objects too. Web browsers rely on the individual plug-in to determine if the input is valid or not. Consequently, the web browser does not prevent the passing of malicious content from the web server (or a local attacker pretending to be a web server) to the plug-in to a library component/object, supporting the web browser.

Exchanges between plug-ins and the Internet are only part of this problem. Web browsers and plug-ins utilize library components/objects, which are available to make life easier for programmers and to ultimately provide a richer experience for end-users. Internet Explorer leverages ActiveX, for example, which is based on the Active Template Library (ATL). Likewise, Mozilla Firefox, and others, leverages the Netscape Plug-in API (NPAPI) libraries. There are hundreds of these library components provided by the respective vendors as well as 3rd parties.

The concern here is that an attacker can take advantage of the weak controls of any web browser plug-in to target a vulnerability in ANY of the hundreds of library components, not just those on the ‘front lines’, not just those typically associated with a particular plug-in, not just the popular libraries, not just those made by the browser vendor. All libraries, including 3rd party ones, must be mistake free if web browsing is to be vulnerability free. To Microsoft’s credit, it has been aggressively patching its ActiveX components in the ATL (library) in response to this risk. However, the 3rd party library components have not been.

Further, successful exploits of library component vulnerabilities can provide direct operating system access, such as adding, deleting, or modifying files, as well as upload or download files. Today’s malware downloads code to modify mp3, PowerPoint, Excel, and other files on the infected computer to infect other computers that may eventually receive them. Similarly, malware often places attack code on all USB devices plugged into its host.

Browser Plug-ins Can be Attacked via Other Plug-ins

As with the libraries, web browsers provide little regulation as to what may pass from one plug-in to another. Thus, a vulnerability in say an Adobe Flash plug-in could be attacked via a seemingly innocuous 3rd party plug-in, fooling what few security controls exist today.

Web Browser Improvements are Underway, But Far from Complete

Ideally, web browser vendors would require all plug-ins to specify what type of objects and data they utilize so that the web browser could ensure that no other kind of data or object may be exchanged. Also, they ought to provide greater integrity checks on plug-ins as well as place more restrictions on plug-in-to-plug-in exchanges. And while we’re raising ideals, the numerous library components supporting web browsers MUST all be mistake free and employ data/object type restrictions. Some refinements have been made and more are coming. Their work will not finish soon.

Over 90% of Computers are NOT Protected from Attacks Exploiting Web Browser Interoperability Flaws

So, for years to come, any page rendered by a web browser may unleash a silent attack that exploits one of these types of vulnerabilities. Remember, tens of thousands of legitimate websites were compromised per month this past summer so as to unleash attacks on computer web browsers. The malware thrown at the victims is generally less than a day old, often less than 10 minutes old. Consequently, the anti-virus/spyware security software that users believe protects them from attacks is nearly useless, because, at best, new signatures take weeks to create after their release into the wild.

Computer Protection from Exploit Attacks on Web Browser, Plug-in, and Library Component Vulnerabilities

Blue Ridge offers three products and a managed security service that protect computers from these risks.

AppGuard
AppGuard Enterprise
EdgeGuard
Managed EdgeGuard

They employ what we call AppGuard Technology, which takes a far different approach to computer protection from the decades old technology failing to protect most computers today. Please read our white paper on how AppGuard Technology protects computers.

Related Articles

Forrester Predicts SMB Surge in HIPS Software Trials

Your Software Applications Cannot be Trusted

Signature Based AntiVirus Technologies vs Malware Detection with a Coin Toss

Attackers Exploiting Internet Explorer Video ActiveX Windows XP Users Everywhere

Cybercriminals Robbing Social Network Users

(Beladen) Legitimate Websites Unknowingly Attacking PCs

Posted: Friday, September 11th, 2009 - Endpoint Security
RSS 2.0 - Comment - Trackback