Browsers make Bill Gates angry. “Any browser without an operating system is going to be f***ing out of business”, he was quoted as saying in a Time article. He was right. The browser is probably the most important category of desktop software to most users, but it’s also proving to be just as important to online attackers. So, what are browser vendors doing about that?
Back in the old days, when viruses first began appearing, compromising a computer was generally done in a standard way: the malware would replicate itself to the boot record of a disc, which would then infect any other machine it touched. Then, infection techniques spread to Microsoft Word macros, then email distribution.
"Some other vendors, unfortunately, will only disclose the issues reported by external independent parties, omitting those found by internal developers, QA or security contractors" |
Jonathan Nightingale, Mozilla |
These days, though, by far the most popular technique for distributing malware is via malicious or hacked websites. These sites use JavaScript to manipulate web browsers, which can in turn be used to compromise a machine. The browsers represent a window into your machine through which the blackhat can climb.
Kings of the Mountain
Internet Explorer still tops the browser charts, according to Global Statcounter, which measures browser market share online, but it has fallen over the past year. In January 2009, it was at 65.4%. A year later, only 55.3% of people are using Internet Explorer.
Mozilla’s open source Firefox browser has by far the greatest number of security flaws, according to managed security company Secunia. Its 2008 report, released last May, said that Firefox suffered 115 security flaws during that year – 44% of those were experienced by the four big browsers: Internet Explorer, Safari, Firefox, and Opera.
Jonathan Nightingale, manager of the Firefox front-end features team at Mozilla, argues that this is an unfair comparison. “Mozilla discloses and releases bulletins for every security issue fixed in Firefox, regardless of how they were discovered. Some other vendors, unfortunately, will only disclose the issues reported by external independent parties, omitting those found by internal developers, QA or security contractors”, he explains. “This sort of reporting only encourages companies to hide as many security issues and fixes as possible, which moves the state of security backwards.”
"It’s a balancing act between educating the user, and better software" |
Martin Lindner, Carnegie-Mellon |
One browser not included in the Secunia report that will hopefully make it into the next one this spring is Google’s Chrome. Launched in September 2008, the browser took a markedly different architectural approach than its competition. Google gave each browser process its own thread, and created a sandbox for each process, so that it couldn’t touch native resources such as folders on your hard drive, or executable programs.
“This is an approach that Mozilla is investigating”, Nightingale says. “[We] will release a version of Firefox early this year in which some browser plug-ins will run in their own processes.”
The Soft Underbelly of Plug-ins
Plug-ins are really where the action is when it comes to browser security. “Exploiting the browser is not the most feasible way to compromise the system”, says Thomas Kristensen, CSO of Secunia. “It is much more feasible to write an exploit for Flash, Adobe Reader, an Active X control, or any other application that people are running”.
“True plug-ins are any software deployed by the server to the client that extend the functionality of the browser”, explains Martin Lindner, principal engineer at Carnegie-Mellon’s CERT computer security operation. “It runs in the context that the browser is running in on the PC.”
"We did experiment with sandboxing plug-ins and we have a flag you can set that sandboxes them, but it caused a lot of compatibility problems" |
Brian Rakowski, Google |
The reason that these plug-ins are such a critical attack vector is because they often have unfettered access to system resources. In many cases, they will run at a higher privilege level than the browser itself. Java, Flash, QuickTime, and Firefox extensions are all types of plug-ins that experience security vulnerabilities, but by far the most exploited is Microsoft’s ActiveX. Secunia found 366 ActiveX vulnerabilities in 2008 – 78% of all plug-in vulnerabilities.
Even Google hasn’t solved this particular problem with Chrome, admits Brian Rakowski, Google’s director of product management for Chrome. Plug-ins cannot be sandboxed in the same way as the rendering engine and other browser processes can. “We did experiment with sandboxing them, and we have a flag you can set that sandboxes them, but it caused a lot of compatibility problems”, he says. “We are still exploring ways to do that, and trying to work with plug-in manufacturers.”
Popular plug-ins can be a useful attack vector for online criminals who want to infect as many machines as possible. This is probably why Adobe has seen so many zero-day attacks on vulnerabilities in its Adobe Flash Player and Adobe Reader plug-ins. However, Lindner indicates that malicious sites can also install their own plug-ins, tailored to infect a system. It is possible to force a browser to install a plug-in using JavaScript.
"It is much more feasible to write an exploit for Flash, Adobe Reader, an Active X control, or any other application that people are running" |
Thomas Kristensen, Secunia |
Generally, browsers will ask if a user wants to continue with a plug-in installation, but as Lindner points out, many malicious sites use social engineering to trick the user into installing malware. One popular ruse is to offer a video clip, but force the user to download a codec (which is, of course, a trojan) in order to view it.
“It’s a balancing act between educating the user, and better software”, says Lindner.
Safety First
So, how can we educate users to make them more aware of what they are doing online? This is where the safety features in browsers make an appearance. Many browsers now have built-in technology that links back to online services providing a constantly updated blacklist of URLs, for example.
Jeff Williams, principal group program manager at Microsoft’s Malware Protection Center, is quick to outline some of the features in version 8 of Internet Explorer that can help to protect users.
“Advances include a Protected Mode, which helps prevent hackers from taking over a user’s browser and executing code; a new Fix My Settings feature; the Microsoft Phishing Filter, which helps users browse more safely by advising them about suspicious or known phishing websites; and support for Extended Validation SSL Certificates that provides users with verified identity information (green bar) for websites”, he advises.
Extended Validation SSL is a version of traditional SSL certificates that requires more stringent investigation of the person or organization applying for it. Browsers that support this technology can provide more information about the certificate, and some, such as Internet Explorer, feature an address bar that turns green when a website has an EV certificate.
"Advances include a Protected Mode which helps prevent hackers from taking over a user’s browser and executing code" |
Jeff Wiliams, Microsoft |
Google also offers its safe browsing API, which it provides free to everyone and is, of course, included in Chrome. This service compresses and downloads the list of dangerous URLs to clients using the API, which Rakowski says provides additional security for users.
Increasing Security Through Education
The problem is that users are inherently uneducated, and often don’t seem to learn the most rudimentary lessons. A study produced three years ago by researchers at Harvard University and MIT delivered some disappointing findings. Sixty-seven users of a single bank were asked to perform a set of tasks on the bank’s online site. The sessions were rigged to provide an increasingly obvious set of signs that all was not well with the session. The HTTP security key was deliberately broken, site authentication images were removed, and a browser warning page said that there was a problem with its security certificate. Even after all these clues, more than half of the participants carried on with their session.
Even though the test was conducted too long ago to have taken anti-phishing browser bars into account, it still doesn’t bode well for users’ ability to take notice of visual cues. That said, another test carried out by usability research firm Tec-Ed took 384 users through both EV-enabled and non-EV-enabled fictitious shopping sites to test their awareness and acceptance of the technology.
The Tec-Ed results were a little more encouraging, but not much. For example, whereas 99% of users said they would be ‘most likely’ or ‘somewhat likely’ to enter their name and address information on an EV-enabled site, only 78% said they would be ‘most likely’ or ‘somewhat likely’ to do so on a site without an EV-enabled browsing bar. That’s a significant difference, but it still leaves almost eight in ten people not particularly affected by visual cues in the browser.
While the browser community continues to try and educate users about what green bars, SSL lock icons, and anti-phishing warnings actually mean, there are other challenges on the horizon. In particular, smart phones and mobile browsers will undoubtedly be a target for hackers in the future. Dag Olav Norem, VP of products for mobile and internet devices at Opera, argues that it is not a problem right now, however.
“The advantage of mobile is that it’s a much more complex environment”, he says. “Just as it’s difficult to write applications for mobile phones, because the operating systems are so fragmented, and they don’t have access to the same APIs, it’s difficult to write malware for mobile platforms.”
But how much of this comes down to a lack of interest on the part of malware writers? Until recently, the number of smart phones in the world was still relatively small, but the signs indicate their numbers are quickly growing. Market research company Telecom Trends International has predicted that the number of globally sold smart phones will outpace less sophisticated phones by 2015.
"Just as it’s difficult to write applications for mobile phones, because the operating systems are so fragmented, and they don’t have access to the same APIs, it’s difficult to write malware for mobile platforms" |
Dag Olav Norem |
Opera already offers Opera Mini, a version of its browser that operates on a server instead of on the client. It takes web content and renders it into a proprietary protocol before delivering it to a thin client on the mobile phone. Although this is a good way to minimize the threat to the phone user, it also restricts functionality. Flash movies, for example, will not play.
Internet Explorer may still be tops in the battle of the browsers, but other platforms are gaining more credence, and more market share. Thankfully, all of the popular browsers – including Safari, Opera, and Firefox – support extended validation, alongside other key safety features. The main challenge now is managing the security of plug-ins – and with browsers all relying on an extended community of plug-in developers, that may not be a challenge that we will see solved any time soon.