At the Hacker Halted conference in Atlanta, security researchers Xiaoran Wang and Angelo Prado demonstrated on Thursday some weaknesses in the major browsers in use today, including Chrome and Internet Explorer. The conference, which was organized by the EC-Council Foundation, included two days of presentations from dozens of security experts.
Wang and Prado's presentation featured demonstrations of a number of different tactics hackers could use to compromise victims. Perhaps the most problematic of the methods they discussed involved abusing the data URI scheme, which offers a way to include data in-line in a webpage as if it were an external resource. Because the content travels inside the page itself, elements that would normally be fetched with separate HTTP requests need no additional requests at all.
While this has its advantages, Wang told the audience that it could also be used to infect users.
"We can basically do a whole HTML page embedded in this redirect page of the data URI, and it will look exactly like the page it was before." - Xiaoran Wang
"I would say using data URI plus the HTML5 'download' feature to create ghost malware is both the easiest and most damaging [tactic demonstrated], because that will drop malware to the user's computer automatically and there is no way to trace back where the malware is hosted," Wang explained after the presentation. "This is especially damaging for enterprises who try to block malicious URLs and domains, but it's pretty much impossible for them to do that because the ghost malware is hosted nowhere. This would be true for forensic investigation as well, where it is very hard to trace back the original source of the malware distribution."
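The mechanism Wang describes, as an added illustration that is not the researchers' code: a file wrapped in a base64 data: URI, placed in an anchor carrying the HTML5 download attribute, is dropped by the browser without any server ever hosting it, so a URL or domain blocklist has nothing to match. The block below builds such a link from harmless placeholder text, then shows the two things a defender can still do: scan page markup for the data:-plus-download combination, and decode the URI to recover the embedded bytes. Everything here is constructed for the example: the payload is placeholder text, example.invalid is a reserved hostname, and the scanner is a hypothetical page check, not a browser feature.

```javascript
// Added example, not code from the Hacker Halted talk. It shows why a
// data: URI combined with the HTML5 download attribute leaves nothing
// for a URL blocklist to catch, and how a page scanner can flag it.
// The "payload" is harmless placeholder text standing in for a file.

// Constructed stand-in for the bytes an attacker would want to drop.
const SAMPLE_PAYLOAD = "placeholder bytes standing in for a dropped file";

// Wrap arbitrary bytes in a base64 data: URI (RFC 2397). The file is
// carried inside the link itself; no server ever hosts it.
function buildDataUri(mimeType, text) {
  const b64 = Buffer.from(text, "utf8").toString("base64");
  return `data:${mimeType};base64,${b64}`;
}

// Split a data: URI into media type, encoding flag and decoded payload.
// Shape: data:[<mediatype>][;base64],<data>
function parseDataUri(uri) {
  const m = /^data:([^,]*?)(;base64)?,(.*)$/s.exec(uri.trim());
  if (!m) return null;
  const isBase64 = Boolean(m[2]);
  return {
    mediaType: m[1] || "text/plain;charset=US-ASCII",
    isBase64,
    payload: isBase64
      ? Buffer.from(m[3], "base64")
      : Buffer.from(decodeURIComponent(m[3]), "utf8"),
  };
}

// Minimal attribute tokenizer for one start tag's attribute text.
// Returns lower-cased names; valueless attributes map to "".
function parseAttrs(attrText) {
  const attrRe = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const attrs = {};
  let m;
  while ((m = attrRe.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Find anchors that combine a data: href with the download attribute:
// a link that drops a file without any hosting origin to block or trace.
function findGhostDownloads(html) {
  const anchorRe = /<a\b([^>]*)>/gi;
  const hits = [];
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    const href = (attrs.href || "").trim();
    if (/^data:/i.test(href) && "download" in attrs) {
      hits.push({ href, filename: attrs.download || null });
    }
  }
  return hits;
}

// Constructed sample page: one ordinary hosted download, one ghost
// download, and one inline data: page without the download attribute.
const SAMPLE_HTML = `
<p>Constructed sample, not real malware.</p>
<a href="https://example.invalid/report.pdf" download="report.pdf">hosted file</a>
<a href="${buildDataUri("application/octet-stream", SAMPLE_PAYLOAD)}"
   download="invoice.exe">ghost file</a>
<a href="data:text/html,%3Ch1%3Ehi%3C%2Fh1%3E">inline page</a>
`;

// Usage: list the ghost downloads and recover the embedded bytes from
// the URI alone, which is all a forensic analyst would have.
for (const hit of findGhostDownloads(SAMPLE_HTML)) {
  const parsed = parseDataUri(hit.href);
  console.log(hit.filename, parsed.mediaType, parsed.payload.toString("utf8"));
}
```

Only the second anchor is reported: the hosted download has a real URL a proxy could block, and the inline page has no download attribute, so nothing is written to disk. For the ghost download, the proxy never sees a request because the file is the href, so detection has to look at page content or at the browser's own download events, and attribution stops at whichever page delivered the link. Browsers honor the download attribute for same-origin, data: and blob: URLs, which is why data: URIs are a natural carrier for this pattern.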
Another serious issue they revealed involved multiple methods of bypassing the cross-site scripting filter in the Internet Explorer and Chrome browsers.
"At a high-level basically we found a couple different ways in different contexts by which you can inject a malicious payload with Google Chrome as well as Internet Explorer," explained Prado after the conference. "Literally at that point you can inject malicious JavaScript."
The researchers, who both work for Salesforce, also demonstrated history-stealing attacks, how to take advantage of HTML5's "drag and drop" feature and other tactics. These tactics are not exploits per se, but they are issues that can be chained together as part of an attack, Prado said.
None of the vulnerabilities are zero-days, Wang explained after the presentation, because they are all design-level flaws as opposed to specific vulnerabilities that would lead to a direct attack on the user automatically. All of the weaknesses, he added, are basically about deception - while users expect one thing, the browser delivers another.
"That's where the weaknesses come from, and that's where we would like to remind browser vendors to design features that are always up to users' expectations, and protect users from everything malicious on the Internet as a last defense," he told Infosecurity Magazine.