A patched browser - false feeling of security or a security utopia that actually exists?

A patched browser - false feeling of security or a security utopia that actually exists?

Summary: Kaspersky Lab's recently released "Global Web Browser Usage and Security Trends" report sparks several important questions from a security perspective.

SHARE:
TOPICS: Security
18

Kaspersky Lab's recently released "Global Web Browser Usage and Security Trends" report sparks several important questions from a security perspective:

  • Does the fact that (according to the study and third-party metrics services) Google's Chrome has the largest market share, make the Internet any safer?
  • Does it really matter if Chrome users get the latest updates delivered to them, in an attempt by Google Inc. to shorten the "window of opportunity" for a malicious attacker to take advantage of the security vulnerabilities that could be exploited in the old version of the browser?
  • Is Chrome the most secure browser on the market?
  • What's the current situational reality in respect to the most commonly used tactics by cybercriminals attempting to infect a targeted host, and is a version of a particular browser relevant to their practices?

Let's start from the basics.

Years ago, cybercriminals took advantage of the fact that, due to usability issues, browsers were basically shipped insecure by default in an attempt not to ruin the Web experience of the user. Back in the day, cybercriminals still relying on inefficient isolated exploitation attempts, could not achieve the "malicious economies of scale" evident across the entire cybercrime ecosystem in 2012, as far as client-side exploitation is concerned.

It all changed with the releases of the RootLauncher Kit, the WebAttacker Kit, MPack and IcePack, which revolutionized the systematic client-side exploitation of end points, shifting the attention of cybercriminals to the average Internet user still living in a "free adult content leads to viruses" world.

Although the shift towards client-side exploitation has been evident ever since the continues release of numerous Web malware exploitation kits throughout 2012, social engineering tactics continued to proliferate, potentially undermining the built-in security mechanism implemented in any browser. A socially engineered user will manually bypass any "security warning screen", or may even click further to get what he clicked for originally, even though he received a clear warning for the maliciousness of a site in question, through, for instance, Google's SafeBrowsing initiative. Which on the other hand mitigates a certain percentage of  the risk of getting exploited through client-side vulnerabilities, but as we've already seen in the latest version of the Black Hole Exploit Kit 2.0, cybercriminals are adapting to the process by cloaking the malicious content, and not displaying it to Google's crawlers.

Just how prevalent are social engineering driven attacks nowadays? According to Microsoft's Security Intelligence Report for 2011, the most popular malware propagation tactic is the one that requires user interaction. Although the report is emphasizing on the rather insignificant activity in client-side exploitation, it excludes the fact that over the past couple of years cybercriminals have been combining social engineering and client-side exploitation in an attempt to increase their visitor-to-malware-infected-victim rates.

Yet another important aspect of a browser's security that has the capability to bypass the built-in security mechanisms, are browser extensions. On numerous occasions we've seen successful campaigns relying on bogus browser extensions for Firefox and Chrome, which don't even attempt to exploit a particular browser specific vulnerability besides socially engineering the user. Although Google reacted to this trend in July 2012, social engineering attacks still remain possible. 

What are cybercriminals emphasizing on in 2012? Massive client-side exploitation, or social engineering driven malicious campaigns? Not surprisingly, on both. However, despite OS/Software specific Patch Tuesdays, cybercriminals don't tend to exploit zero day flaws, instead, they exploit outdated vulnerabilities in third-party applications and browser plugins, leaving a lot of users with fully patched browsers with a false feeling of security.

Are average Internet and corporate users actually patching their third-party applications and browser plugins in general? Not even close.

According to publicly obtainable data, patched vulnerabilities remain the primary exploitation vector for cybercriminals to take advantage of. During the time the data was gathered (2011), 37 percent of users browsing the Web with insecure Java versions and 56 percent of enterprise users using vulnerable Adobe Reader plugins, the majority of which were exploiting vulnerabilities in Adobe's products, followed by Sun's products.

Running Chrome due to its built-in secure by default sandboxing technologies, running Firefox due its compatibility with NoScript, running Internet Explorer due to is acclaimed invincibility to social engineering attacks, or running Opera or Safari due to their small market share making it -- theoretically and practically -- a less valuable target for cybercriminals to attack, only mitigates a certain percentage of the risk of getting infected with malware, and are only part of the Defense-in-Depth concept.

What do you think? Does a fully patched browser offer total security, or does it basically mitigate only a certain percentage of the risk? Which browser are you currently running? Is it the latest version? Do you feel secure with it, or is it giving you false feeling of security, and you know it? When was the last time you checked whether you're running the latest version of your browser plugins, and third-party software, or are you still obsessed with Patch Tuesdays as the corner stone of ensuring your security online?

TalkBack!

Find out more about Dancho Danchev at his LinkedIn profile.

Topic: Security

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

18 comments
Log in or register to join the discussion
  • Nothing's perfect, but that does not mean you give up.

    Nothing's perfect, but that does not mean you give up. It's widely recognized that security is a process, not a destination. Keeping your browser up to date is far better than letting it get out of date.

    I personally think it's entirely possible to become basically secure against non-targeted attacks. Follow some best practices, keep stuff up to date, etc. I personally have not seen an attack against my own personal systems, and I firmly believe it's because I pay attention to security.

    I don't think it's perfect, and I may see an attack someday, but it will be one time in many, many years if it happens.

    Software such as PSI and Ninite definitely help in this respect, as they allow me to keep things up to date that I'd normally have to manually check.
    CobraA1
  • No software is bullet-proof

    I keep ALL software as p-todate as possible, use good virus software, and an occasional sweep with a secondary one. Prefer FireFox/no-script/web of trust, Chromium/chrome, occassionaly use IE when needed. And I'm careful w/where I go, and what I do. I was last hit in '07, and I expect to get hit again, sometime. No system is immune. And we all screw up once in a while.
    Against that happening, all my machines are dual-boot, either linux/win. or multiple linux. Makes it a lot easier to download a fix, or run a sweep from the un-infected one. Same w/browsers. Always have at least 2 available.
    Weonly spend a small amount of time and money on protection. The Nasty B**t**ds spend a fair amont of money, and 40+ hr. a wk. at picking us off. It's their full-time job !!
    No matter how good you are, There is alway some-one a bit better, at least on a given day.
    Old Dog V
  • Excellent advice from the above comments

    I agree with the comments above, no system or software is perfect. I don’t believe that a fully patched browser offers total security but agree with the other commenters that it is far better than not patching it. What sites you visit, what search terms you enter into a search engine and how gullible you are to social engineering also play a large part in how vulnerable you are.
    I am using IE 10 Release Preview (Nov 2012) installed on Windows 7 64 bit SP1. I hope to upgrade to Windows 8 Pro 64 bit in the coming months. I have Enhanced Protected Mode of IE enabled, ActiveX filtering enabled and have a long list of Tracking Protection lists enabled. I also have Microsoft EMET v3.0 protecting IE 10. I am also browsing from within a limited user account. I spend 99% of my time in this account. It is extremely rare that I access my admin account. I simply use the UAC feature to allow admin access to installers of updates when necessary.

    The only browser add-ons I have installed are Adobe Flash Player 11.5.502.110 64 bit and Silverlight 5.1 64 bit. I only use these add-ons when I need to by letting them through the Enhanced Protected Mode and ActiveX filtering mode of IE 10 when I wish to view a video on a webpage or visit YouTube (the HTML 5 video of YouTube for me does not have audio, to get sound I need to enable Flash).

    I also have Google Chrome v24 (the Beta channel version) installed. I use this simply as an alternative browser should IE ever become corrupted or non-functional for some reason. It’s always good to have a backup. I have disabled all of the add-ons that I don’t use within Chrome and have not installed any additional add-ons in Chrome. I have automatic updates of Chrome enabled but also check manually once per day to ensure its update to date. Keeping Chrome up to date is very easy and the fact that it also updates its version of Flash player is even better.

    With all of the above security, I do feel secure but I don’t download non-trusted programs. Anything I download, I scan with my AV software and with the free version of Malwarebytes Anti-Malware. If I am still suspicious, I upload the file to VirusTotal and Virus Scan by Jotti ( http://virusscan.jotti.org/ ). My primary AV software update multiple times per hour automatically and includes an excellent firewall that never nags you since it “knows” via whitelisting if a program is legitimate or not. It also features IPS signatures. It has fully passed the ShieldsUP firewall penetration test.

    I check about 3 to 4 times per week that all of my browser plugins and 3rd party software is up to date. By checking this often, you are reducing the number of patches that you have to install at a time. I also install any Microsoft Security updates for Windows and Office 2010 as soon as possible .

    All of the above probably makes you think I am paranoid but I was infected by spyware (My Web Search) in late 2004 and even though I had "good" security (far from perfect), it wasn’t enough. This completely changed my attitude to security and I have not been infected since. Visiting security news websites such ZDNet, ComputerWorld, Dark Reading, Threatpost, H-Online and many others also keep me well informed about what threats are out there.

    I also believe that a certain level of security awareness and knowledge about what is and what is not expected behaviour on your PC can go a long way to bringing confidence when surfing websites or shopping online. I have heard of some people absolutely refusing to use online banking on a Windows PC since they don’t trust them. Instead they prefer to use a Linux Live CD:

    http://krebsonsecurity.com/2012/07/banking-on-a-live-cd/

    While this is a great solution, to me, it shows that you don’t have the security and technical knowledge to have confidence in how secure your PC really is. If you are in this much doubt about the security of your own PC, you need to have a re-think of why you have such doubts and learn how to properly secure it.

    Thanks Dancho for your informative article about browser security. With some good security habits we can all benefit from increased security (I don’t expect everyone to use the many layers of security and pre-cautions that I do!).
    JimboC421
  • iPad browsers

    Is it possible for malicious code to install itself on iPads? Or are iPad browsers exempt from this discussion? btw, I don't mean social attacks...obviously people can be fooled to give up passwords, etc. I'm referring specifically to coding attacks.
    gdstark13
    • more

      If not, there's your solution.
      gdstark13
    • The iOS security model is a good one

      However, it's not a panacea. Remember this?

      http://www.zdnet.com/blog/security/apple-plugs-ios-security-holes-to-thwart-jailbreakme-com-exploit/9053

      What if the malware miscreants had discovered the [built-in] PDF Reader font vulnerability and crafted an exploit instead of the iOS jailbreak community? This was a drive-by, btw.

      While Apple was able to prohibit both Flash Player and Java on iOS, not so with PDF documents and readers. Lot's of gotchas with PDF. In addition, there's an Adobe PDF Reader app available for the iPad.
      Rabid Howler Monkey
      • thanks

        I wasn't aware of the drive-by exploit. I stand corrected.

        gary
        gdstark13
  • Is it safe?

    Generally speaking, the answer is 'No'.

    It doesn't matter which operating system or which browser one uses, the risk of attack by a zero-day exploit is always present.

    Yet, there are differences in how the 'security is a process' philosophy works with Microsoft Windows vs. alternative operating systems, such as Ubuntu Linux.

    In examining how Microsoft approaches security on Legacy Windows 8, one can see that vendors such as Google and Mozilla are left to bolster their browser applications with their own security methods.

    For example, Google Engineers have worked diligently to apply sandboxing technology to their Windows Chrome browser, in an effort to contain and limit escalation of zero-day exploits.

    But it only goes so far--Engineers at Google have expressed in clear documented terms the 'caveats' of working with Legacy Windows 8, which has vestages of WinNT kernel written for Windows 2000.

    Reading here the caveats set forth, Google Engineers wrote:

    h-t-t-p://dev.chromium.org/developers/design-documents/sandbox

    Other Caveats:

    The operating system might have bugs. Of interest are bugs in the Windows API that allow the bypass of the regular security checks. If such a bug exists, malware will be able to bypass the sandbox restrictions and broker policy and possibly compromise the computer.

    Under Windows, there is no practical way to prevent code in the sandbox from calling a system service.

    In addition, third party software, particularly anti-malware solutions, can create new attack vectors. The most troublesome are applications that inject dlls in order to enable some (usually unwanted) capability. These dlls will also get injected in the sandbox process. In the best case they will malfunction, and in the worst case can create backdoors to other processes or to the file system itself, enabling specially crafted malware to escape the sandbox.

    ----------------
    So, you can see that with Legacy Windows, try as they might, Google Engineers cannot guarantee there will not be a successful zero-day exploit that injects a DLL and gains unimpeded SYSTEM privilege level. At this point, the system is owned by the exploit writer.

    Unlike Legacy Windows, Ubuntu Linux employs a built-in feature of the Linux kernel, 'Linux Security Modules' (LSM) and is by default running AppArmor, one of several LSMs available for installation.

    LSM, works in such a way to enforce an API 'hook' to the kernel which so causes 'the application', when making a SYSTEM call to 'defer' to the API hook for approval by LSM. LSM determines from its own profile the mapped 'allowed' behaviors of the App and either 'ALLOW's or 'DENY'ies the process id.

    This effectively means, that, unlike the unimpeded Windows expoit, LSM is standing in the way of any activity taken by the Application and, this is the important distinction, THE KERNEL.

    This is illustrative of the fact that the designers of Linux assume responsibility for parts of the 'security is a process' that Microsoft Windows Legacy does not. Microsoft imposes that responsibility on the third-party developers, which in my opinion is wrong.

    So, when it comes down to what happens at exploit time, with Windows Legacy, it's a roll of the dice. With Ubuntu Linux running LSM, you can be assured your profiled Application will NEVER have a zero-day exploit get a toe hold on your system. LSM will kill the rogue process id on the spot.

    You are safe with Ubuntu Linux and LSM.

    Ubuntu Linux, the safest operating system on the Planet.

    I stake my reputation on it.

    Thanks Dancho :)
    Dietrich T. Schmitz + Your Linux Advocate
    • I have seen exactly zero

      zero desktop Linux installation with LSM on them. The default installation doesn't offer it so much for user friendly way for joe users to use it, let alone profiling applications.

      And for those who think browser on Linux can't be exploited, think again:
      http://www.infosecurity-magazine.com/view/29430/new-linux-rootkit-delivering-driveby-infections-discovered/
      Samic
      • RE: "I have seen exactly zero zero desktop Linux installation with LSM

        The current top 5 desktop Linux distros at distrowatch.com ship with LSM enabled (AppArmor, SELinux or Tomoyo). However, the default web browser is not protected by default on any of them.

        Most desktop Linux users wanting a sandboxed web browser will install either the Google Chrome or open-source Chromium web browser (both are sandboxed via a hardened chroot jail). No CLI necessary.

        As for the Linux rootkit, it is designed to attack Linux nginx webservers and serve iFrame exploits to Windows desktops.
        Rabid Howler Monkey
    • Some false claims . . .

      "Under Windows, there is no practical way to prevent code in the sandbox from calling a system service."

      Define "practical." Last I checked, they'd have to bypass both Chrome's sandbox and several layers of security that Windows provides. It's quite a task to get through every layer.

      "Of interest are bugs in the Windows API that allow the bypass of the regular security checks."

      Mostly theoretical at this point, as they're doing a good job of patching the known bugs.

      "LSM, works in such a way to enforce an API 'hook' to the kernel which so causes 'the application', when making a SYSTEM call to 'defer' to the API hook for approval by LSM."

      Yeah, that's pretty much how security tokens work in Windows. Similar concepts, different implementations. Maybe you should do some research into the Windows security model, hmm?

      "This effectively means, that, unlike the unimpeded Windows expoit, LSM is standing in the way of any activity taken by the Application and, this is the important distinction, THE KERNEL."

      Unless there's an exploit in the LSM itself.

      No, applications in Windows do not have the unrestricted access to the kernel you claim they do. That's a rather absurd claim.
      CobraA1
    • Completely safe?

      Dietrich, thanks for increasing my confidence in Ubuntu, the operating system I use. Being somewhat paranoid about vulnerabilities having seen so many of my friends and associates PCs compromised I run my PC as follows:
      Host Ubuntu that never networks directly, VirtualBox, guest Ubuntu for networking that gets restored from a fresh installation each time.
      Perhaps I'm somewhat paranoid but perhaps I have a completely save guest Ubuntu.
      Comments?
      a foot in both camps
      • Safer

        Qubes OS.
        Rabid Howler Monkey
  • Agree!

    Just a great argument, Dietrich Schmitz. Thank you.
    Gonzalo_VC
    • Not really . . .

      Not really - he's throwing around some absurd idea that Windows somehow allows for free reign on the kernel, which is certainly not true.
      CobraA1
      • Agreed

        CobraA1 is right. Windows applications run in user mode, while drivers and system services run in kernel mode.

        http://msdn.microsoft.com/en-us/library/windows/hardware/ff554836(v=vs.85).aspx

        Windows also uses integrity levels so that processes with lower integrity cannot modify processes with higher integrity. Windows 8 introduced the integrity level of AppContainer for IE 10 with Enhanced Protected Mode enabled.

        http://blogs.msdn.com/b/ieinternals/archive/2012/03/23/understanding-ie10-enhanced-protected-mode-network-security-addons-cookies-metro-desktop.aspx

        By the way, I am NOT saying that Linux is inferior to Windows in terms of security but free access to the kernel is simply not true (especially with PatchGuard on 64 bit systems).

        http://blogs.msdn.com/b/windowsvistasecurity/archive/2006/08/11/695993.aspx

        And yes, I am aware that there are methods used to bypass PatchGuard.

        Thanks.
        JimboC421
  • Securty in general

    However safe browser and operating system with the latest patches - the most important bug sits between the keyboard and chair.
    Till there are some people bypassing or switching off the security functions just to see some pages or they do believe the phished pages not checking the links in browser's address line - then they have no right to be surprised by attack and feel offended.
    And in case of the sober minority of users - we are forced to show symptoms of some kind of psychic disorder trying to keep our sensitive information safe.

    Thanks for the article - perfectly chosen topic, very well covered isuue and also the comments below give wider information.

    Tom
    Tomaseq
  • Secure Browsers

    if people want to prevent malware-infections, i think that using high security-settings with their browser is critical.. i use "firefox" with the "noscript" addon and, with the "noscript" addon, i believe that it is secure.. if one uses high security-settings with IE, i believe that it is just as secure as "firefox", with the "noscript" addon.. i have heard that google's "chrome" allows for using high security-settings, but i am not familiar with google's "chrome" or its settings-options..
    redwolfe_98