Browsing for an attack

While vulnerabilities in Web browsers are unlikely to disappear in the future, this does not mean surfing the Internet can't be a secure experience.

Online users now have to grapple with a growing number of security vulnerabilities found not only in Microsoft Internet Explorer, but also in other Web browsers including Opera and open-source Firefox. However, industry experts say surfing the Web can still be a secure activity.

Microsoft Internet Explorer (IE) users plagued by security woes initially saw Mozilla's Firefox browser as the more secure alternative. But the open-source browser is now facing security issues of its own, culminating in a diagnosis from security vendor Symantec that decreed it has double the vulnerabilities found in IE.

Now past its 100 millionth download, Firefox has come under fire in recent months for its security flaws. In its Internet Security Threat Report (ISTR), released in September this year, Symantec noted that the popular Mozilla browser had 25 vendor-confirmed bugs in the first six months of the year, as opposed to IE's 13.

Of Firefox's 25 flaws, 72 percent were rated "high severity", an increase from the 14 "most severe" flaws discovered over the same period in 2004. In contrast, IE's total of 13 bugs, eight of which were flagged "high severity", marks a decrease from the 31 that were discovered last year.

Even Opera, one of the smaller players in the browser space, has not been spared. In June this year, two months after the release of Opera 8, the Norwegian company updated its browser to fix a handful of security flaws which could have been exploited by phishers and other attackers to create spoof sites.

Can browsing be safe?
With the proliferation of loopholes found in Web browsers, has the phrase "secure browser" all but disappeared from the lexicon?

Jimmy Kuo, research fellow with McAfee's Anti-Virus Emergency Response Team (AVERT), said it would be a mistake to equate security with the number of vulnerabilities discovered.

"Safeness doesn't have to do with the number of vulnerabilities," he said. "It only takes the 'right' one to make it worthwhile to attack. Many announced vulnerabilities probably won't make malware writers excited."

Dean Turner, executive editor of Symantec's Internet Security Threat Report One, reasoned that vulnerabilities in Web browsers are frequently highlighted these days because browsers are seen as an "attractive entry point into the host system".

"Increasingly, attackers are shifting their focus away from network perimeters as a way into the network and toward individual client side applications such as Web browsers," Turner explained. "Due to widespread deployment and the fact that most networks allow HTTP (Web) traffic into their networks, attackers are searching for the path of least resistance."

Charles Cousins, Asia managing director of Sophos Anti-Virus, noted that no piece of software can ever be perfect. Given that Web browsers are used by virtually every computer user, it is inevitable that hackers would zero in on them, he said.

"All software has flaws, and hackers will exploit security holes in commonly used applications," Cousins added. "Browsers are an obvious application to target as they read data from third-party Web sites which can be constructed to include malicious code."

Microsoft has also acknowledged that hackers target widely-used software, and that it is facing problems resolving the issue.

In its most recent Form 10-K filing to the U.S. Securities and Exchange Commission, the software giant stated that hackers have tended to "focus their efforts" on Microsoft's Windows operating system (OS) and applications. The company noted that security vulnerabilities could dent its revenues, as well as lead to potential litigation troubles.

In addition, "actual or perceived security vulnerabilities in (its) products could lead some customers to seek to return products, to reduce or delay future purchases, or to use competitive products", and that these security issues could "lead to claims" against the company, Microsoft stated.

According to Symantec's Turner, the majority of flaws found in Web browsers are caused by "logic errors in the browser security model".

"These vulnerabilities are usually exposed in how the browser handles client-side scripting and other dynamic content," he explained. "(They) often are a failure of the browser to properly sandbox its scripting capabilities from the OS or to properly delineate boundaries between Web sites in different domains."

Much of the increase in the total volume of vulnerabilities during this period, said Turner, is also due to the substantial rise in vulnerabilities in Web applications. Symantec's most recent ISTR found that 1,100, or 59 percent, of all documented vulnerabilities were found in Web application technologies during the first six months of 2005. This is a 59 percent increase over the 694 vulnerabilities uncovered in Web applications over the same period a year ago.

Said Turner: "With the increased deployment of Web applications and use of browsers as client interfaces, it is reasonable to speculate that as Web browsers become more prevalent, more attention will be focused on their vulnerabilities."

But businesses need not lose sleep deciding which Web browser is safer to deploy. While it is likely that more vulnerabilities will be highlighted in future, this trend does not necessarily mean that browsers are becoming less safe.

McAfee's Kuo pointed out that the bugs brought to light so far are not the only ones that exist in a browser, merely those that have been discovered.

"Sure, there will be more. The bugs are either already there or not. It's a matter of when a particular bug is discovered and then publicized. More so the latter than the former," said Kuo.

Browsing safely
Enterprises can make surfing the Internet a safe experience by taking certain steps to beef up their overall security defenses.

For starters, enterprises need to have a security policy in place that educates users about secure browsing habits, and ensure only authorized applications are deployed on client systems, said Turner.

Companies should extend their security strategy to include deploying security tools such as firewalls and intrusion detection systems on individual client machines, going beyond the traditional measures implemented at the network perimeter, he added.

Enterprises must also ensure that antivirus definitions are updated regularly, and that they apply OS-related patches as they become available, Turner said.

Kuo strongly advocated the use of whitelisting, where enterprises control which Web sites their employees may visit. He also suggested that enterprises implement buffer overflow protection.

"It is not just about surfing," said Kuo. "E-mail could contain the same vulnerabilities. Remember, many IE vulnerabilities also exist in an e-mail product because it's fundamental to the OS. And buffer overflows are generic, and also the most dangerous."