Web Browser Security
If not properly secured, Web browsers can serve as a gateway for malicious users who want to infect your network.
Security experts Joshua D. Abraham of Rapid7 and Rafal Los of HP researched the state of Web browser security. Mr. Abraham and Mr. Los presented their findings in their presentation titled Total Browser Pwnag3: Breaking the Browser to a riveted audience at Infosec World 2009 in Orlando, Florida. In the presentation, the researchers took a comprehensive view of breaking the browser by addressing exploits on each aspect of the browser.
Before you can defend against malicious hacker attacks, it is imperative that those charged with guarding network security understand the multiple ways hackers can break a browser. Gaining a deeper understanding of Web browser security empowers organizations, and demonstrates the value of implementing both security awareness and a vulnerability management program.
What you don’t know about Web browser security can hurt you
Web browsers have become ubiquitous in the business environment, residing on the desktop of every user throughout the enterprise. However, even the most vigilant security professionals can underestimate the extent to which Web browsers can be exploited. Security professionals have long known of the need to patch their browsers. However, beyond the basic routine of patching and adjusting security zone settings in the browser, there is a much more sinister reality.
Historically, Web site security began simply as adding password protection to a few pages. As Web site security morphed into Web application security, the concern shifted to getting the Web application past security restrictions that might hinder its communication with backend databases. The discovery of the first Web browser vulnerabilities changed the game. Once hackers found Web browser vulnerabilities, they started breaking the browser. Web browser developers were left scrambling to patch those vulnerabilities, while security teams and the public frequently never got around to applying the patches. Breaking the browser has now grown from a sport among a small hacker community into a profit-driven activity by malicious hackers sometimes linked to organized crime.
High profile malicious attacks using cross site scripting, redirection and SQL injection underline the new reality in which security for Web applications is intertwined with browser vulnerabilities. However, many businesses do very little to acknowledge the mounting evidence that Web browser vulnerabilities will continue to be a threat. This is all the more true because the security of Web applications built for business often does not seriously take into account the security limitations of the Web browser itself. Mr. Abraham and Mr. Los set out to prove this through extensive research into the linkages between Web application security and Web browser vulnerabilities. They recently used a series of compelling demonstrations to illustrate their devastating conclusion: when it comes to Web security, the Web browser is broken. Senior IT Security Officers in the audience were forced to sit up in their seats and take notice after one particular click-jacking demo, using both transparent and non-transparent iframes, convincingly illustrated how easily the Web browser succumbed to the attack. The goal of this research is to catalyze a sense of urgency among IT security teams to deal with the risks posed by woefully inadequate Web browser security, and to give businesses the impetus to implement security programs that address Web browser security risks.
Understanding the threat
The world now relies on extensively intertwined Web sites, Web applications, Web services and Rich Internet Applications, all running on the Web browser. This Web ecosystem now links functions that touch every facet of business life, from simple questionnaire Web forms, to mission-critical financial portal applications. This interconnected online reality now poses a serious enterprise security challenge. Security professionals must meet this challenge first by understanding the threat, and then by taking action to protect their IT environment systems to mitigate these threats.
The researchers categorized the four attack vectors used to exploit weaknesses in Web browsers as:
- Traditional browser-based attacks
Browser-based attacks are exploits that use the browser as a platform from which to launch the attack, but do not seek to damage the browser itself. These attacks combine weaknesses in the basic architecture of Web browsers with weaknesses in the Web applications that run in them. The primary examples are cross site scripting and redirection vulnerabilities.
- Attacks against the Web browser
Web browser weaknesses continue to be attacked, in spite of the ongoing patches provided by the developers of those browsers. The researchers demonstrated the script exploits described in Microsoft Security Bulletin MS09-002, as well as what Metasploit catalogs as the XML_corruption vulnerability. They found that both vulnerabilities can be leveraged to gain remote access to client systems if system administrators do not apply patches in a timely manner.
- Attacks against plug-ins within the Web browser
Plug-in attacks are becoming more prevalent and have become a very effective attack vector. The Browser Exploitation Framework (BeEF) was used to demonstrate the ability to detect plug-ins installed within the Web browser. The researchers also demonstrated numerous attacks that leveraged plug-ins to gain remote access to client systems.
- Attacks against the Web standard
The demonstration that made seasoned IT professionals gasp at the InfoSec conference was the exploit of the click-jacking design flaw, using both transparent and non-transparent iframes. Click-jacking is possible because it exploits the basic World Wide Web Consortium (W3C) HTML 4 and HTML 5 standards themselves.
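Because click-jacking abuses the standard rather than a bug in one browser, the practical defence is for each site to tell browsers who may frame it. The following added example (not code from the presentation) audits a response's headers for exactly that: the legacy X-Frame-Options header and the CSP frame-ancestors directive; the sample responses are constructed, not captured from any real site.

```python
"""Audit HTTP response headers for protection against being framed by another
origin, the condition click-jacking relies on.  Added example, not the talk's code."""

# Sources that let any site (or any site on a scheme) frame the page.
BROAD_SOURCES = {"*", "http:", "https:", "http://*", "https://*"}


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy: dict[str, list[str]] = {}
    for clause in value.split(";"):
        tokens = clause.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def framing_protection(headers: dict[str, str]) -> dict:
    """Return {"protected": bool, "findings": [...]}; header names may be any case."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    # If frame-ancestors is present, browsers ignore X-Frame-Options, so the
    # CSP directive alone decides, even when X-Frame-Options says DENY.
    ancestors = parse_csp(lowered.get("content-security-policy", "")).get("frame-ancestors")
    if ancestors is not None:
        broad = sorted(BROAD_SOURCES.intersection(ancestors))
        if broad:
            findings.append(f"frame-ancestors allows broad sources {broad}")
        if "x-frame-options" in lowered:
            findings.append("X-Frame-Options is ignored when frame-ancestors is set")
        return {"protected": not broad, "findings": findings}

    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return {"protected": True, "findings": findings}
    if xfo:  # ALLOW-FROM (deprecated) or any other value is ignored by browsers
        findings.append(f"X-Frame-Options {xfo!r} is neither DENY nor SAMEORIGIN")
    else:
        findings.append("neither X-Frame-Options nor frame-ancestors is set")
    findings.append("add Content-Security-Policy: frame-ancestors 'none' (or 'self')")
    return {"protected": False, "findings": findings}


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "hardened": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "deprecated": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "conflict": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"},
}
```

Run `framing_protection` over each entry in `SAMPLES` to see that only the hardened response is protected, and that the conflicting pair is unprotected because the permissive CSP directive overrides the DENY.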
Reconciling functionality, user experience and security
The researchers demonstrated that the deadly impact of browser exploits through remote access attacks cannot be ignored, particularly given that the attacks can be carried out either individually or in combination. Ever more aggressive malicious exploits have surfaced in the last five years, and the frequency of attack is accelerating. In spite of the threat, the W3C is either unable or unwilling to change the HTML standards to harden them against attack. That leaves businesses and software programmers to work together to face the threat of malicious Web exploits. The demand for Web applications to morph into Rich Internet Applications (RIAs) that rely on Asynchronous JavaScript and XML (AJAX), Adobe AIR, ActionScript and other client-side scripting to extend Web browser functionality has outstripped the demand for network security. Functionality and user experiences driven by slick new RIAs have left security out of the picture. However, now that these applications hold sensitive private data while also using plug-ins that provide direct access into corporate production systems without so much as a sandbox sanity check, the security risk of RIAs can no longer be ignored.
Protecting your enterprise
The researchers identified three fundamental changes that need to be made in order to deal with the threat posed by security weaknesses found in Web browsers.
3 things you can do to protect your network from Web browser attacks
- Enforce comprehensive yet actionable Web application design standards that include security. Web application design standards are either missing from most software development environments, or are so cumbersome and complex that designers ignore the standard. The result is that security is not incorporated in final designs of either Web applications or Rich Internet Applications. Enforcing rigorous Web standards and comprehensive testing of software before it goes into production is essential to close this gap.
- Implement an enterprise-wide vulnerability management program. It is critical to have a rigorously enforced way of keeping patches throughout the system up to date, from firewalls all the way down to desktop Web browsers. Web application security and Web browser security are intertwined. By committing to an enterprise-wide vulnerability management program, organizations gain a reliable combination of processes and tools they can use to be vigilant about keeping Web browser vulnerability patches up to date.
- Support staff through a security awareness program. Showing staff how to work securely in the new Web reality is essential. If a comprehensive program is not possible right away, then start with a small program focused on high risk groups. For example, executives tend to be particularly prone to being attacked, so start with training for executives to help this highly connected group keep their private data secure so they can protect corporate assets from being exploited by malicious hackers. Supplement initial training with ongoing reinforcement through monthly security awareness programs so that staff retain the skills they need to reduce their risk of falling victim to Web browser exploits.
Rapid7 Security Consulting Services performs Web Application Security Audits. Our security experts have extensive experience in helping businesses identify vulnerabilities and create remediation plans to improve Web browser security, Web application security and Rich Internet Application (RIA) security.
Contact us to learn more about how to implement Web browser security best practices.
Downloadable Files
The slides from the original presentation as well as a series of video demos can be found below.
- PowerPoint Presentation
- MS09-002 Browser Exploitation Framework (BeEF)
- Detecting Plug-ins Browser Exploitation Framework (BeEF) Demo
- Clickjacking Demo
- Java Applet
- Keystroke Logger
- IE XML Corruption
- Adobe Printf Vulnerability
Security professionals
Joshua D. Abraham of Rapid7 and Rafal Los of HP presented Total Browser Pwnag3: Breaking the Browser at Infosec World 2009 in Orlando, Florida. As a courtesy to the security industry, Rapid7 and the researchers are making this information widely available. Provided that the source of this information is properly credited to Rafal Los of HP and Joshua D. Abraham of Rapid7, please feel free to incorporate this information into your internal security awareness programs.