Microsoft Internet Explorer, Google Chrome and Mozilla Firefox, the three most popular browsers on the market, saw a slight increase in browser vulnerabilities in 2011, but few cybercriminals are creating Web browser attacks targeting the flaws, according to a new report from IBM’s X-Force threat research team.
Browser architectural changes that support new security capabilities are forcing attackers to target embedded components rather than the browser itself, said Tom Cross, manager of threat intelligence and security on IBM’s X-Force team. Address space layout randomization (ASLR) and data execution prevention (DEP), two technologies that protect memory and the address space against code execution, along with sandboxing, which keeps code from escaping to more critical processes, have made it difficult for attackers to target browser flaws with highly automated, widespread methods, Cross said.
“All these things are combining to make browser exploitation significantly more difficult or impossible,” Cross said. “Although more browser vulnerabilities are being reported, we’re seeing fewer exploits getting written and released because it’s harder to accomplish.”
Drive-by attacks targeting browser flaws were down significantly in 2011, as attacks moved to targeting third-party browser plug-ins, according to IBM’s 2011 X-Force Trend and Risk Report. The number of exploits released for browser vulnerabilities peaked at more than 200 in 2007, and the steady decline continued in 2011, with fewer than 100 documented public exploits, lower than any year since 2006, the IBM researchers found.
Cross said researchers have demonstrated weaknesses in the new security capabilities, but creating an exploit to target the weaknesses is too time consuming and costly for most cybercriminals, who tend to gravitate to low-hanging fruit. Attacks that are favored are less sophisticated and can be automated in exploit toolkits, he said.
Attacks targeting embedded multimedia players are becoming more favored, the report said. Cross said enterprises should ensure embedded browser components receive patches or are completely disabled in high-security environments. Microsoft ActiveX and Apple QuickTime are commonly targeted by attackers. HTML 5, which is becoming more commonly used to create rich applications, also increases the browser’s attack surface.
The IBM report also found a decreasing number of disclosed Web application vulnerabilities. Web application flaws made up approximately 41% of all vulnerability disclosures in 2011, a decline of 8% from 2010. SQL injection flaws also declined by 46% in 2011, but IBM stresses that automated tools make SQL injection attacks easy for financially motivated cybercriminals looking to build out botnets.
In addition to SQL injection, IBM documented increases in Secure Shell (SSH) brute forcing and shell command injection activity, Cross said. Shell command injection flaws, which enable attackers to execute code on a Web server, can be addressed if coders properly sanitize their functions, Cross said. Flaws open to SSH brute-force password attacks are also serious, because simple automated programs can attempt password attacks on a large scale, trying the same username and password combination on thousands of systems. Meanwhile, cross-site scripting has been popular since the 1990s and is the most common type of Web application vulnerability.
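An added example, not from the IBM report or this article: SSH guessing that tries one credential pair across many systems leaves only a failure or two on each machine, so it stands out only when sshd logs from several hosts are correlated. The Python below does that over constructed log lines; the function names and thresholds are assumptions, and because sshd does not log passwords it groups by source address and username.

```python
import re
from collections import defaultdict

# Constructed sample: sshd auth lines gathered from four hosts (not real logs).
SAMPLE_LOGS = """\
Mar  1 10:00:01 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar  1 10:00:02 web02 sshd[1840]: Failed password for root from 203.0.113.7 port 50190 ssh2
Mar  1 10:00:03 db01 sshd[977]: Failed password for root from 203.0.113.7 port 50231 ssh2
Mar  1 10:00:04 db02 sshd[1033]: Failed password for invalid user admin from 203.0.113.7 port 50302 ssh2
Mar  1 10:05:10 web01 sshd[2290]: Failed password for alice from 198.51.100.23 port 41000 ssh2
Mar  1 10:05:14 web01 sshd[2291]: Failed password for alice from 198.51.100.23 port 41002 ssh2
Mar  1 10:05:20 web01 sshd[2295]: Accepted password for alice from 198.51.100.23 port 41010 ssh2
"""

# OpenSSH failed-password line as it appears in syslog: host, user, source address.
FAILED = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def failures_by_pair(log_text):
    """Map (source, username) -> {host: failed-attempt count}."""
    pairs = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            pairs[(m["src"], m["user"])][m["host"]] += 1
    return pairs

def detect_spread_guessing(log_text, min_hosts=3, max_per_host=2):
    """Flag one source trying one username on many hosts, a few tries each.

    min_hosts and max_per_host are illustrative thresholds, not values from the report.
    """
    alerts = {}
    for (src, user), hosts in failures_by_pair(log_text).items():
        if len(hosts) >= min_hosts and max(hosts.values()) <= max_per_host:
            alerts[(src, user)] = sorted(hosts)
    return alerts

if __name__ == "__main__":
    for (src, user), hosts in detect_spread_guessing(SAMPLE_LOGS).items():
        print(f"{src} tried '{user}' on {len(hosts)} hosts: {', '.join(hosts)}")
```

Repeated failures for one account on a single host, like the `alice` lines in the sample, are left to ordinary per-host lockout and are deliberately not flagged here.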
“It takes time, but a lot of progress has been made improving the quality of code that has been produced; developers are getting more conscientious about these things,” Cross said. “But Shell command injection attacks are taking off because people are auditing for SQL injection, not Shell command injection.”
The decrease in Web application flaws has contributed to the decline in the number of Web application exploits in 2011, according to the report. For the past few years the percentage of vulnerabilities with public exploits has hovered around 15%, but in 2011 it was 11%.