Published: 02 Apr 2009
Many security vendors have sung the same tune over the last couple of years: the browser is not only vulnerable, it's the front line of most cyberattacks. That message couldn't have been any clearer at this year's CanSecWest conference.
Two researchers easily exploited zero-day flaws earning themselves thousands of dollars in prize money during a contest sponsored by TippingPoint's Zero-Day Initiative. It took the two young white-hat hackers only a few hours to uncover four critical vulnerabilities and break into systems running Apple Safari, Microsoft's newly released Internet Explorer 8 and Mozilla Firefox.
"It's a game of cat-and-mouse and it's going to continue to be a game of cat-and-mouse no matter how many security features are put in," says John Strand, a senior security researcher with Black Hills Information Security.
Just a day after one of the two hackers cracked a zero-day flaw in Internet Explorer 8, Microsoft released the browser to the public-- flaw and all. But security experts praised the new browser for its new cross-site scripting (XSS) filter that automatically disables XSS attacks when they're detected. An anti-clickjacking feature prevents users from clicking a hidden Web element. A SmartScreen filter was redesigned to make it more difficult for users to click through to a malicious Web page.
Security experts also lauded more technical security features. A data execution prevention feature in IE 7 is now enabled by default. Data-execution prevention makes it more difficult for attackers to run code in memory that is marked non-executable. It's partially what has made Windows Vista difficult for hackers to exploit.
But all the security features in the world won't block the social engineering methods used by attackers to exploit browser flaws and Web application errors. Tools are available for companies using Flash, AJAX and Java-based Web applications to test for coding errors that could lead to browser exploits. But the holes continue to exist, and the tools won't keep the user in check.
"End users are going to continue to click on malicious links and browse to Web pages hosting malware," says Matt Watchinski, director of vulnerability research at Sourcefire. "You can't eliminate the human factor."
And the human factor applies to software developers, too.
Boaz Gelbord, executive director of information security at Wireless Generation heads a project for the Open Web Application Security Project (OWASP) that is researching company spending on software development projects. A recent survey conducted by the project found that 61 percent of respondents had an independent third-party security review of software code to find flaws before Web applications are used live. Gelbord says the predominant thinking has been that companies are conducting code review in-house if they're even doing it at all.
"The approach that companies are taking is to have security developers with some security training looking out for major flaws," Gelbord says. "They're bringing in third parties who really have expertise to look for more difficult to find vulnerabilities."
Even with experts crunching code for errors, issues will remain. The CanSecWest conference not only demonstrated that browsers are on the front line, it showed that hackers will find a way in not matter how many security controls are in place. With the release of IE 8, Microsoft demonstrated how a browser maker can mitigate the risk of an attack to a more manageable acceptance level. But the human factor will always remain.