Articles by Mathieu Lafon


It’s now widely recognized that the browser is one of the leading weaknesses in the enterprise information security environment, increasingly under attack as criminals race to develop exploits for each new vulnerability faster than the browser vendors can patch the problem.

But the problem isn’t limited to the browser itself. The browser hosts multiple add-ons and helper applications in an extremely complex runtime environment to offer the user seamless access to rich media content (PDF, WebEx, video streaming and so on). These add-on programs naturally have their own vulnerabilities. Adobe and Oracle issue frequent updates for their leading browser add-ons, Adobe Acrobat Reader, Adobe Flash Player, and Java. Recently, Microsoft announced that MMPC (Microsoft Malware Protection Center) had blocked over 6 million Java attacks in a single quarter. The problem for the enterprise is that any one of these updates may render the browser environment incompatible with business-critical applications – and it may be practically impossible to back out of the update. To avoid this situation many enterprises now freeze end-user deployments on a specific, tested Java release or service pack level of Microsoft’s Internet Explorer, despite the security risks of not running the latest updates.

The winners, in this situation, are the security software vendors, continuously developing new solutions to install on the end-point platform (antivirus, antispyware, anti-malware…), each one slowing the PC down a little more, and mostly incapable of preventing an attack launched against the latest 0-day vulnerability. One way of resolving the problem would be to deploy a separate machine for each application, on every user’s desktop; isolated and correctly configured, security and performance could be optimized — at a certain cost. Fortunately for the bottom line, there’s the Virtual Browser solution.

Version 2.1 of the Virtual Browser solution is now available. Among the many enhancements, we’re particularly proud of the work we’ve done to improve the way video streaming is handled (already discussed here), with automatic detection of embedded video and data compression optimized in real time. The problem with video is that when page rendering takes place remotely rather than on the user’s system, the fluidity and continuity of real-time elements such as video can suffer. It’s important to us that the end-user experience of increasingly dynamic web sites and applications is identical whether they are using Virtual Browser or a classic locally-installed web browser, so we chose to invest significant R&D effort in developing new techniques to deliver a superior video delivery mechanism for the Virtual Browser client. Not only have we achieved our objective with release 2.1, we’ve also dramatically reduced bandwidth requirements, by up to a factor of 10 for certain types of streaming. This is a key breakthrough in its own right: with the rapid uptake of the Apple iPad (a Virtual Browser iPad client has also been released), the number of users on 3G networks is set to grow rapidly. With Virtual Browser, any web application, including Flash-based applications and those supported only in IE, is accessible from any end-point device, including Apple’s.

Other new features in version 2.1 include support for VNC, complementing the already supported Citrix and TSE remote desktop environments. With this technology Virtual Browser can be deployed as a universal telecommute/mobile office environment, delivering remote access to the corporate intranet, web services, virtual desktop environments and even physical desktop systems.

Version 2.1 also offers new levels of flexibility in user interface management. A key feature of the Virtual Browser architecture is that the rendering engine and user interface are separate entities. This means the system administrator can decide what look-and-feel is presented to the user independently of the underlying browser technology and plugins. For example, with version 2.1 the user can be presented with an Internet Explorer-like user interface while the Virtual Browser appliance is in fact executing Firefox. In the enterprise environment, where the slightest change to an application UI can impact productivity as ingrained user habits are challenged, this feature can greatly facilitate application updates and migration while limiting the impact on the end-user population.

During the summer a section of the R&D team was tasked with taking a closer look at video support in Virtual Browser.

Up to now Virtual Browser (like most remote display/desktop technologies) managed video display by sequentially transferring a series of static images from the server to the client, a process which consumes an excessive amount of bandwidth, puts an excessive load on the server, and delivers a frequently unsatisfactory result for the end user (jerky films, interruptions, and the like).

This wasn’t very satisfactory for us either. We attach a lot of importance to the user experience, so we decided to take a closer look at the problem of streaming and remote display technology. Thibault, one of our R&D engineers, analyzed the situation in depth, leading us to develop and implement two modifications to our solution which will have a significant positive impact on the user experience of video streaming:

  • Dynamic selection of lossy or lossless image compression algorithms according to the image type detected (photo/graphic, static/dynamic).
  • On-the-fly identification of dynamic zones (especially videos) and the generation of an MPEG streaming channel to optimise transfer, instead of transferring sequential static images.
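The two modifications above can be illustrated together with a small region classifier. The following is an added example, not Virtual Browser code: it splits a sequence of constructed grayscale frames into 8x8 tiles, marks a tile as dynamic when it changes in at least half of the frame transitions (a candidate for the video channel), and for the remaining static tiles picks lossless compression when the tile has few distinct values (text, UI graphics) and lossy compression otherwise (photographic content). The tile size, thresholds and the three-column test pattern are assumptions chosen for the demonstration.

```python
"""Per-tile transfer strategy for a remote display: video channel,
lossless or lossy compression. Added example; the thresholds, tile size
and sample frames are constructed for illustration."""
from collections import Counter
import random

TILE = 8
DYNAMIC_RATIO = 0.5       # tile changes in >= 50% of transitions -> video channel
GRAPHIC_MAX_COLOURS = 8   # few distinct values -> synthetic graphic -> lossless
PIXEL_TOLERANCE = 2       # ignore tiny per-pixel jitter when comparing frames


def tile_pixels(frame, ty, tx):
    """Flatten the TILE x TILE block at tile coordinates (ty, tx)."""
    return [frame[y][x]
            for y in range(ty * TILE, (ty + 1) * TILE)
            for x in range(tx * TILE, (tx + 1) * TILE)]


def tile_changed(prev, cur, ty, tx):
    """True if any pixel of the tile moved by more than the tolerance."""
    return any(abs(p - q) > PIXEL_TOLERANCE
               for p, q in zip(tile_pixels(prev, ty, tx), tile_pixels(cur, ty, tx)))


def change_ratio(frames, ty, tx):
    """Fraction of consecutive frame pairs in which the tile changed."""
    transitions = len(frames) - 1
    changed = sum(tile_changed(frames[i], frames[i + 1], ty, tx)
                  for i in range(transitions))
    return changed / transitions


def image_kind(pixels):
    """Crude photo/graphic detector: graphics use few distinct values."""
    return "graphic" if len(set(pixels)) <= GRAPHIC_MAX_COLOURS else "photo"


def classify(frames):
    """Map each tile to 'video-stream', 'lossless' or 'lossy'."""
    rows, cols = len(frames[0]) // TILE, len(frames[0][0]) // TILE
    plan = {}
    for ty in range(rows):
        for tx in range(cols):
            if change_ratio(frames, ty, tx) >= DYNAMIC_RATIO:
                plan[(ty, tx)] = "video-stream"
            elif image_kind(tile_pixels(frames[-1], ty, tx)) == "graphic":
                plan[(ty, tx)] = "lossless"
            else:
                plan[(ty, tx)] = "lossy"
    return plan


def summarize(plan):
    """Count how many tiles fall into each strategy."""
    return Counter(plan.values())


def build_frames(n=6, height=16, width=24, seed=1):
    """Constructed sample: left 8 columns are a flat UI colour (graphic),
    middle 8 columns are static random noise (photo-like), right 8 columns
    shift every frame (video)."""
    rng = random.Random(seed)
    photo = [[rng.randrange(256) for _ in range(8)] for _ in range(height)]
    frames = []
    for i in range(n):
        frame = []
        for y in range(height):
            row = [200] * 8                                   # graphic column
            row += photo[y]                                   # photo column
            row += [(x + 3 * i + y) % 256 for x in range(8)]  # video column
            frame.append(row)
        frames.append(frame)
    assert width == 24
    return frames


if __name__ == "__main__":
    plan = classify(build_frames())
    for tile, strategy in sorted(plan.items()):
        print(tile, strategy)
    print(dict(summarize(plan)))
```

Running the block prints one line per tile; on the constructed frames the left column is sent lossless, the middle column lossy, and the right column is handed to the video channel. A real implementation would hysteresis-filter the dynamic flag so a tile does not flip strategy on every frame, but the decision structure is the one described above.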

These changes are currently under test, and we expect to roll them out with release 2.1 at the end of the month.

Malware researchers at McAfee Labs, the research division of McAfee, have just published their annual report “2010 Threat Predictions”. The browser, unsurprisingly, continues to be the principal vector for attacks, according to the report; the news is that social networking sites are fast becoming the main source of threats. One simple example: the popularity of URL shorteners (bit.ly, tinyurl.com) to save characters in Twitter makes it easy to get even the most aware user to click on a “poisoned” link which may download malware or launch a cross-site attack.
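The risk described above is that a shortened link hides its real destination. A defensive check is to expand the redirect chain with HEAD requests that are never followed automatically and to flag what comes back before anyone clicks. The following is an added example, not part of the McAfee report or of Virtual Browser: the redirect table, hostnames and the `.example.test` domains are constructed, and the fetcher is injected so the block runs offline (a real deployment would pass a function that issues the HEAD request and returns the `Location` header).

```python
"""Expand shortened URLs hop by hop and report what the chain reveals.
Added example; the redirect table and hosts below are constructed."""
from urllib.parse import urlsplit

SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}   # assumed list
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".msi", ".bat")
MAX_HOPS = 5

# Constructed stand-in for HEAD responses: url -> Location header.
FAKE_REDIRECTS = {
    "https://bit.ly/abc123": "https://tinyurl.com/xyz",
    "https://tinyurl.com/xyz": "http://downloads.example.test/update.exe",
    "https://bit.ly/good": "https://intranet.example.test/news",
    "https://bit.ly/loop1": "https://bit.ly/loop2",
    "https://bit.ly/loop2": "https://bit.ly/loop1",
}


def fake_head(url):
    """Return the Location header a HEAD request would yield, or None."""
    return FAKE_REDIRECTS.get(url)


def expand(url, head=fake_head, max_hops=MAX_HOPS):
    """Follow Location headers manually; stop on loops or hop limit."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        nxt = head(chain[-1])
        if nxt is None:
            return chain, "resolved"
        if nxt in seen:
            return chain + [nxt], "loop"
        chain.append(nxt)
        seen.add(nxt)
    return chain, "too-many-hops"


def assess(url, head=fake_head):
    """Expand a link and list the findings a reviewer would want to see."""
    chain, status = expand(url, head)
    final = urlsplit(chain[-1])
    findings = []
    if urlsplit(url).hostname in SHORTENER_HOSTS:
        findings.append("shortener")
    if status != "resolved":
        findings.append(status)
    if final.scheme == "http":
        findings.append("plain-http")
    if final.path.lower().endswith(EXECUTABLE_SUFFIXES):
        findings.append("executable-download")
    return {"final": chain[-1], "hops": len(chain) - 1,
            "chain": chain, "findings": findings}


if __name__ == "__main__":
    for link in ("https://bit.ly/abc123", "https://bit.ly/good",
                 "https://bit.ly/loop1"):
        print(link, "->", assess(link))
```

The findings are deliberately descriptive rather than a block/allow verdict: whether a plain-HTTP executable behind two shorteners is acceptable is a policy decision, and the expansion only makes the destination visible so that policy can be applied.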

The McAfee report also discusses the recent growth in exploits taking advantage of vulnerabilities in helper applications and browser plug-ins such as Adobe Acrobat and Flash. And they highlight the risk of HTML 5.0 “blurring and removing the lines between a web application and a desktop application”. The need for the enterprise to isolate different web usages based on security policies will become increasingly urgent in 2010.

Hot on the heels of Virtual Browser version 1.2, version 1.3 is now ready for release. Why are we introducing two versions so close together? Well, it’s part of an ambitious product roadmap which leads up to a full rollover to version 2.0 during Q1 2010. Regular intermediate releases help keep us focused, while fulfilling customer and partner expectations in terms of fast time-to-market for new features and functionality.

Virtual Browser release 1.3 delivers support for transparent authentication modes so that, for example, user authentication for Virtual Browser sessions can be based on Windows logon credentials. On the server side, Virtual Browser can now integrate ICA and RDP clients, opening up a whole new range of possibilities for enterprise deployments.

Looking ahead, the objective is to position Virtual Browser as the universal client for the Cloud Computing era. For the enterprise moving to Cloud-based solutions, Virtual Browser offers a single, centralized point of control for multi-platform access to any web-enabled or virtualized application, wherever it’s hosted. By integrating support for ICA and RDP clients on the Virtual Browser server, end users can access web applications and Citrix or TSE applications through a single, secure, multiplatform browser interface.

Details of a new vulnerability in IE6 and IE7 were published on the internet at the beginning of last week, before Microsoft was aware of the problem. Microsoft has issued a security advisory but has yet to announce an update to correct the problem. Like previous vulnerabilities (see here and here), recommended workarounds and protection measures place heavy (unrealistic?) demands on users, and the risks remain high — an attacker can inherit the user’s access rights on the attacked machine. IE6 and IE7 are still the most widely used browsers on enterprise networks.

It’s worth remembering that even the most well-informed users can fall victim to a web-based attack. It happened to well-known security expert Gadi Evron, who unwittingly helped propagate a worm on Facebook. While Facebook reacted quickly to the attack, it’s interesting to note that the propagation method was based on clickjacking rather than on XSRF, as some early blog posts claimed.

Just a month after the release of version 1.1, version 1.2 of the Virtual Browser server component is ready for deployment.

The latest release offers improved performance but, more importantly for enterprise deployments, multi-server support means that high availability and load balancing features are now available. It’s also possible to configure individual web sessions so that they are isolated on separate physical servers, optimizing network topologies and performance and further reinforcing application security.

Eagerly awaited by our most demanding users, these new features guarantee continuity of service for Virtual Browser end-users independently of the failsafe mechanisms offered by the underlying platform (the Virtual Browser server is designed for installation in a VMware environment), while also improving scalability and optimizing performance when very large numbers of sessions are open simultaneously.

Version 1.1 of the Virtual Browser solution enhances the product with new features facilitating seamless integration with the enterprise infrastructure:

  • Strong authentication based on X.509 certificates increases protection for the enterprise and reduces the risk of security being breached by simple password theft from a compromised terminal.
  • Role-based administrator access ensures that each admin only has the authority to execute authorised tasks (e.g. configuration, monitoring).
  • An IE6 rendering engine provides support for older web-based applications, incompatible with more recent browsers.
  • Virtual Browser client installations are now available for Apple Mac OS X and Linux platforms, in addition to the Microsoft Windows client.

Additional minor modifications have been made to improve performance and ease of use, so that Virtual Browser remains the best solution for secure web access in the enterprise.

The fourth 0-day vulnerability (after this one and these) in only two weeks has just appeared, and it targets one of the most widely used plugins: Adobe’s Flash Player, which is used to make web sites visually appealing, to watch videos on YouTube, to play online games, …

What do we face:

What do you do?

Browser updates

Most browsers are affected by security issues in early July.
