Articles by Mathieu Lafon

Malware researchers at McAfee Labs, the research division of McAfee, have just published their annual report “2010 Threat Predictions”. The browser, unsurprisingly, continues to be the principal vector for attacks, according to the report; the news is that social networking sites are fast becoming the main source of threats. One simple example: the popularity of URI shorthands (bit.ly, tinurl.com) to save characters in Twitter makes it easy to get even the most aware user to click on a “poisoned” link which may download malware or launch a cross-site attack.

The McAfee report also discusses the recent growth in exploits taking advantage of vulnerabilities in helper applications and browser plug-ins such as Adobe Acrobat and Flash. And they highlight the risk of HTML 5.0 “blurring and removing the lines between a web application and a desktop application”. The need for the enterprise to isolate different web usages based on security policies will become increasingly urgent in 2010.

Hot on the heels of Virtual Browser version 1.2, version 1.3 is now ready for release. Why are we introducing two versions at so close together? Well, it’s part of an ambitious product roadmap which leads up to a full rollover to version 2.0 during Q1 2010. Regular intermediate releases help keep us focused, while fulfilling customer and partner expectations in terms of fast time-to-market for new features and functionality.

Virtual Browser release 1.3 delivers support for transparent authentication modes so that, for example, user authentication for Virtual Browser sessions can be based on Windows logon credentials. On the server side, Virtual Browser can now integrate ICA and RDP clients, opening up a whole new range of possibilities for enterprise deployments.

Looking ahead, the objective is to position Virtual Browser as the universal client for the Cloud Computing era. For the enterprise moving to Cloud-based solutions, Virtual Browser offers a single, centralized point of control for multi-platform access to any web-enabled or virtualized application, wherever it’s hosted. By integrating support for ICA and RDP clients on the Virtual Browser server, end users can access web applications and Citrix or TSE applications through a single, secure, multiplatform browser interface.

Details of a new vulnerability in IE6 and IE7 were published on the internet at the beginning of last week, before Microsoft was aware of the problem. Microsoft has issued a security advisory but has yet to announce an update to correct the problem. Like previous vulnerabilities (see here and here), recommended workarounds and protection measures place heavy (unrealistic?) demands on users, and the risks remain high — an attacker can inherit the user’s access rights on the attacked machine. IE6 and IE7 are still the most widely used browsers on enterprise networks.

It’s worth remembering that even the most well-informed users can fall victim to a web-based attack. It happened to well-known security expert Gadri Evron, who unwittingly helped propagate a worm on Facebook. While Facebook reacted quickly to the attack, it’s interesting to note the propagation method was based on clickjacking rather than on XSRF as some early blog posts said.

Just a month after the release of version 1.1, version 1.2 of the Virtual Browser server component is ready for deployment.

The latest release offers improved performance, but more importantly for enterprise deployments multi-server support means that high availability and load balancing features are now available. It’s also possible to configure individual web sessions so that they are isolated on separate physical servers, optimizing network topologies and performance and further reinforcing application security.

Eagerly awaited by our most demanding users, these new features guarantee continuity of service for Virtual Browser end-users independently of the failsafe mechanisms offered by the underlying platform (the Virtual Browser server is designed for installation in VMware environment), while also improving scalability, optimizing performance when very large numbers of sessions are open simultaneously.

Version 1.1 of the Virtual Browser solution enhances the product with new features facilitating seamless integration with the enterprise infrastructure:

• Strong authentication based on X.509 certificates increases protection for the enterprise and reduces the risk of security being breached by simple password theft from a compromised terminal.
• Role-based administrator access ensure that each admin only has the authority to execute authorised tasks (eg configuration, monitoring, etc).
• An IE6 rendering engine provides support for older web-based applications, incompatible with more recent browsers.
• Virtual Browser client installations are now available for Apple Macintosh OSX and Linux platforms, in addition to the Microsoft Windows client.

Additional minor modifications have been made to improve performance and ease of use, so that Virtual Browser remains the best solution for secure web access in the enterprise.

The fourth 0-day vulnerability (after this one and these) in only two weeks has just appeared and it is targeting one of the most used plugins: the Flash Player from Adobe which is used to make web sites visually appealing, to watch videos on YouTube, to play online games, …

What do we face:

• A critical vulnerability in the Flash player (at least in version 9 and 10) which can be exploited from all browsers and OS when accessing a compromised website (drive-by attack) or when viewing a malicious PDF using Adobe Acrobat Reader ;
• Both exploitation methods have already been seen in the wild ;
• No mitigation methods except removing the Flash player or some of its components ;
• Javascript desactivation will not protect against all kind of exploitation ;
• Adobe will not release security updates until July 30.

What do you do ?

Most of the browsers are impacted by security issues in early July.

• After the vulnerability in the Video Control component which is still not patched by Microsoft, it is now the Office Web Components Control which is actively exploited on Internet to take ownership of Internet Explorer by executing remode code… [Microsoft Security Advisory 973472]
• Mozilla has quickly published Firefox 3.5.1 to fix a critical vulnerability in the Javascript engine which can be used to execute remote code. Since then, a new vulnerability has been discovered but Mozilla argue that it is not exploitable, it is just a DoS vulnerability…
• Google has published in advance a new version (2.0.172.37) of Google Chrome which fix two critical vulnerabilities discovered by the Google security team (not yet public). On these two vulnerabilities, the sandbox technology used by Google is only able to mitigate one…
• Apple has fixed two critical vulnerabilities in Safari 4.0.2 : cross-site scripting, denial of service and remote code execution…

A new 0-day vulnerability in Microsoft’s ActiveX Video Control puts, once again, the focus on browser security. Thousands of web sites (most are compromised) are already used to exploit this vulnerability and take control of the user’s workstations.

Microsoft has already published a security advisory and a technical analysis on its security blog, but no security update. The only workaround is to use the famous Kill-bit to disable this ActiveX control (or to surf using another browser than IE…). Still, Microsoft deserves a red card because the CVE number (CVE-2008-0015) and its creation date prove that they were aware of this vulnerability since 18 months.

At commonIT, our virtualized browser product, Virtual Browser, can protect users, by design against these kinds of attack. Indeed, even when using the Internet Explorer rendering engine, the successful exploitation of this vulnerability will not take ownership of the user’s workstation or company network or other trusted web applications. Any malicious code will be automatically destroyed when the user closes the window. Stress-free Internet?

It’s a mistake to think that the core security issues on the internet are purely technical issues. They are not. Security on the Internet is largely a problem of the trust relationships linking several components:

• The trust a user has in the browser and its capacity to deliver reliable information, while protecting the user;
• The trust between a browser and its trusted certificate authority (CA) list ;
• The trust that the entire IT industry has with respect to the various certificate authorities (CA) and their ability to reliably authenticate certificate owners, to verify their information and to technically protect the underlying mechanism.

If only one element of the trust chain is broken, the entire security model is at risk, as this has been demonstrated recently:

• Eddy Nigg, founder of StartCom, has revealed that certstar, a reseller for the Comodo certificate authority was not verifying the provided information before signing SSL certificates (and certstart was using suspicious renewal scams to get more customers). Eddy easily obtained a certificate for the mozilla.com domain with no relationship with that organization. Comodo reacted immediately once the information had been revealed, revoking the certificate and launching an internal investigation into certstar. Mozilla is seeking stronger assurances from Comodo that they are doing their job professionally, and has threatened to remove Comodo from its trusted CA list if this is not the case.
• A group of researchers presented their work on the creation of a rogue CA certificate, recognized as trusted by the various browsers, and which can be used to generate an on-demand certificate for any secure website at the 25th CCC conference (Chaos Communication Congress). The technique exploits known weaknesses in the MD5 algorithm, still used by some authority certifications. Using a cluster of 200 PS3s, they can relatively rapidly generate a CA certificate with the same MD5 hash value as a RapidSSL certificate signed at their request. With this sort of certificate, they are able to impersonate any secure web site to launch man in the middle attacks. Verisign reacted immediately, banning the use of MD5 by its certification authorities to prevent a possible reproduction.

So it’s clearly difficult for users to be sure they can trust a web site even with all the trust indicators given by his browser. An up-to-date browser and checking of every certificate (using OCSP) remains the best way to surf with low risk. And be sure of what you are doing before accepting an untrusted certificate because basic MITM attacks exist in the wild.

A few months ago, Window Snyder (Chief Security Officer at Mozilla Corporation), in an interview for Computerworld, explained that it is impossible to build a perfectly secure browser. Reading the Browser Security Handbook published a few days ago by Google helps us understand why this is the case. And when the browser is required to support more and more file formats, the number of potential vulnerability sources is more and more important.

“It’s impossible to build a perfectly secure browser” — Window Snyder

And then last week we learnt that Microsoft is being hit by a critical vulnerability in IE (perfectly analyzed by websense) which is heavily exploited to infect Windows hosts. Discovered at the same time as the December Patch Tuesday, the vulnerability is likely to do a lot of damages before Microsoft is able to publish a hotfix, especially as the available workarounds are not easy to apply. To contain the risk, Microsoft should release an out-of-band patch for IE immediately.

Which leads us to the inevitable conclusion that the browser is an incredibly risky environment, constantly under attack; and sooner or later, a zero-day attack, a previously unkown vulnerability, or simply a badly designed plug-in will leave your information systems exposed. The solution is to put the browser in a virtualized environment, preventing web-based malware infecting the user’s PC before spreading across the corporate network.