Articles by Mathieu Lafon


A new 0-day vulnerability in Microsoft’s ActiveX Video Control once again puts the focus on browser security. Thousands of web sites (most of them legitimate sites that have been compromised) are already being used to exploit this vulnerability and take control of users’ workstations.

Microsoft has already published a security advisory and a technical analysis on its security blog, but no security update. The only workaround is the well-known kill bit, which sets the control’s Compatibility Flags in the registry so that IE refuses to instantiate it (or to surf with a browser other than IE…). Still, Microsoft deserves a red card: the CVE number (CVE-2008-0015) and its creation date show that they had been aware of this vulnerability for 18 months.

At commonIT, our virtualized browser product, Virtual Browser, protects users by design against this kind of attack. Even when the Internet Explorer rendering engine is used, successful exploitation of this vulnerability does not give the attacker control of the user’s workstation, the company network, or other trusted web applications. Any malicious code is automatically destroyed when the user closes the window. Stress-free Internet?

Trust and security

It’s a mistake to think that the core security issues on the internet are purely technical issues. They are not. Security on the Internet is largely a problem of the trust relationships linking several components:

  • The trust a user has in the browser and its capacity to deliver reliable information, while protecting the user;
  • The trust between a browser and its trusted certificate authority (CA) list;
  • The trust that the entire IT industry has with respect to the various certificate authorities (CA) and their ability to reliably authenticate certificate owners, to verify their information and to technically protect the underlying mechanism.

If a single element of the trust chain is broken, the entire security model is at risk, as has been demonstrated recently:

So it is clearly difficult for users to be sure they can trust a web site, even with all the trust indicators their browser gives them. An up-to-date browser and revocation checking of every certificate (using OCSP) remain the best way to surf with low risk, bearing in mind that browsers typically soft-fail, i.e. proceed, when the OCSP responder cannot be reached. And be sure of what you are doing before accepting an untrusted certificate, because basic MITM attacks exist in the wild.

A few months ago, Window Snyder (Chief Security Officer at Mozilla Corporation), in an interview for Computerworld, explained that it is impossible to build a perfectly secure browser. Reading the Browser Security Handbook published a few days ago by Google helps us understand why this is the case. And as the browser is required to support more and more file formats, the number of potential sources of vulnerabilities grows accordingly.

“It’s impossible to build a perfectly secure browser” — Window Snyder

And then last week we learnt that Microsoft is being hit by a critical vulnerability in IE (thoroughly analyzed by Websense) which is being heavily exploited to infect Windows hosts. Disclosed at the same time as the December Patch Tuesday, the vulnerability is likely to do a lot of damage before Microsoft is able to publish a hotfix, especially as the available workarounds are not easy to apply. To contain the risk, Microsoft should release an out-of-band patch for IE immediately.

Which leads us to the inevitable conclusion that the browser is an incredibly risky environment, constantly under attack; sooner or later, a zero-day attack, a previously unknown vulnerability, or simply a badly designed plug-in will leave your information systems exposed. The solution is to put the browser in a virtualized environment, preventing web-based malware from infecting the user’s PC and then spreading across the corporate network.

Who we are (2/4)

It’s my turn to tell you about Daniel, with whom I have worked for many years.

Daniel Fages:

Daniel, a graduate of the INSA engineering school in Lyon like myself and David, has worked in the information security field throughout his career. Technically speaking, we are complementary: Daniel is an inventor, designing and experimenting with innovative technical solutions while I transform his proof-of-concept into an industrial-level product. He is a visionary who knows how technologies will evolve and what should be done now.

Daniel started his career in 1997 at IBM as a consultant in the security and Internet fields, then in 1999 began working on an innovative application layer firewall with security and performance in mind. This led to him founding Arkoon Network Security and patenting the breakthrough FAST (Fast Applicative Shield Technology) technology which is still the core filtering engine of Arkoon’s FAST360 UTM appliances.

As a founder and CTO of Arkoon, he built up the R&D department and was a valued member of the executive committee. Daniel is one of the key people who have made a significant contribution to the success of Arkoon and to its status as the French leader in IT security solutions.

November 2008 has seen a slew of vulnerabilities impacting every main browser on the market. Among them, Safari and Firefox are the most impacted:

  • Safari 3.2 includes corrections for 11 vulnerabilities which can lead to code execution, denial of service or information disclosure. An anti-phishing filter and support for EV certificates have also been added in response to criticisms from PayPal.
  • Firefox 3.0.4 fixes 9 vulnerabilities with 4 rated as critical. Impacts of these vulnerabilities include denial of service, code execution, privilege escalation and information theft. For users of Firefox 2, these fixes are included in the 2.0.0.18 version.

While other browsers were impacted by fewer vulnerabilities, updates were issued for:

If you feel unsafe using the browser on your computer and want more details on browser virtualization and web session partitioning: www.commonit.com.

When you are connected to the Internet, your browser will automatically, or at your request, download web pages, photos or videos. This is what has made the Web successful, and what Web 2.0 sites use extensively to provide the best possible user experience.

But one can legitimately wonder whether the browser is not too credulous in following all those links. If some unrelated external website contains links to images on your Intranet, or embeds part of your bank’s website, your web browser will not be bothered. Will you?

In the cat-and-mouse game pitting attackers and security researchers against developers, the advantage is more than ever with the cats. As the Web is used more and more, especially for business, important security vulnerabilities are still present:

  • XSS (Cross-Site Scripting): A vulnerability in a website which lets an attacker run script of their choosing in the victim’s browser, inside the vulnerable site’s own origin, so the ‘same origin policy‘ offers no protection. This can be used to steal the user’s session cookies or to act on the site as the user.
  • CSRF (Cross-Site Request Forgery): A missing check in a website which lets another site trigger actions (send email, password modification, …) on a site the user is authenticated to, without the user knowing: the browser attaches the session cookie to the forged request. A few weeks ago, a study revealed that some major websites still have CSRF vulnerabilities. Among them, the website of INGDirect could be used to transfer money.
  • Clickjacking: (Recent) technique where a website the user is authenticated to is loaded in an invisible frame over the attacker’s page, so that clicks the user believes are aimed at the visible page land on the authenticated site’s buttons. This can be used to fool the user into performing actions. A demo can be seen here.
  • Intranet scanning: Use of JavaScript (or simple HTML elements such as images and scripts, with no script at all) from an external page to probe servers located on the private network, using load and error events or response timing. This can be used to identify software and services and interact with them.
  • DNS rebinding: Exploitation of DNS to circumvent the ‘same origin policy‘: the attacker’s hostname first resolves to the attacker’s server, then, with a short TTL, to an internal address, so script from the attacker’s page can talk to an internal host that the browser still considers same-origin.

It is often recommended to connect to a website with sensitive information only from a browser with no other open windows or tabs. But who really restarts their browser before connecting to the bank’s website ? Who never browses with a tab open on the corporate Intranet or webmail ?

Aware of these problems, I have spent a long time thinking about how to easily partition browsing sessions using trust levels. It is normal that my Intranet contains links to Internet, but it is not normal that an external website contains a link to my Intranet. In a previous life, I successfully implemented this kind of filtering at the perimeter level (firewall) but HTTPS and Javascript are easy ways to circumvent that. The only way to filter effectively is to do it directly in the browser.

With the creation of commonIT, I have tried to introduce the concept of session-partitioning in the core of the Virtual Browser product. With the virtualization of the browser, session-partitioning and mobility, Virtual Browser is an effective and innovative solution for secure browsing.
