security

Details of a new vulnerability in IE6 and IE7 were published on the internet at the beginning of last week, before Microsoft was aware of the problem. Microsoft has issued a security advisory but has yet to announce an update to correct the problem. Like previous vulnerabilities (see here and here), recommended workarounds and protection measures place heavy (unrealistic?) demands on users, and the risks remain high — an attacker can inherit the user’s access rights on the attacked machine. IE6 and IE7 are still the most widely used browsers on enterprise networks.

It’s worth remembering that even the most well-informed users can fall victim to a web-based attack. It happened to well-known security expert Gadri Evron, who unwittingly helped propagate a worm on Facebook. While Facebook reacted quickly to the attack, it’s interesting to note the propagation method was based on clickjacking rather than on XSRF as some early blog posts said.

Version 1.1 of the Virtual Browser solution enhances the product with new features facilitating seamless integration with the enterprise infrastructure:

• Strong authentication based on X.509 certificates increases protection for the enterprise and reduces the risk of security being breached by simple password theft from a compromised terminal.
• Role-based administrator access ensure that each admin only has the authority to execute authorised tasks (eg configuration, monitoring, etc).
• An IE6 rendering engine provides support for older web-based applications, incompatible with more recent browsers.
• Virtual Browser client installations are now available for Apple Macintosh OSX and Linux platforms, in addition to the Microsoft Windows client.

Additional minor modifications have been made to improve performance and ease of use, so that Virtual Browser remains the best solution for secure web access in the enterprise.

The SANS Institute, internationally recognized for its leadership in information security training and certification, has just published a threat report under the title “The Top Cyber Security Risks“. It comes as no surprise to us at commonIT that the report clearly identifies web usage as the key vector for attacks, whether at the client side or on the server.

The report leads by identifying two priorities that need addressing: unpatched client-side software, and vulnerabilities in Internet-facing web sites. Based on data collected between March and August of this year, the authors show that application vulnerabilities now far exceed those being discovered in the operating system, commenting that “browsers and client-side applications that can be invoked by browsers seem to be consistently targeted”.

A well-developed tutorial included in the report describes one specific way in which the enterprise can expose itself to web-based penetration. But the report is full of interesting data, and merits the time to read it for any information security professional.

And so to Virtual Browser. If we find the report particularly interesting and relevant, it’s not just for the quality of the data. It’s also because our Virtual Browser technology successfully addresses and mitigates the situations described, something no other technology on the market today is capable of. By putting the browser in a datacenter-hosted virtual machine and isolating browsing sessions from each other, the enterprise is fully protected whether the client side or server side is compromised. Virtual Browser — the enterprise browser solution, Secure by Design.

Does what, exactly? Why, winning the Monaco Grand Prix, of course! When commonIT heads for Monaco next month we won’t be trying to emulate Formula 1 drivers (though some of the team regret this) — but we’re going there to win.

From October 7th to 10th around a thousand of the most senior CSOs representing practically every major enterprise, ministry and government and local authority agency in France will be in Monaco for the ninth annual “Assises de la sécurité” get-together. As one of the sponsors of the event commonIT will man a stand for the three days of conferences and workshops, and deliver a 40 minute workshop on virtualisation and browser security. Through a partnership with the French edition of Global Security Mag all delegates will also receive a copy of a new white paper on enterprise web security developped by commonIT — the English version will be available shortly, watch this blog!

The three days of close interaction with high-level contacts from every sector of the French economy are a once-a-year opportunity to reach key decision makers, to spread the Virtual Browser message, to listen to their needs, and to detect new business opportunities. That’s why we’re sending a team of three people; commonIT will represented by Daniel, Albino and myself. Just like Jenson Button, we’re going there to win. But we’ll be driving a little more slowly.

The summer holiday period offered little rest for the information security specialist, with a series of browser and plugin vulnerabilities coming to light. Mathieu covered them here, here and here.

Then last week news broke that as many as 57,000 websites (a later report increases the estimate to 70,000) are contaminated with a malicious javascript. And we’re not talking about obscure pages on dubious, rarely visited websites in the outer reaches of the internet; a major New York hospital, medical charities, educational institutes, and a legal partnership all figure in the list of infected sites.

Back in the days when the floppy disk (for those who remember them) was the main method by which viruses were transmitted from one PC to the next, it was common for enterprise administrators to remove or disable the drives. Given today’s security risks, questions must be asked about the future of the internet in the enterprise. Should internet access simply be banned for end users? That’s clearly not the way forward. The web is a powerful communications tool, boosting productivity and competitivity. Added to which today’s users are not just internet-aware, they’re practically dependent on the web and will revolt against any restrictions on access.

So how can the enterprise deliver end-user internet access without leaving its own networks and systems susceptible to attack? With Virtual Browser “internet access” no longer means “connected to the internet.” The end-user’s PC doesn’t bounce from website to potentially risky website following the user’s mouse clicks. The user connects to a browser instance running as a virtual machine hosted in the secure environment of the datacenter. It is this hosted browser which connects to the internet. It’s as if, back in the days of the floppy, we could read and write to the disk without inserting into the drive — so that there was no risk of viruses infecting our PC.

The fourth 0-day vulnerability (after this one and these) in only two weeks has just appeared and it is targeting one of the most used plugins: the Flash Player from Adobe which is used to make web sites visually appealing, to watch videos on YouTube, to play online games, …

What do we face:

• A critical vulnerability in the Flash player (at least in version 9 and 10) which can be exploited from all browsers and OS when accessing a compromised website (drive-by attack) or when viewing a malicious PDF using Adobe Acrobat Reader ;
• Both exploitation methods have already been seen in the wild ;
• No mitigation methods except removing the Flash player or some of its components ;
• Javascript desactivation will not protect against all kind of exploitation ;
• Adobe will not release security updates until July 30.

What do you do ?

Most of the browsers are impacted by security issues in early July.

• After the vulnerability in the Video Control component which is still not patched by Microsoft, it is now the Office Web Components Control which is actively exploited on Internet to take ownership of Internet Explorer by executing remode code… [Microsoft Security Advisory 973472]
• Mozilla has quickly published Firefox 3.5.1 to fix a critical vulnerability in the Javascript engine which can be used to execute remote code. Since then, a new vulnerability has been discovered but Mozilla argue that it is not exploitable, it is just a DoS vulnerability…
• Google has published in advance a new version (2.0.172.37) of Google Chrome which fix two critical vulnerabilities discovered by the Google security team (not yet public). On these two vulnerabilities, the sandbox technology used by Google is only able to mitigate one…
• Apple has fixed two critical vulnerabilities in Safari 4.0.2 : cross-site scripting, denial of service and remote code execution…

A new 0-day vulnerability in Microsoft’s ActiveX Video Control puts, once again, the focus on browser security. Thousands of web sites (most are compromised) are already used to exploit this vulnerability and take control of the user’s workstations.

Microsoft has already published a security advisory and a technical analysis on its security blog, but no security update. The only workaround is to use the famous Kill-bit to disable this ActiveX control (or to surf using another browser than IE…). Still, Microsoft deserves a red card because the CVE number (CVE-2008-0015) and its creation date prove that they were aware of this vulnerability since 18 months.

At commonIT, our virtualized browser product, Virtual Browser, can protect users, by design against these kinds of attack. Indeed, even when using the Internet Explorer rendering engine, the successful exploitation of this vulnerability will not take ownership of the user’s workstation or company network or other trusted web applications. Any malicious code will be automatically destroyed when the user closes the window. Stress-free Internet?

It’s a mistake to think that the core security issues on the internet are purely technical issues. They are not. Security on the Internet is largely a problem of the trust relationships linking several components:

• The trust a user has in the browser and its capacity to deliver reliable information, while protecting the user;
• The trust between a browser and its trusted certificate authority (CA) list ;
• The trust that the entire IT industry has with respect to the various certificate authorities (CA) and their ability to reliably authenticate certificate owners, to verify their information and to technically protect the underlying mechanism.

If only one element of the trust chain is broken, the entire security model is at risk, as this has been demonstrated recently:

• Eddy Nigg, founder of StartCom, has revealed that certstar, a reseller for the Comodo certificate authority was not verifying the provided information before signing SSL certificates (and certstart was using suspicious renewal scams to get more customers). Eddy easily obtained a certificate for the mozilla.com domain with no relationship with that organization. Comodo reacted immediately once the information had been revealed, revoking the certificate and launching an internal investigation into certstar. Mozilla is seeking stronger assurances from Comodo that they are doing their job professionally, and has threatened to remove Comodo from its trusted CA list if this is not the case.
• A group of researchers presented their work on the creation of a rogue CA certificate, recognized as trusted by the various browsers, and which can be used to generate an on-demand certificate for any secure website at the 25th CCC conference (Chaos Communication Congress). The technique exploits known weaknesses in the MD5 algorithm, still used by some authority certifications. Using a cluster of 200 PS3s, they can relatively rapidly generate a CA certificate with the same MD5 hash value as a RapidSSL certificate signed at their request. With this sort of certificate, they are able to impersonate any secure web site to launch man in the middle attacks. Verisign reacted immediately, banning the use of MD5 by its certification authorities to prevent a possible reproduction.

So it’s clearly difficult for users to be sure they can trust a web site even with all the trust indicators given by his browser. An up-to-date browser and checking of every certificate (using OCSP) remains the best way to surf with low risk. And be sure of what you are doing before accepting an untrusted certificate because basic MITM attacks exist in the wild.

A few months ago, Window Snyder (Chief Security Officer at Mozilla Corporation), in an interview for Computerworld, explained that it is impossible to build a perfectly secure browser. Reading the Browser Security Handbook published a few days ago by Google helps us understand why this is the case. And when the browser is required to support more and more file formats, the number of potential vulnerability sources is more and more important.

“It’s impossible to build a perfectly secure browser” — Window Snyder

And then last week we learnt that Microsoft is being hit by a critical vulnerability in IE (perfectly analyzed by websense) which is heavily exploited to infect Windows hosts. Discovered at the same time as the December Patch Tuesday, the vulnerability is likely to do a lot of damages before Microsoft is able to publish a hotfix, especially as the available workarounds are not easy to apply. To contain the risk, Microsoft should release an out-of-band patch for IE immediately.

Which leads us to the inevitable conclusion that the browser is an incredibly risky environment, constantly under attack; and sooner or later, a zero-day attack, a previously unkown vulnerability, or simply a badly designed plug-in will leave your information systems exposed. The solution is to put the browser in a virtualized environment, preventing web-based malware infecting the user’s PC before spreading across the corporate network.