browser


Browser updates

Most browsers were impacted by security issues in early July.

A few months ago, Window Snyder (Chief Security Officer at Mozilla Corporation), in an interview for Computerworld, explained that it is impossible to build a perfectly secure browser. Reading the Browser Security Handbook published a few days ago by Google helps us understand why this is the case. And as the browser is required to support more and more file formats, the number of potential sources of vulnerabilities keeps growing.

“It’s impossible to build a perfectly secure browser” — Window Snyder

And then last week we learnt that Microsoft is being hit by a critical vulnerability in IE (perfectly analyzed by Websense) which is heavily exploited to infect Windows hosts. Discovered at the same time as the December Patch Tuesday, the vulnerability is likely to do a lot of damage before Microsoft is able to publish a hotfix, especially as the available workarounds are not easy to apply. To contain the risk, Microsoft should release an out-of-band patch for IE immediately.

Which leads us to the inevitable conclusion that the browser is an incredibly risky environment, constantly under attack; and sooner or later, a zero-day attack, a previously unknown vulnerability, or simply a badly designed plug-in will leave your information systems exposed. The solution is to put the browser in a virtualized environment, preventing web-based malware from infecting the user’s PC before spreading across the corporate network.

November 2008 has seen a slew of vulnerabilities impacting every main browser on the market. Among them, Safari and Firefox are the most impacted:

  • Safari 3.2 includes corrections for 11 vulnerabilities which can lead to code execution, denial of service or information disclosure. An anti-phishing filter and support for EV certificates have also been added in response to criticisms from PayPal.
  • Firefox 3.0.4 fixes 9 vulnerabilities with 4 rated as critical. Impacts of these vulnerabilities include denial of service, code execution, privilege escalation and information theft. For users of Firefox 2, these fixes are included in the 2.0.0.18 version.

While other browsers were impacted by fewer vulnerabilities, updates were issued for:

If you feel unsafe using the browser on your computer and want more details on browser virtualization and web session partitioning: www.commonit.com.