IE

Google started it. When Google launched the Chrome browser some three years ago, one of the key security features was automatic updating. New code releases are downloaded in the background while the browser is running, and applied the next time the user re-starts the browser.

Google argues that this boosts security, compared with the splash screens and user dialogs of other browsers. Faced with the choice of (1) waiting for update code to download, waiting for the update to install, and waiting for the browser to restart, or (2) clicking “Cancel” and continuing to the page they wanted to reach when they launched the browser, many (too many) users choose option 2. The result? Out-of-date browser versions with unpatched security vulnerabilities.

Microsoft has now announced the introduction of silent updating for Internet Explorer, and Mozilla expects to bring out silent updates for Firefox in an as-yet unspecified future release.

Not everybody’s happy. Enterprise IT operations, particularly end-user support teams, will be in the front line when users find themselves unable to access a business-critical application which turns out not to be compatible with the latest version of the user’s favorite browser.

As long as users were primarily sat in front of corporate-issue MS Windows desktops, updates were under the control of the IT department. New browser releases could be tested against business applications for compatibility before being deployed to the desktop. In the age of BYOD, however, support and maintenance of the end-point environment is in the hands of the user; you can’t impose a locked-down corporate configuration on a device owned by the employee.

AirShip, the enterprise browser, has been designed to give control back to the IT department. The AirShip browser can be installed on a range of end-point technologies. It supports concurrent execution of multiple browser configurations, centrally managed and deployed to end user devices. With AirShip, the user connects to enterprise applications using the optimum browser release and configuration as defined by the system administrator. And AirShip can happily coexist with industry-standard browsers, so end-users can enjoy the latest release of their favorite browser for personal use while AirShip delivers a managed environment for professional use.

Yes, Microsoft publishes yet another security alert for Internet Explorer. It allows an attacher access to any file on the system, and all versions of Internet Explorer are vulnerable — though the default configuration in the most recent versions of Windows (Vista, Server 2008, or 7) will block attempts to exploit the vulnerability. This leaves Windows XP deployments at risk; that’s 66% of the market according to NetMarketshare.

Bernard Ourghanlian, Director of Security at Microsoft France, has an interesting (for us) take on the issue. Interviewed by journalists for French web media Clubic, he says “We would love to put Internet Explorer 6.0 behind us, but we simply can’t. For an enterprise, deploying a new navigator is a huge job. As long as Microsoft offers support for Windows XP (up to 2014), Internet Explorer 6.0 will also be supported.”

Putting to one side (for the moment) the fact that this new vulnerability is one more proof point for the session isolation we’ve developped with Virtual Browser, Ourghanlian’s words highlight a further problem with the management of desktop navigators as part of the enterprise infrastructure: deployment, updates, patching… all these tasks represent significant management and support overheads for the enterprise. The centralized architecture of Virtual Browser makes updates, whether to the browser or its plugins, trivial, and means that every user sees the updated browser, instantly.

There’s nothing new under the sun, they say; they could have been talking about browser security issues. There’s clearly a need for a revolution in the browser architecture — run-time environment, deployment, and support tools. That’s what we’re working on and where we’re going with Virtual Browser.

On January 15th the German federal information security agency BSI and the French equivalent CERTA both issued bulletins recommending the use of products other than Microsoft Internet Explorer, following a security alert from Microsoft the previous day.

According to French agency CERTA the vulnerability in IE would allow an attacker to remotely execute code on the user’s PC, to steal data or compromise the system. Some of the world’s largest corporations, including Google, appear to have been victims of attacks.

This is the first time that official national IT security agencies have explicitly warned against the use of a specific product due to vulnerabilities. In this case, though, the vulnerabilities are present in every release of the product back to version 6.0. Some two-thirds of internet users browse with IE, meaning the potential for damage is huge. Many enterprises and government agencies deliver IE 6.0 or 7.0 as part of the standard end-user desktop environment; the risk of a crippling attack on industry and/or government networks called for action.

This time Internet Explorer has been identified as vulnerable. But the reality is that it’s the underlying architecture of industry-standard web browsers that’s at fault. That’s why we’ve taken an entirely new approach with Virtual Browser. The only truly effective way to protect sensitive corporate or government networks is to isolate the browser using virtual machines in a secure, centralized hosting environment. With the session isolation feature of Virtual Browser any attack is contained within the session; should the session be compromised, it’s just a virtual machine and the attack is eliminated when the virtual machine is shut down at the end of the session. Whether it’s Internet Explorer or on of the alternatives running in the Virtual Browser session, users can continue to browse safe in the knowledge that their data – and their employer’s – is fully protected against the exploitation of any browser vulnerability.

Details of a new vulnerability in IE6 and IE7 were published on the internet at the beginning of last week, before Microsoft was aware of the problem. Microsoft has issued a security advisory but has yet to announce an update to correct the problem. Like previous vulnerabilities (see here and here), recommended workarounds and protection measures place heavy (unrealistic?) demands on users, and the risks remain high — an attacker can inherit the user’s access rights on the attacked machine. IE6 and IE7 are still the most widely used browsers on enterprise networks.

It’s worth remembering that even the most well-informed users can fall victim to a web-based attack. It happened to well-known security expert Gadri Evron, who unwittingly helped propagate a worm on Facebook. While Facebook reacted quickly to the attack, it’s interesting to note the propagation method was based on clickjacking rather than on XSRF as some early blog posts said.

Most of the browsers are impacted by security issues in early July.

• After the vulnerability in the Video Control component which is still not patched by Microsoft, it is now the Office Web Components Control which is actively exploited on Internet to take ownership of Internet Explorer by executing remode code… [Microsoft Security Advisory 973472]
• Mozilla has quickly published Firefox 3.5.1 to fix a critical vulnerability in the Javascript engine which can be used to execute remote code. Since then, a new vulnerability has been discovered but Mozilla argue that it is not exploitable, it is just a DoS vulnerability…
• Google has published in advance a new version (2.0.172.37) of Google Chrome which fix two critical vulnerabilities discovered by the Google security team (not yet public). On these two vulnerabilities, the sandbox technology used by Google is only able to mitigate one…
• Apple has fixed two critical vulnerabilities in Safari 4.0.2 : cross-site scripting, denial of service and remote code execution…

A few months ago, Window Snyder (Chief Security Officer at Mozilla Corporation), in an interview for Computerworld, explained that it is impossible to build a perfectly secure browser. Reading the Browser Security Handbook published a few days ago by Google helps us understand why this is the case. And when the browser is required to support more and more file formats, the number of potential vulnerability sources is more and more important.

“It’s impossible to build a perfectly secure browser” — Window Snyder

And then last week we learnt that Microsoft is being hit by a critical vulnerability in IE (perfectly analyzed by websense) which is heavily exploited to infect Windows hosts. Discovered at the same time as the December Patch Tuesday, the vulnerability is likely to do a lot of damages before Microsoft is able to publish a hotfix, especially as the available workarounds are not easy to apply. To contain the risk, Microsoft should release an out-of-band patch for IE immediately.

Which leads us to the inevitable conclusion that the browser is an incredibly risky environment, constantly under attack; and sooner or later, a zero-day attack, a previously unkown vulnerability, or simply a badly designed plug-in will leave your information systems exposed. The solution is to put the browser in a virtualized environment, preventing web-based malware infecting the user’s PC before spreading across the corporate network.