vulnerabilities

Yes, Microsoft publishes yet another security alert for Internet Explorer. It allows an attacher access to any file on the system, and all versions of Internet Explorer are vulnerable — though the default configuration in the most recent versions of Windows (Vista, Server 2008, or 7) will block attempts to exploit the vulnerability. This leaves Windows XP deployments at risk; that’s 66% of the market according to NetMarketshare.

Bernard Ourghanlian, Director of Security at Microsoft France, has an interesting (for us) take on the issue. Interviewed by journalists for French web media Clubic, he says “We would love to put Internet Explorer 6.0 behind us, but we simply can’t. For an enterprise, deploying a new navigator is a huge job. As long as Microsoft offers support for Windows XP (up to 2014), Internet Explorer 6.0 will also be supported.”

Putting to one side (for the moment) the fact that this new vulnerability is one more proof point for the session isolation we’ve developped with Virtual Browser, Ourghanlian’s words highlight a further problem with the management of desktop navigators as part of the enterprise infrastructure: deployment, updates, patching… all these tasks represent significant management and support overheads for the enterprise. The centralized architecture of Virtual Browser makes updates, whether to the browser or its plugins, trivial, and means that every user sees the updated browser, instantly.

There’s nothing new under the sun, they say; they could have been talking about browser security issues. There’s clearly a need for a revolution in the browser architecture — run-time environment, deployment, and support tools. That’s what we’re working on and where we’re going with Virtual Browser.

On January 15th the German federal information security agency BSI and the French equivalent CERTA both issued bulletins recommending the use of products other than Microsoft Internet Explorer, following a security alert from Microsoft the previous day.

According to French agency CERTA the vulnerability in IE would allow an attacker to remotely execute code on the user’s PC, to steal data or compromise the system. Some of the world’s largest corporations, including Google, appear to have been victims of attacks.

This is the first time that official national IT security agencies have explicitly warned against the use of a specific product due to vulnerabilities. In this case, though, the vulnerabilities are present in every release of the product back to version 6.0. Some two-thirds of internet users browse with IE, meaning the potential for damage is huge. Many enterprises and government agencies deliver IE 6.0 or 7.0 as part of the standard end-user desktop environment; the risk of a crippling attack on industry and/or government networks called for action.

This time Internet Explorer has been identified as vulnerable. But the reality is that it’s the underlying architecture of industry-standard web browsers that’s at fault. That’s why we’ve taken an entirely new approach with Virtual Browser. The only truly effective way to protect sensitive corporate or government networks is to isolate the browser using virtual machines in a secure, centralized hosting environment. With the session isolation feature of Virtual Browser any attack is contained within the session; should the session be compromised, it’s just a virtual machine and the attack is eliminated when the virtual machine is shut down at the end of the session. Whether it’s Internet Explorer or on of the alternatives running in the Virtual Browser session, users can continue to browse safe in the knowledge that their data – and their employer’s – is fully protected against the exploitation of any browser vulnerability.

Malware researchers at McAfee Labs, the research division of McAfee, have just published their annual report “2010 Threat Predictions”. The browser, unsurprisingly, continues to be the principal vector for attacks, according to the report; the news is that social networking sites are fast becoming the main source of threats. One simple example: the popularity of URI shorthands (bit.ly, tinurl.com) to save characters in Twitter makes it easy to get even the most aware user to click on a “poisoned” link which may download malware or launch a cross-site attack.

The McAfee report also discusses the recent growth in exploits taking advantage of vulnerabilities in helper applications and browser plug-ins such as Adobe Acrobat and Flash. And they highlight the risk of HTML 5.0 “blurring and removing the lines between a web application and a desktop application”. The need for the enterprise to isolate different web usages based on security policies will become increasingly urgent in 2010.

Details of a new vulnerability in IE6 and IE7 were published on the internet at the beginning of last week, before Microsoft was aware of the problem. Microsoft has issued a security advisory but has yet to announce an update to correct the problem. Like previous vulnerabilities (see here and here), recommended workarounds and protection measures place heavy (unrealistic?) demands on users, and the risks remain high — an attacker can inherit the user’s access rights on the attacked machine. IE6 and IE7 are still the most widely used browsers on enterprise networks.

It’s worth remembering that even the most well-informed users can fall victim to a web-based attack. It happened to well-known security expert Gadri Evron, who unwittingly helped propagate a worm on Facebook. While Facebook reacted quickly to the attack, it’s interesting to note the propagation method was based on clickjacking rather than on XSRF as some early blog posts said.

November 2008 has seen a slew of vulnerabilities impacting every main browser on the market. Among them, Safari and Firefox are the most impacted:

• Safari 3.2 includes corrections for 11 vulnerabilities which can lead to code execution, denial of service or information disclosure. An anti-phishing filter and support for EV certificates have also been added in response to criticisms from PayPal.
• Firefox 3.0.4 fixes 9 vulnerabilities with 4 rated as critical. Impacts of these vulnerabilities include denial of service, code execution, privilege escalation and information theft. For users of Firefox 2, these fixes are included in the 2.0.0.18 version.

While other browsers were impacted by fewer vulnerablities, updates were issued for:

• Internet Explorer: Microsoft has published a critical security advisory (MS08-069) concerning Microsoft XML Core Services which includes fixes for remote code execution and information disclosure vulnerabilities. This security update also includes protection to forbid access to HttpOnly cookies by XMLHTTPRequest objects, to prevent or mitigate exploitation of an XSS vulnerability.
• Google Chrome has fixed a vulnerability which can be used to send local files to an external server. This fix is currently only available in the developer version.
• Opera release 9.62 fixes a remote code execution vulnerability.

If you feel unsafe using the browser on your computer and want more details on browser virtualization and web session partitioning: www.commonit.com.