With the spate of web browser vulnerability announcements this year, many of them true zero-day vulnerabilities, the topic of browser security is as hot as it has been in the past five years. And perhaps the hottest issues surrounding Patch Tuesday this month don't involve the 10 security bulletins Microsoft published as scheduled, but the fix that was released two weeks prior to Patch Tuesday - out of schedule.
We're talking about Microsoft's Security Bulletin MS06-055 that hit on Tuesday, Sept. 26. Microsoft understood the urgency, so it issued the patch "out-of-cycle" to fix a security flaw that affected Internet Explorer (IE). The flaw was being actively exploited by attackers, creating a security gap that could let attackers gain full control of end-user systems by simply visiting a maliciously crafted website.
This most recent IE flaw is only one of several high-profile zero-day vulnerabilities that affect this browser. But overall, browser vulnerabilities are increasingly being discovered - including zero-days - and they're affecting nearly every browser on the market. Even Firefox, long thought of as more secure, has had more than a dozen vulnerabilities announced this year.
All of this is yet another sign that hackers are doing everything they can to exploit client-side applications, and they're turning to more sophisticated tools, such as fuzzers, to get the job done. Fuzzers are security tools that can be powerful aids within a software developer's toolbox for finding security flaws. Unlike people, fuzzers hold no preconceived notions about how a program will, or should, operate, including what is likely to be inserted into an input field. They employ fuzzy logic that generates a swath of random information to ferret out input errors and other types of programming blunders that often lead to vulnerabilities.
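To make the idea concrete, here is an added example (not code from this article or from Qualys): a minimal mutation fuzzer in Python, run against a constructed toy record parser that trusts its own length header, alongside the bounds-checked version of the same parser. The record format, the function names and the seed input are all assumptions made for the example.

```python
import random

def parse_record(data: bytes) -> bytes:
    # Constructed toy target: byte 0 declares the payload length, the payload
    # follows, then a one-byte checksum. The blunder: the header is trusted, so
    # a length that lies sends the checksum lookup past the end of the buffer
    # (IndexError here; the same mistake is an out-of-bounds read in C).
    if not data:
        raise ValueError("empty record")
    declared = data[0]
    payload = data[1:1 + declared]
    if data[1 + declared] != sum(payload) & 0xFF:
        raise ValueError("bad checksum")
    return payload

def parse_record_fixed(data: bytes) -> bytes:
    # The fix: validate the declared length against what is actually present.
    if len(data) < 2 + (data[0] if data else 0):
        raise ValueError("truncated record")
    return parse_record(data)

def mutate(seed_input: bytes, rng: random.Random) -> bytes:
    # One to four random edits: bit flips, inserted bytes and deleted bytes.
    data = bytearray(seed_input)
    for _ in range(rng.randint(1, 4)):
        op = rng.choice(("flip", "insert", "delete"))
        if op == "insert":
            data.insert(rng.randint(0, len(data)), rng.randrange(256))
        elif not data:
            continue
        elif op == "flip":
            data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
        else:
            del data[rng.randrange(len(data))]
    return bytes(data)

def fuzz(target, seed_input: bytes, iterations: int = 2000, seed: int = 1):
    # ValueError is the parser's own rejection of bad input; anything else is
    # a crash. Returns (iteration, crashing_input, exception_name) or None.
    rng = random.Random(seed)
    for n in range(iterations):
        case = mutate(seed_input, rng)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:
            return n, case, type(exc).__name__
    return None

# Valid seed record (constructed): length 5, payload "hello", checksum byte.
SEED_INPUT = bytes([5]) + b"hello" + bytes([sum(b"hello") & 0xFF])
```

Running `fuzz(parse_record, SEED_INPUT)` returns the first mutated record that crashes the trusting parser, while `fuzz(parse_record_fixed, SEED_INPUT)` returns `None` because every malformed input is rejected cleanly.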
Attackers are upping their web browser vulnerability discovery tactics, and their toolsets, largely as a result of the increasing profits associated with illegal hacking: whether it's getting paid for displaying pop-up advertisements and installing spyware that snoops on users' web browsing habits, or the clandestine insertion of trojans designed to pilfer passwords and account information, which can lead to the theft of financial account information and, ultimately, identity theft.
The increased sophistication and profit motive associated with hacking web browsers, coupled with the browser becoming an ever-more important part of ecommerce and the delivery of powerful, on-demand web applications, means that the browser will continue to be a flash point in the race between attackers and security professionals struggling to keep corporate systems secure.
One of the greatest challenges in keeping internet surfing safe is the fact that there is no single, easy solution for security professionals to employ. Browser vulnerabilities and maliciously crafted websites can't be solved by firewall policies: traffic over port 80 must flow. While desktop firewalls and anti-virus software can be of some help, their signatures often come days after exploits have been unleashed and attacks are underway. Content filtering at the internet gateway can also provide an additional layer of defense, but as admirable as the efforts of these security vendors are in keeping their filters updated with the latest malicious URLs, it's still a reactive technology. And then there are patches: keeping these updated is also crucial, but this tactic is of no use in the days, and too often weeks, during which zero-day browser exploits circulate on the internet.
The failure of security technology alone to adequately solve this problem means end-user security awareness is more important than ever. Employees need to be incessantly reminded not to visit websites they don't trust or open e-mails that look fraudulent and come from people they don't know. They need to know that dangerous, maliciously crafted websites and HTML e-mail can mean more than nefarious pop-up advertisements being displayed on their system, or system performance slowed by spyware infestations. They need to know that what is at stake is not only the security and confidentiality of the information stored on their system and their personal account and identity information, but also all of the organization's intellectual property and customer information that resides within, and traverses, the enterprise network.
Until application development and security technologies reach a point where web browsing is relatively safe, employee security awareness will remain the last, and most crucial, line of defense against zero-day web browser vulnerabilities.
Amol Sarwate is director of Qualys' vulnerability research lab.