Starting this month, a host of popular Web sites will warn users who are surfing the Web on outdated browsers. The effort, spearheaded by the Online Trust Alliance, aims to move the low-hanging fruit of easy-to-attack legacy browsers a little bit higher.
To protect against attacks, companies need to deploy a wide range of defensive strategies, and an efficient patching cycle is a good first step. Many companies fail to use up-to-date browsers for fear of breaking compatibility with a critical enterprise application. Currently, Internet Explorer 6 — an easy target for attackers — is still used by nearly 10 percent of Web visitors.
“Clearly, businesses need to move off of IE 6 and IE7,” says Craig Spiezle, president and executive director of the Online Trust Alliance. “And they need to move off as quickly as possible because the browser is the first line of defense.”
The OTA initiative, dubbed “Why Your Browser Matters,” aims to increase the visibility of out-of-date browsers in an attempt to get more people and organizations to upgrade to the latest, and ostensibly the most secure, versions. Dealing with the patching issue will not be easy, says Rik Ferguson, director of security research for Trend Micro. Many companies do not have a good patching process in place and are concerned that updating will break tenuous IT connections.
While the OTA initiative is a good first step, experts warn that managing vulnerable browsers only starts with a patch. Attackers are more often exploiting flawed plug-ins, not just the browser software. Adobe Reader and Flash, Oracle’s Java, and other browser enhancements have become prime targets for malicious code, Ferguson says. “Many attacks come through the browser — but it is not just because the browser it is out of date. It is because the plug-ins are out of date,” he says.
An attack on Pacific Northwest National Laboratories is a case in point. An attacker compromised PNNL’s public-facing Web site, installing a zero-day exploit for Adobe Flash and compromising not only visitors, but also employees visiting the site. Having an up-to-date browser would not have helped, says Jerry Johnson, chief information officer for PNNL. “By and large, we are running up-to-date browsers,” Johnson says. “Our basic philosophy is that you are going to get hacked, so it is important that you can detect and contain.”
The lesson that Johnson took from the attack is that the browser has to be separated from other parts of the operating system and sandboxed. Unfortunately, while browser makers are moving toward sandboxing the software, the plug-ins are not usually contained, he says.
Overall, browsers dramatically increase the attack surface area of a company’s information systems, says Anup Ghosh, chief scientist with software security firm Invincea. “It is not just the browser, but the browser and all the plug-ins and extensions that a company puts on the systems, along with all the operating systems libraries that the browser calls — that becomes your total attack surface area,” Ghosh says. “It is impossible to write a secure browser.”
Isolating the browser from the rest of the operating system can mitigate risk, Ghosh states. VMWare’s free Player is an example of a product that cordons off the Internet from the rest of the operating system by isolating the browser in a virtual machine. Invincea’s own product, Browser Protection, uses a similar technique to start a browser from a clean state each time the user runs the software, preventing malicious code from breaking out. In addition, the software instruments the virtualized instance to detect possible attacks.
However a company decides to add defenses, moving beyond patching is important, says Ghosh.
“By the time you get the patch, the adversaries have typically had one month to exploit it,” he says. “Patching is good hygiene, but it is not security.”