Friday, May 24, 2013

Do you use Google Chrome as your browser? Beware!


Vulnerabilities have always been among the hot topics of discussions in the security domain. With the increasing usage of browsers now a days, they are slowly becoming a major form of vulnerability. Browsers are highly sensitive components of computing, as they act as a door through which users interact with the Internet. They are used to reach and interpret Web content developed by all kinds of people including professionals and amateurs, offering everything from benign to malicious content.
For most people, their web browser is central to their interaction with the Internet. It not only helps them to connect to global web sites but also allows them to consume online services providing everything from booking flights, banking services to online shopping. This reality makes browsers a key tool when evaluating the security experience of users, as the browser interprets Web content and programs delivered from around the world. Considering the vulnerabilities seen in the past, we can categorize them into 4 categories, namely:

  • Critical: Vulnerabilities that are used to run attacker code and install software, requiring no user interaction beyond normal browsing, can be categorized as critical.
  • High: Vulnerability that can be used to interact and gather sensitive data from other sites the user is visiting or inject data or code into those sites, requiring no more than normal browsing actions, can be categorized as highly vulnerable.
  • Moderate: Vulnerabilities that would otherwise be under the banner of ‘High’ or ‘Critical’, but only work in uncommon non-default configurations or require the user to perform complicated and/or unlikely steps, fall under the moderate category.
  • Low: Minor security vulnerabilities such as Denial of Service attacks, minor data leaks, or spoofs fall under the low range of browser vulnerabilities. (Undetectable spoofs of SSL indicia would have “High” impact because those are generally used to steal sensitive data intended for other sites.)

Why focus on Browser Vulnerability

In recent years the Web browser has increasingly being targeted by attackers primarily to utilize them as an infection vector for vulnerable hosts. Traditionally in service-centric vulnerability exploitation, attackers primarily scan and then remotely connect to vulnerable hosts (typically servers) in order to exploit them. Unlike these, Web browser vulnerabilities are commonly exploited when the user of the vulnerable host visits a malicious Web site. Attacks against Web browsers depend upon the kind of malicious content being rendered by the appropriate built-in interpreter (e.g., HTML, JavaScript, CSS, etc.) or vulnerable plug-in technology (e.g., Flash, QuickTime, Java, etc.). Vulnerabilities lying within these rendering technologies are then exposed to any exploit techniques or malicious code developed by the attacker.
Vulnerability trend reports have indicated that remotely exploitable vulnerabilities have been increasing since the year 2000. A growing percentage of these remotely exploitable vulnerabilities are associated with Web browsers. Profit motivated cyber-criminals have rapidly adopted Web browser exploitation as a key channel for malware installation. Due to the methodology of exploiting Web browser vulnerabilities and the unpredictable browsing patterns of typical users, criminals need to use a mix of popular and high-traffic websites, or incentivize users through email spam, with URLs directing potential victims to Web servers hosting their malicious content, for widespread infection of vulnerable hosts. The former method is commonly known as ‘drive-by download’, where drive-by refers to the fact that Web browsers must initially navigate to a malicious page and download refers to the covertly downloaded and executed malware – typically trojans.
As popularity of this attack vector has blossomed, there have been frequent reports of hundreds of thousands of Web sites succumbing to mass-defacement, where the defacement often consists of an embedded iframe. These iframes typically include content from servers hosting malicious JavaScript code designed to exploit vulnerabilities accessible through the user’s Web browser and subsequently to initiate a drive-by malware download. These mass-defacements cause once-benign sites to turn against their visitors. Even pages owned by institutions like the United Nations (un.org), the UK government (.gov.uk) and many other popular websites have succumbed to such attacks.

The Browser as an Attack Vector

To understand more about client side, browser based attack and defenses, it is helpful to first analyze the reasons for the increase in popularity of targeting the browser as an attack vector. Through this analysis one can more acutely understand the causes driving the increase in attacks against the client side browser vector.
Here is an image stating the number of users who are using browser in the time span of last 15 Year.

Browser statistics for the last year

In order to understand the topic more in depth, let’s first look at which browser was the most popular last year-2012. Find below statistics for various commonly used browsers for the last year.

Internet Explorer – IE

IE is a series of graphical web browsers developed by Microsoft and included as part of the Microsoft Windows line of operating systems, starting in 1995. According to Cyberoam research, 17.1% users used Internet explorer in last year.

Firefox

Mozilla Firefox is a free and open source web browser, developed for Microsoft Windows, OS X and Linux coordinated by Mozilla Foundation and its subsidiary, the Mozilla Corporation. According to Cyberoam’s recent research data, 31% user used Firefox in last year.

Chrome

Google Chrome is a free web browser, developed by Google that uses the WebKit layout engine. According to the recent Cyberoam research data, 41% users used Chrome in the last year.

Conclusion

According to the Cyberoam research data, Chrome is used more than Firefox and IE and rest of browser.
Year Google Chrome Firefox IE Rest of Browser
2012(Last Year) 41% 31% 17.10% 10.90%

Types of common vulnerabilities that exist in the browser

Roughly 80% of browsers today are insecure, owing to the fact that they host a known vulnerability either in the browser itself, or due to a vulnerable plug-in, such as an outdated version of Shockwave, Flash, the Java runtime environment, or QuickTime, says a research conducted by vulnerability management and security policy compliance vendor Qualys.
The results are based on the inputs from 2,00,000 people who, over the past 6 months, used the company’s free Browser Check tool, which hunts for known vulnerabilities in Internet Explorer, Firefox, Chrome, Safari, and Opera browsers, running on Windows, Mac OS X, or Linux machines. About 10% of people who used the tool appeared to be doing so from a corporate network.
The most common insecure browser plug-ins in use were (in order):
  • Java
  • Adobe Reader
  • QuickTime
  • Flash
  • Shockwave
  • Windows Media Player
Total number of vulnerabilities that existed in the Browser across the last Three Year includes:
Total Vulnerability in last three years In browser % Browser Vulnerability
14578 2278 Approx 20% of the total vulnerability

Internet Explorer more secure than Chrome and Firefox

Last Three Year browser vulnerability

For many years, there were three alternatives to IE; Firefox, Safari and Opera. In 2008 Google announced a new web browser ‘Google Chrome’, which today is growing at an astonishing speed. Chrome quickly got into a battle with Opera for the title of speed king but at what cost remains the question.
As mentioned above, Google Chrome has emerged as the most used browser according to Cyberoam’s statistical data. In terms of the vulnerability rating (as shown in the figure below), Google seems to top here also, by bagging the maximum rate (53%) of vulnerability. This clearly implies that the wider the usage, more are the chances, to be targeted.

Source: The above chart is based on the data collected from NVD (National Vulnerability Database).
Links given below will help you to understand the recent rates of vulnerabilities for each browser separately (as shown in the figure above). The data is collected from NVD (National Vulnerability Database), which updates periodically. Whenever you visit these links you will find the latest vulnerability rates for the respective browsers.
For Mozilla Firefox :
http://web.nvd.nist.gov/view/vuln/search-results?query=Mozilla+firefox&search_type=last3years&cves=on
For Google Chrome :
http://web.nvd.nist.gov/view/vuln/search-results?query=chrome&search_type=last3years&cves=on
For IE :
http://web.nvd.nist.gov/view/vuln/search-results query=internet+explorer&search_type=last3years&cves=on

Current Scenario (Total vulnerability in browsers during the Last Three months)


Here we are taking the last three month browser vulnerability statistics and once again Google Chrome leads the ratio, with the 50% of total vulnerability.

Solution

Here are the four common steps practices that may help you fight this menace.
  1. As far as Cyberoam users are concerned, they just need to apply the appropriate IPS signatures into the LAN-WAN traffic, to stay secure.
  2. If you plan to download a new/different browser, make sure you are downloading a legitimate version. Go directly to the manufacturer’s site, and ignore ads or pop-ups that offer browser set-ups as they may be tricks to get you to install a corrupt version of the same.
  3. Set your online preferences to allow software updates. Some browsers, such as Internet Explorer and Safari, will automatically update with your operating system. But others, including Firefox, automatically update themselves to deploy security patches against, providing enhanced security features.
  4. Set your browser’s security settings to the highest possible limit, to prevent others from exploiting your browser.
  5. Disable pop-ups in your browsers or install security software that prevents pop-up windows. Deploying infected pop-ups is a popular way that hackers trick users into downloading malware.
Cyberoam in its annual Threat predictions has already predicted the rising need for Browser security in 2013. These findings and figures assert the predictions then made.
Being informed is the first step to protection! To stay updated about the recent happenings and news in the threat landscape, subscribe to Cyberoam Blogs, and get access to latest threat attacks, useful statists, details reports and much more.

Sources:

http://www.pcworld.com/article/150585/google_chrome.html
http://www.zonealarm.com/blog/index.php/2012/02/which-web-browser-is-the-most-secure
http://web.nvd.nist.gov/
http://cve.mitre.org/
http://www.w3schools.com/browsers/browsers_stats.asp
http://www.techzoom.net/publications/insecurity-iceberg/
http://www.neowin.net/news/internet-explorer-more-secure-than-chrome-and-firefox
Posted by MOHA at 8:54 AM
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)