Monday, December 22, 2008

Forget the antivirus on your OS, make sure your Internet browser is protected!

Lately some in the industry have recommended not using IE because of a recent security hole that affects ALL versions of IE.

The latest exploit
The XML-based attack uses nested SPANs bound to XML Data Islands, delivered through cross-site scripting, to trigger a heap overflow. Once the heap is corrupted, a payload can be executed on the browser's system. A payload is essentially encoded instructions handed to the operating system; it can be as harmless as launching a desktop utility or as destructive as formatting or erasing data on your hard drive. On the web, a hacker has posted sample code that launches the calculator on a user's system, along with complete instructions for replacing the sample calculator code with any payload.

Microsoft has posted workarounds and issued a security update for IE 7, but the fact remains that this was a very big hole in IE. Approximately 80% of all documented security vulnerabilities are cross-site scripting attacks. This exploit was a specialized form of cross-site attack known as cross-zone scripting: code delivered from an untrusted zone runs with permissions beyond those the browser would normally grant that zone.

Why browsers are vulnerable
At a high level, when you enter a web server address and press Enter, the web server returns a text file to your browser. That text file contains two types of data:

1. Data and formatting instructions (HTML), and
2. Script code and/or references to plugin content (JavaScript, VBScript, Flash) that execute functionality in your web browser.

Exploits occur when a user navigates to a malicious web site that returns infected script code or plugin content to the user's browser. Most of the time, script code is beneficial: web applications such as Gmail depend on it.

Two normal security techniques to stop threats are blacklisting and whitelisting.

Blacklisting

Blacklisting began years ago when browsers gave surfers a place in the preferences to list bad sites. If the user attempted to navigate to a listed site, the browser would not display it. The problem is that most users do not know which sites to list, so for the most part this option has gone unused.

Blacklisting has since evolved into web site lists provided by third parties. Firefox and Opera check sites against downloaded anti-malware lists by default (the settings are in their preferences). IE 7 uses a phishing filter that checks web sites against a remote database, but this technique has been known to cause performance issues.

Another option is to change your network settings to use OpenDNS. OpenDNS has been recommended by Facebook and is a great way to get a solid level of third-party blacklist protection, regardless of which web browser you use.

Whitelisting
Whitelisting takes the opposite, more restrictive approach: it considers all web sites unsafe by default. The U.S. government recommends this approach and has published instructions for configuring popular browsers. Basically, the technique involves first disabling script code entirely and then using browser preferences to allow script code only on specific sites the user considers safe. Opera "Site Preferences" or the Firefox NoScript add-on offer a user-friendly way to do this. IE "Internet Zones" can also be configured this way, but with a steeper learning curve.
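As an added example that is not part of the original post, the IE "Internet Zones" version of this strategy can be applied for the current user with PowerShell. The zone numbers, the "Active scripting" action id (1400) and the ZoneMap layout are IE's documented registry values; the two allowed host names are placeholders.

```powershell
# Added example, not from the original post: apply the whitelisting strategy to IE's
# security zones for the current user through the registry. Zone numbers and the
# action id are IE's documented ones; the allowed-site list is a placeholder.
#   Zones: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites
#   Action 1400 = "Active scripting"; 0 = Enable, 1 = Prompt, 3 = Disable
$IS         = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ZonesKey   = "$IS\Zones"
$DomainsKey = "$IS\ZoneMap\Domains"
$ActiveScripting = '1400'
$Trusted = 2; $Internet = 3

# 1. Everything not explicitly listed lands in the Internet zone: disable scripting there.
Set-ItemProperty -Path "$ZonesKey\$Internet" -Name $ActiveScripting -Value 3 -Type DWord
# 2. Whitelisted sites go to Trusted sites, where scripting stays enabled.
Set-ItemProperty -Path "$ZonesKey\$Trusted"  -Name $ActiveScripting -Value 0 -Type DWord

# 3. Map each allowed host (https only) to the Trusted sites zone. IE stores
#    "mail.example.com" as Domains\example.com\mail and "example.org" (the domain and
#    its subdomains) as Domains\example.org; a DWORD named after the scheme holds the zone.
function Add-TrustedSite([string]$Site) {
    $labels = $Site.Split('.')
    $path = if ($labels.Count -gt 2) {
        $sub = $labels[0]
        $domain = ($labels | Select-Object -Skip 1) -join '.'
        "$DomainsKey\$domain\$sub"
    } else {
        "$DomainsKey\$Site"
    }
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name 'https' -Value $Trusted -Type DWord
}
@('mail.example.com', 'example.org') | ForEach-Object { Add-TrustedSite $_ }   # placeholders

# 4. Verify: report the effective Active scripting setting for every zone.
$names = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
foreach ($z in 1..4) {
    $v = (Get-ItemProperty -Path "$ZonesKey\$z" -ErrorAction SilentlyContinue).$ActiveScripting
    $state = if ($null -eq $v) { 'not set (browser default)' } else { $names[[int]$v] }
    "Zone $z : Active scripting = $state"
}
```

The same zone settings also govern other Windows components that embed the IE rendering engine, so the verification step is worth re-running after any software install that may have added its own Trusted sites entries.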

Don't forget to scan

Although the title of this article says to forget the antivirus software, it is still advisable to virus-scan any downloaded file before opening it, especially one from an unfamiliar website. Free virus scanners are listed on the Facebook security page. Mac users should get by with the blacklisting technique, but Windows users should seriously consider moving to a whitelisting strategy, since most threats target Windows users.
