The IBM X-Force report about which I blogged yesterday does a great job of highlighting the state of Internet security. The findings that 78 percent of exploits are aimed at browser plug-ins and that 94 percent of browser exploits happen within a day of disclosure are informative and a bit scary.
The key, of course, is finding better protection. eWEEK (http://www.eweek.com/c/a/Security/Rethinking-Web-Browser-Security/) describes some of the overlapping techniques that the bad apples are using: The malcontents are creating malicious sites so quickly that software can't keep up, and they are injecting code into otherwise legitimate sites that hijacks visitors.
The eWEEK piece also describes new approaches used to combat these threats. They include, the writer says, reputation validation, in-line traffic scanning and behavioral analysis. A particularly intriguing approach that the writer says is being used by Trend Micro is changing from the traditional system in which signatures of dangerous code are constantly updated to one in which machines query the cloud for information about threats. The approach, which could be a grand use of emerging cloud infrastructures, responds to emerging threats within 15 minutes, according to the firm.
This is a well-told tale at InfoWorld of a clever exploit called Evilgrade. The description also is a sign of how smart the bad guys are. Many operating systems and applications offer automatic updates to keep them secure. Evilgrade is a nefarious system for intercepting the update requests and sending malicious code to the waiting application or operating system.
So far, the story says, Evilgrade can be used with several applications and OSes, including the Java browser plug-in, Mac OS X, the LinkedIn Toolbar, iTunes and others. The good news is that a man-in-the-middle situation must already exist: An Evilgrade site must be sitting between the end user and the legitimate site. This is precisely the type of problem made possible by the DNS flaw that has dominated security news in recent weeks.
The browser producers are paying attention. This SecurityFocus interview takes an exhaustive look at security in Firefox 3.0, while many similar-sounding features are in Internet Explorer 8, which currently is in beta.
It is tempting to say that the state of online security is dire. There are serious challenges, but it is more accurate to say that it is at a crossroads and that it is up to vendors and researchers to find new technical and structural ways to combat an increasingly organized and automated criminal element.