Web browsers are the primary target for many attackers these days, because so much sensitive data passes through them. From casual shopping to enterprise management systems to military operations, browsers have become the primary vehicle people use to access network-connected systems. Unfortunately, browsers have a long and storied history of vulnerabilities that have provided attackers with a lucrative and near-endless supply of victims upon which to prey. Quarri Technologies, Inc., a Web information security software company, has identified some of the top vulnerabilities attackers use against browsers.
Note: This slideshow is focused on browser vulnerabilities, not website vulnerabilities (SQL injection attacks, XSS, XSRF, et al). The distinction is subtle but important.
Click through for the top five vulnerabilities attackers use against browsers and ways you can minimize your chances of being a victim of these attacks, as identified by Quarri Technologies, Inc.
Code execution exploits in the browser
Ways to avoid: Turn on automatic updates in Windows and in your browser of choice. This type of vulnerability is usually quickly patched by the browser or OS vendor, and so attackers have a very short window in which to use it against fully updated systems. You’re probably not the target that they’re going to use this rare and valuable zero-day against.
Code execution exploits in plug-ins
Plug-ins are probably the most well-known vector for drive-by downloads (attacks that silently download and run native code on your system). From Flash to Silverlight to Java, even plug-ins from large, reputable vendors have been repeatedly found to have vulnerabilities used in malware attacks. Like browser exploits, vulnerabilities of this type are typically patched by vendors in short order, but outdated copies of browser plug-ins far outnumber the updated ones.
Ways to avoid: Keep your plug-ins updated, and uninstall plug-ins and extensions that you don’t use. Browsers are getting better at warning users about outdated plug-ins, so don’t ignore the warnings.
Advanced persistent threats
Advanced persistent threats (APTs) have gotten a lot of press in the last few years (ever hear of Stuxnet?). This type of attack quietly installs malicious code on an endpoint and then steals data (keystrokes, screenshots, browser activity) or even modifies what the user sees in their browser, sometimes going undetected for years. These attacks use myriad methods to get installed, many not related to the browser – for example, via an infected thumb drive or a hostile email attachment. But since so many sensitive interactions occur via the browser, most of these types of attacks put a high priority on stealing data from the browser.
Ways to avoid: Install a good antivirus product, and just use common sense – don’t pick up random thumb drives, open suspicious email attachments, or visit porn sites on your work computer. Don’t take a laptop to DEF CON.
Man-in-the-middle attacks
An attacker who has access to any point in a network connection between a user and sensitive websites (a “man in the middle”) has the opportunity to observe and modify traffic as it passes between the browser and the Web server(s). Websites that use TLS (sites whose addresses start with “https”) help defeat this, because an attacker of this type has a very hard time faking the cryptographic certificate used by the server to authenticate itself to the browser. However, attackers know that a lot of users have been conditioned to just click through warnings when they appear, and so they can use an invalid/forged certificate and in many cases users will ignore the browser’s warnings.
Ways to avoid: Don’t ignore browser warnings. When in doubt, try a different machine or Internet connection, or just wait to conduct your sensitive transaction later.
DNS poisoning
Attackers can poison the DNS system (think of this as the phone book your browser uses to locate a site’s IP address by its name) at several different points. Your machine caches DNS entries and this cache can be poisoned. A special file on your machine can be modified to override DNS servers for certain Web addresses, and DNS servers themselves can even be compromised and forced to serve up bad IP addresses for reputable sites. Once the attack is in place, your browser will contact an attacker’s server instead of the legitimate server for any targeted website. Attacks like this typically target banks and other financial institutions, fooling users long enough for them to give up account credentials, which are then used to empty their accounts.
Ways to avoid: Always look for “https” at the beginning of the site’s address when visiting a sensitive website to do financial transactions, and (again) don’t ignore browser warnings. Attackers who have poisoned your DNS lookups still can’t forge the certificates used for TLS, so in many cases they’ll use a non-TLS (“http://…”) address and hope users don’t notice.
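The two checks the last two slides recommend (don’t accept a forged certificate, and insist on “https” for sensitive sites) can be made mechanical on an endpoint. The script below is an added example written for this page, not code from Quarri Technologies or the slideshow: it scans hosts-file text for the local override the DNS slide describes (a sensitive domain pinned to a non-loopback address), refuses plain-http URLs for a watch-list of sensitive domains, and builds a TLS client context that cannot “click through” a bad certificate. The hosts-file contents, the `example-bank.test` watch-list and the `198.51.100.7` address are constructed sample data.

```python
import ipaddress
import ssl
from urllib.parse import urlparse

# Constructed sample of a hosts file (not a real one): two normal loopback lines,
# one line that silently redirects a bank's name to an attacker-chosen address,
# and one harmless intranet entry.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1   localhost
::1         localhost
198.51.100.7   www.example-bank.test example-bank.test   # hypothetical override
10.0.0.5    intranet.corp.test
"""

# Hypothetical watch-list of domains where a DNS/hosts override would matter.
SENSITIVE_DOMAINS = {"example-bank.test"}


def parse_hosts(text):
    """Return (ip_address, hostname) pairs from hosts-file text, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line: skip it rather than guess
        for name in names:
            entries.append((addr, name.lower()))
    return entries


def _matches(host, watch):
    """True when host is a watched domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in watch)


def find_overrides(text, watch):
    """Flag hosts entries that pin a watched domain to a non-loopback address.

    Loopback entries are ignored: developers legitimately point names at
    127.0.0.1, but a bank's name pointing at a routable address is the
    override the DNS slide warns about.
    """
    flagged = []
    for addr, name in parse_hosts(text):
        if addr.is_loopback:
            continue
        if _matches(name, watch):
            flagged.append((name, str(addr)))
    return flagged


def require_https(url, watch):
    """The 'look for https' check, done by the client instead of the user.

    Returns True for an https URL, False for an http URL to an unwatched host,
    and raises for an http URL to a watched (sensitive) host.
    """
    p = urlparse(url)
    host = (p.hostname or "").lower()
    if _matches(host, watch) and p.scheme != "https":
        raise ValueError(f"refusing non-TLS URL for sensitive host: {url}")
    return p.scheme == "https"


def strict_tls_context():
    """A client context that fails closed on a bad certificate.

    This is the programmatic opposite of clicking through a browser warning:
    the chain must validate against the system trust store, the name must
    match, and old protocol versions are refused.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for name, addr in find_overrides(SAMPLE_HOSTS, SENSITIVE_DOMAINS):
        print(f"hosts override: {name} -> {addr}")
    print("https enforced:", require_https("https://www.example-bank.test/login", SENSITIVE_DOMAINS))
```

To use `strict_tls_context()` for real connections, pass it as the `context` argument to `urllib.request.urlopen` or `http.client.HTTPSConnection`; a forged or self-signed certificate then raises `ssl.SSLCertVerificationError` instead of presenting a warning anyone can dismiss. Run the hosts scan against the real hosts file (`/etc/hosts`, or `C:\Windows\System32\drivers\etc\hosts` on Windows) by reading that file into `find_overrides` in place of the constructed sample.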