And yet, to make that fortress useful
to us we demand that holes be chopped
through the walls to permit us to run
a Web browser. We complain if that
browser is not given enough access to
the rest of the computer. We insist on
ease of use and speed, even if it makes
all of our other defenses meaningless.
And in many cases, we use browsers
downloaded from the Internet without
precaution, and configured by the owner of the desktop who has no security
training or interest.
Browsers are at the heart of the Internet experience, and as such they are
also at the heart of many of the security
problems that plague users and developers alike.
Web page. It is a powerful tool, but one
that is open to a number of attacks. 2
programs written by unknown third
parties to run within the browser. Yes,
there are sandboxes and safeguards,
but as any attacker will tell you, a big
step toward penetration is getting the
target machine to run your code.
The Use Model Is Evolving…
Key features of early browsers included
encryption and cookies, which were
fine for the simple uses of the day.
These techniques enabled the start of
e-commerce, and monetizing the Web
was what brought in the rest of the problems. Attackers who want money go
where the money is, and there is money
to be had on the Web.
Today, users expect far more from
a browser. It should be able to handle
sophisticated banking and shopping
systems, display a wide variety of media,
including video, audio, and animation,
interact with the network on a micro
scale (such as what happens when you
move the cursor over a DVD selection in
Netflix and see a summary of the movie), and update in as close to real time as
possible—all without divulging sensitive information to bad guys or opening
the door for attackers.
page can contain code that establishes
a network connection back to a server
and conducts a conversation with that
server that might bypass any number
of security mechanisms integrated into
the browser. The growing popularity
of AJAX as a user-interface technique
means an enterprise network often allows these connections, so that popular
sites can function correctly.
The underlying mechanism of AJAX
(which, despite the name, may not
be Asynchronous) is a function called XMLHttpRequest, originally introduced
by Microsoft for Internet Explorer, but
now supported by Firefox, Safari, Opera
and others. XMLHttpRequest allows a
part of a Web page to make what is effectively a remote procedure call to a
server across the Internet and use the
results of that call in the context of the
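
The XMLHttpRequest call described above, together with one way a defender can record and restrict where such background calls go. This is an added example, not code from the original article; `auditXhr`, `fetchSummary`, `FakeXhr` and the `*.example` hosts are hypothetical, and `FakeXhr` is a constructed stand-in for the browser object so the code runs offline.

```javascript
// Added example: record and restrict the destinations of XMLHttpRequest calls.
// auditXhr, fetchSummary, FakeXhr and the *.example hosts are hypothetical.
function auditXhr(XhrClass, pageOrigin, allowedOrigins, log) {
  const originalOpen = XhrClass.prototype.open;
  XhrClass.prototype.open = function (method, url, ...rest) {
    // Resolve relative URLs against the page origin, as a browser does.
    const target = new URL(url, pageOrigin);
    const allowed = allowedOrigins.includes(target.origin);
    log.push({ method: String(method).toUpperCase(), origin: target.origin,
               path: target.pathname, allowed });
    if (!allowed) throw new Error("blocked request to " + target.origin);
    return originalOpen.call(this, method, url, ...rest);
  };
  return () => { XhrClass.prototype.open = originalOpen; }; // undo the wrapper
}

// The "remote procedure call" a page script makes: ask the server for data
// and hand the parsed result to the page.
function fetchSummary(XhrClass, url, onResult) {
  const xhr = new XhrClass();
  xhr.open("GET", url, true);
  xhr.onload = () => onResult(JSON.parse(xhr.responseText));
  xhr.send(null);
}

// Constructed stand-in for the browser object so the example runs offline.
class FakeXhr {
  open(method, url) { this.url = url; }
  send() {
    this.status = 200;
    this.responseText = JSON.stringify({ url: this.url, summary: "constructed reply" });
    this.onload();
  }
}

function demo() {
  const log = [], results = [];
  const restore = auditXhr(FakeXhr, "https://movies.example",
                           ["https://movies.example"], log);
  fetchSummary(FakeXhr, "/summary?id=42", (r) => results.push(r));
  let blocked = false;
  try {
    fetchSummary(FakeXhr, "https://tracker.example/collect", (r) => results.push(r));
  } catch (e) { blocked = true; }
  restore();
  return { log, results, blocked };
}
console.log(demo());
```

In a browser the same wrapper would be installed with `auditXhr(XMLHttpRequest, location.origin, [...], log)` before any page script runs.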
…And So Is the Threat Model
Early browsers had several major and
noteworthy vulnerabilities, but they also
had fewer types of attackers. The early
attackers tended to be motivated by curiosity or scoring points with their peer
groups. Modern browsers must defend
against increasingly well-organized
criminals who are looking for ways to
turn browser vulnerabilities into money. They are aggressive, methodical, and
willing to try a variety of attacks to see
what works. And then there are those
who work in gray areas, not quite violating the law, but pushing the envelope as
much as possible to make a few dollars.
With more aggressive threats come
more aggressive defenders. Security experts wanting to make names for themselves can release vulnerability information about browsers faster than browser
developers may be prepared to react.
While the roots of this type of disclosure
Security Risks Visualized
Malwarez is a series of visualizations of worms, viruses,
trojans, and spyware code by Alex Dragulescu. For
each piece of disassembled code, API calls, memory
addresses, and subroutines are tracked and analyzed.
Their frequency, density, and grouping are mapped to
the inputs of an algorithm that grows a virtual 3D entity.
Trojan Agent.IL
PWSLineage: This trojan steals the
account information for the game called
“Lineage II” from the victim’s machine.
There are several variants of the trojan.