permanently, because using a browser
and in many cases prevents you from
visiting sites you have legitimate reasons to visit.
Cookies, while sometimes flushed to
solve a problem, are essential to many
Web sites, and having them disabled
will prevent a wide range of services
What is a Browser Designer to Do?
Browser developers have been working overtime to try and address some of
these issues— and with some success—
but it is definitely an uphill battle.
Proactive and reactive developers can generate an endless series of
software updates. As a responsible defender, your dilemma is that allowing
user these untested updates may break
applications or even introduce security
holes, but not allowing them may leave
your enterprise open to even more serious attacks.
Distributed management provides
some help in this area, but all major
browsers are weaker than many defenders would like them to be. Microsoft provides the free Internet Explorer
Administration Kit, which sets the bar
for enterprise browser deployment and
management tools, but that bar is lower
than many would desire. FirefoxADM,
an open source project for managing collections of Firefox browsers, is far more
limited but a step in the right direction.
FrontMotion provides a Web-based tool
that allows a defender to create packages
with approved software, configuration,
and plugins for Firefox. All are available
for the Windows platforms only.
Firefox and Google’s Chrome browser have implemented “sandboxes,” in
which code run by the browser (such
that provides only limited resources for
the program to run and whose design
is heavily scrutinized for security flaws.
Internet Explorer uses a zone-based security model, in which security features
are enabled or disabled depending
on what site is being accessed. Under
Vista, it runs in what is known as Protected Mode, which limits the operating system privileges that the browser
program can exercise.
However, open source developers
must be especially careful about design-
ing and implementing sandbox systems
because their sandbox source code is
available to the attacker for study and
testing. This is, of course, no surprise to
the sandbox developers and one reason
why open source sandboxes tend to improve quickly.
Browser developers have come up
with several ways to combat phishing
attacks as well, primarily heuristics to
detect an attempted visit to a fraudulent
site, techniques to aggregate lists of and
warn about known phishing sites, and
augmentation of login security.
Injection attacks are most properly
defended against at the server, but the
victim will often be the browser user, not
the server owner. Therefore, browsers
may implement policies that hamper
the injection attack by limiting where
resources may be accessed from within
a particular page.
Firefox has aggressively pursued a
strategy of patching known vulnerabilities and generates updates regularly.
Internet Explorer 7 is a significant improvement over Internet Explorer 6 in
this regard, though many more known-but-unpatched vulnerabilities exist in
IE 7 than in Firefox. Chrome seems to
be emulating Firefox, though it lacks
the mindshare of the other two at the
moment so fewer eyeballs are looking
critically at it for flaws. 3
Some browser developers are employing and refining their system for
detecting, reporting, and responding to
security flaws. Mozilla.org, the support
and development organization for Firefox, enlists open source developers to
assist with code reviews and offers open
bug tracking systems so that bugs can
be reported and the follow-up tracked.
From a defender point-of-view, these
efforts are a mixed blessing. Because
browser software may be freely downloaded from the Internet by any user, all
browsers are suspect. A prudent defender might hope that the browser is sufficiently rugged, but he cannot count on
that fact. Desktop *nix systems and Mac
OS X allow browser software to be run at
a lower permission level than Windows
often does, but that safeguard may be
circumvented by other user-driven configuration changes.
From a network security perspective, a
browser is essentially a somewhat con-
trolled hole in your organization’s fire-wall that leads to the heart of what it is
you are trying to protect. While browser
designers do try to limit what attackers
can do from within a browser, much of
the security relies far too heavily on the
browser user, who often has other interests besides security. There are limits
to what a browser developer can compensate for, and browser users will not
always accept the constraints of security
that a browser establishes.
As this issue gets more exposure,
browser developers are cooperating to
some degree to share strategies for defense. Google has published an excellent Browser Security Handbook1 that
compares various browser features and
Attack and defense strategies are co-evolving, as are the use and threat models. As always, anybody can break into
anything if they have sufficient skill,
motivation and opportunity. The job of
browser developers, network administrators, and browser users is to modulate those three quantities to minimize
the number of successful attacks.
And that is a very big job indeed.
Tom Wadlow and Vlad Gorelik
Cybercrime: An Epidemic
Building Secure Web Applications
1. google. Browser Security Handbook; http://code.google.
2. isecpartners. Attacking AJAX Applications; http://
3. Wikipedia. Comparison of Web browsers; http://
4. Wikipedia. http cookie; http://en.wikipedia.org/wiki/
5. Wikipedia. phishing; http://en.wikipedia.org/wiki/phishing.
6. Wikipedia. Xmlhttprequest; http://en.wikipedia.org/
Thomas A. Wadlow is a network and computer security
consultant, and the author of The Process of Network
Security, addison-Wesley professional, 2000.
Vlad Gorelik is vice president of engineering at aVg
technologies where he heads up the development of
behavioral malware detection and removal technologies.
previously he spent several years as Cto of sana security,
leading the company’s efforts in creating products to
fight malware. he has multiple patents and filed patent
applications in software technology and computer security.
© 2009 aCm 0001-0782/09/0500 $5.00