Categories: Security

Web Browsers Need Better Security

Web browsers remain a target for security exploits by hackers. A report from Cenzic together with the recent Pwn2Own hacking contest at CanSecWest, highlights the need to keep boosting browser security.

From Microsoft’s Internet Explorer 8 to Apple Safari, popular Internet browsers took a public beating the week of 16 March. Even as hackers continue to focus most of their attention on Web applications, exploits targeting the browser always make juicy tidbits for black hats.

In Cenzic’s Web Application Security Trends Report, (PDF) released 18 March, the vulnerability assessment and risk management software company found that there was 7% increase in the number of browser vulnerabilities in the second half of 2008. Microsoft Internet Explorer accounted for 43% of that total, with Mozilla Firefox following closely with 39%. Apple Safari and Opera Software’s Opera browser accounted for 10% and 8%, respectively.

Then there was the Pwn2Own contest. Hosted by TippingPoint, the annual hacking event at CanSecWest this year saw security on IE, Safari and Firefox all go down for the count.

With all this as a backdrop, it should be noted that browser security in general is improving, some researchers said. The past few years have seen an increasing amount of security built into browsers, ranging from IE 8’s cross-site scripting filter to the sandboxing in Google Chrome, which Charlie Miller, one of the prize winners at the 2009 Pwn2Own event, said limits the amount of damage that can be done.

“Most vendors have become [resigned] to the fact that bugs will always exist,” said Miller, an analyst with Independent Security Evaluators. “That means what is left is making it impossible to exploit the vulnerabilities and do malicious acts. So sandboxing is another hurdle the bad guy will have to get through.”

Anti-phishing features in the major browsers have also helped make them more secure. But that can be augmented with whitelisting services, Gartner analyst John Pescatore said.

“[In addition,] businesses really, really, really need a way to tell if a human is operating the browser, or is this connection coming from a spider or botnet client or screen-scraper,” Pescatore said. “The browser guys could work with the Web app server—Microsoft and Apache … to come up with some way of the browser declaring ‘a local keyboard is operating me’ would be a huge help [in] fighting automated fraud.”

Still, efforts to authenticate active code such as IE’s Authenticode, wean users off using cookies to remember user names and passwords, or detect pass-through attacks such as buffer overflows have not met with broad success, said Eric Ogren, principal analyst with The Ogren Group. The fundamental problem is the standard usability versus security argument.

“Browsers have to serve so many needs that their attack surfaces are exceptionally difficult to secure,” Ogren said. “The biggest problem is that classic security techniques constrain the user experience to the point where the browser will not be used.”

Brian Prince eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved

Recent Posts

Apple, Google Mobile Ecosystems Should Be Investigated, CMA Told

CMA receives 'provisional recommendation' from independent inquiry that Apple,Google mobile ecosystem needs investigation

2 hours ago

Australia Rejects Elon Musk Claim About Social Media Ban For Under-16s

Government minister flatly rejects Elon Musk's “unsurprising” allegation that Australian government seeks control of Internet…

5 hours ago

Northvolt Files For Bankruptcy Protection In US

Northvolt files for Chapter 11 bankruptcy protection in the United States, and CEO and co-founder…

7 hours ago

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

22 hours ago

Former Policy Boss At X, Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

1 day ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

1 day ago