Browser Bugs, Attacks Expected to Mount

Window Snyder, chief security officer at open source browser maker Mozilla, is caught in the crosshairs of the raging browser vulnerability battle.

On one hand, her company launched an upgrade to its Firefox browser on Feb. 23 that specifically aims to fix a number of flaws that have been discovered in the program.

On the other hand, she's dealing with almost daily reports of newly identified vulnerabilities in Firefox disclosed by a researcher who makes his work public before informing Mozilla of the problems.

As trying as the situation may sound, Snyder admits that the day's conflicts come with the territory of her job and those of security experts at every other browser maker.

With the high-profile nature of the browser in today's Internet-based economy, working to eliminate vulnerabilities, respond to researchers, and ward-off malware attacks will remain a large part of the daily routine for the foreseeable future, according to the CSO.

Snyder said that Mozilla is receiving a lot more customer feedback of late from people concerned about browser security.

"The browser is one of most critical pieces of software on the computer in terms of something attackers are going after," Snyder said. "Attacks are constantly changing and every software developer needs to recognize new threats as they emerge, but that's nothing new, we've always considered security to be a top priority."

Despite Mozilla's ongoing security efforts, Firefox has come under intense scrutiny from Michal Zalewski, a well-known independent security researcher who has published a collection of previously undiscovered vulnerabilities in the browser during the month of February.

The Firefox security update was already delayed several days so that Mozilla could address an issue published by the researcher earlier this month dubbed the location.hostname vulnerability.

And on the eve of Mozilla's release of the revamped browser, dubbed Firefox, Zalewski published information about yet another flaw in the product involving a memory corruption issue that could allow attackers to take control of computers running the software. Phishing and spoofing threats are among the attacks likely to be aimed at the latest issue, according to Zalewski.

Although Snyder said she would prefer it if Zalewski and other researchers would disclose vulnerabilities to Mozilla before taking them public, she said the company relies on such experts to help it keep customers protected from attacks, as painful as the reports may be.

"We would prefer that he would notify us first, but more importantly we are glad researchers are looking at Firefox and helping us fix problems," the Mozilla CSO said. "We also see where the researchers are coming from, in terms of their frustration with the amount of time vendors are taking to fix vulnerabilities."

Snyder hopes that as Mozilla improves its ability to patch flaws faster, researchers will work more closely with the nonprofit company. The software maker is also developing a range of new security features for use in the Firefox 3 iteration of the browser, code-named "Gran Paradiso," that is slated to arrive sometime in the second half of 2007.

Much of the work is focused on improving users' capability to understand and manage their online credentials, the CSO said.

Security researchers maintain that attacks on browser vulnerabilities are only going to increase in volume and frequency, in particular during 2007.

According to experts at IBM's newly acquired ISS business unit, which is based in Atlanta, the continued emergence of the "exploits as a service" business, through which malware code writers market their attacks to cyber-criminals via underground channels, will only add fuel to the fire.

In another daunting development, roughly 50 percent of the browser attacks observed by ISS' X-Force research team during 2006 used encryption to hide themselves and the data they attempted to steal, with the group expecting use of such tactics only to grow during 2007.

"Attackers have honed into Web browser vulnerabilities because the amount of protection people have to defend against these types of threats is not as advanced for many end users," said Gunter Ollmann, director of security strategy at IBM ISS. "In addition to the underground communities where exploits are being bought and sold, it's also become much easier for attackers to build engines that sit on Web servers and generate personalized browser attacks."

Ollmann said that such threat engines are being armed with increasingly sophisticated levels of programming logic, giving them the capability to look at the specific version of a browser someone is using and launch attacks specifically aimed at the programs. Malware code writers are also sharing libraries of IP addresses known to be used by security researchers to help avoid detection of their latest work, Ollmann said.

Another breed of emerging attack attempts to insert itself between end-users' keyboards and browsing programs to steal data and circumvent the security tools being added to the programs.

The so-called "man-in-the-browser" threats have already been found lurking in high-value online transactional systems operated by financial services companies, where they seek to intercept valuable information as it entered by customers, said Dr. Chenxi Wang, analyst with Forrester Research.

The spiraling complexity of such threats serves as strong evidence that the battle between malware writers and browser makers is only beginning to heat up, and will continue for some time, the analyst said.

Wang believes that one answer to the security problem will be for browser makers to adopt more rigorous software development efforts to minimize vulnerabilities, but even those improved processes won't catch every flaw.

Microsoft's Security Development Lifecycle (SDL) program, for instance, appears to have lowered the number of vulnerabilities in its newest Internet Explorer 7 browser compared to earlier versions of the product, but the company has already been forced to patch at least one critical flaw in the software, which was released in Oct. 2006.

"This is going to be an arms race that is ongoing for the foreseeable future," Wang said. "There is no excuse for people on the defense side not to be more proactive with security and use better mechanisms during software development to protect against future attacks, but the attackers will always have some new approach as well."

This story, "Browser Bugs, Attacks Expected to Mount" was originally published by InfoWorld.

Shop Tech Products at Amazon