Defense in Depth

July 1, 2008 11:28 AM PDT

Researchers: 637 million browser users at risk

by Robert Vamosi

A group of researchers on Tuesday said 637 million Web users are surfing with outdated Internet browsers and are therefore at greater risk of Web-based attacks.

Using data collected from Google Web searches and from security firm Secunia, the researchers, Stefan Frei (of ETH, Zurich), Thomas Dübendorfer (Google), Gunter Ollmann (IBM ISS), and Martin May (ETH, Zurich), analyzed which browser versions users were actually running, in a new report (PDF). They did so in an effort to understand why so many recent attacks by criminal hackers have been aimed at the browser, and why those attacks have been so successful.

Overall the authors found that roughly 40 percent of users were using insecure versions of Web browsers. Among the least compliant were users of Internet Explorer, which currently dominates the Internet browser market.

The data was collected in mid-June 2008. The users broke down as 78 percent Internet Explorer, 16 percent Firefox, 3 percent Safari, and 0.8 percent Opera. Of these, 52 percent of Internet Explorer users were running the latest version, as were 92 percent of Firefox users, 70 percent of Safari users, and 90 percent of Opera users.

The authors note that IE 7, the current Internet Explorer release, has taken 19 months to reach only 52 percent of the Internet Explorer audience. The other 48 percent of IE users in the study were either running an outdated build of IE 7 or still had IE 6 installed.

Some of this has to do with how the respective vendors deliver updates. IE 7 is currently offered as an automatic update with each monthly set of Microsoft security patches, yet a number of people opt out of the upgrade and keep running IE 6.

The study did not cover insecure browser add-ons, such as outdated versions of Adobe Reader, because the Google data contained only the browser's own version information.

As a mitigation, the study draws a comparison with the food industry: people understand the need to buy safe food, so why not safe browsers? People understand that food is perishable, so why not have browsers display expiration dates too? The authors mocked up a browser that displays, in red in the upper right hand corner, "145 days expired, 3 updates missed."

But unlike the food industry there is no liability for software vendors. And, the authors note, software vendors are not legally obligated to provide software updates.

Imagine if the food industry was not accountable for selling spoiled milk.

June 12, 2008 5:10 AM PDT

Newly released Opera 9.5 bundles more protection

by Robert Vamosi

Opera 9.5, code-named Kestrel, on Thursday became available for download for Windows and Mac.

The new version of the browser, whose release candidate came out earlier this week, is a security-enhanced version of Opera 9. It includes antiphishing protection from Netcraft and malware protection from Haute Secure, as well as support for Extended Validation (EV) SSL certificates.

The browser also has a new "eurotechno" look and feel, a QuickFind address bar feature, better synchronization with its mobile cousin, and a Speed Dial feature for visually bookmarking nine of your favorite sites.

Scandinavia-based Opera Software still finds its browser in fourth place, behind Microsoft's Internet Explorer, Mozilla's Firefox, and Apple's Safari, in terms of overall browser market share.

May 2, 2008 2:50 PM PDT

Web browsers and other mistakes

by Robert Vamosi

Correction, 3:40 p.m. PDT: This story initially misspelled Dan Kaminsky's last name.

On Friday at Microsoft's Blue Hat conference in Redmond, Wash., Alex "Kuza55" K. of SIFT challenged the software company and others to build a better Internet browser by detailing the many ways browsers can be made to mishandle malicious content.

In the talk, Kuza55 included details on how various attacks use logged-out cross-site scripting (XSS), XSS on pages protected against cross-site request forgery (CSRF), JavaScript hijacking, session fixation, CSRF-token fixation via XSS, and CSRF vulnerabilities to compromise desktop Internet browsers. The talk was provided to CNET as a PowerPoint presentation.

Dan Kaminsky, of IOActive, told CNET News.com that Kuza55 talked about the "obscure internal elements of things you can do to Web browsers. Like how to use browsers to attack other protocols. Or how to use text in a browser to attack other particular protocols."

Kuza55 started his talk by showing ways to use browser cookies for XSS attacks. In one method, "by abusing the path attribute (within a cookie) we can effectively overwrite cookies very specifically, or for the whole domain by setting lots of them." Kuza55 noted that in Firefox and in Opera there is a limit to the number of cookies that can be stored for a site, with the oldest cookie being removed to make room for the new one. Thus an attacker who can set cookies on the site can evict its existing cookies in these browsers by exhausting the limit, and then set replacements. Internet Explorer does not have such a limit.
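The two cookie tricks above, as an added example in Node.js that is not from Kuza55's slides or from any browser's source code: a small model of a per-site cookie jar that (1) orders cookies by path the way RFC 6265 prescribes, so a more specific attacker-set cookie shadows the legitimate one on matching paths, and (2) enforces a per-site cap by evicting the oldest cookie, so flooding the jar pushes the victim's real session cookie out. The cap of 50, the oldest-first eviction rule, and the assumption that the server keeps the first of two same-named cookies are all assumptions of the model, not measured behaviour of any particular browser or framework.

```javascript
// Added example: a simplified cookie-jar model (assumptions: 50-cookie cap per
// site, oldest-first eviction, server keeps the first duplicate it sees).

const MAX_COOKIES_PER_SITE = 50; // assumed cap for the model

// RFC 6265 section 5.1.4 path-match.
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith("/")) return true;
  return requestPath[cookiePath.length] === "/";
}

class CookieJar {
  constructor(limit = MAX_COOKIES_PER_SITE) {
    this.limit = limit;
    this.cookies = []; // {name, value, path, created}
    this.clock = 0;
  }

  // Mimics Set-Cookie or document.cookie = "name=value; path=/x" for one site.
  set(name, value, path = "/") {
    let created = this.clock++;
    const idx = this.cookies.findIndex(c => c.name === name && c.path === path);
    if (idx !== -1) {
      created = this.cookies[idx].created; // RFC 6265 5.3: replacement keeps the old creation time
      this.cookies.splice(idx, 1);
    }
    this.cookies.push({ name, value, path, created });
    // Per-site cap: evict the oldest cookie until the jar fits (model assumption).
    while (this.cookies.length > this.limit) {
      let oldest = 0;
      for (let i = 1; i < this.cookies.length; i++) {
        if (this.cookies[i].created < this.cookies[oldest].created) oldest = i;
      }
      this.cookies.splice(oldest, 1);
    }
  }

  // Cookie request header for requestPath. RFC 6265 5.4 sends longer paths
  // first, then older cookies first, so a path-specific cookie precedes a
  // site-wide cookie of the same name.
  cookieHeader(requestPath) {
    return this.cookies
      .filter(c => pathMatches(c.path, requestPath))
      .sort((a, b) => b.path.length - a.path.length || a.created - b.created)
      .map(c => `${c.name}=${c.value}`)
      .join("; ");
  }
}

// Models a server framework that keeps the first value of a duplicated name.
function firstCookieValue(header, name) {
  for (const pair of header.split("; ")) {
    const eq = pair.indexOf("=");
    if (eq !== -1 && pair.slice(0, eq) === name) return pair.slice(eq + 1);
  }
  return null;
}

// Trick 1: a cookie with a narrower path shadows the real one on that path only.
function pathShadowingDemo() {
  const jar = new CookieJar();
  jar.set("session", "victim-session");               // legitimate cookie, path=/
  jar.set("session", "attacker-session", "/account"); // set via XSS elsewhere on the site
  const header = jar.cookieHeader("/account/settings");
  return {
    header,
    seenByServer: firstCookieValue(header, "session"),
    untouchedPath: firstCookieValue(jar.cookieHeader("/blog"), "session"),
  };
}

// Trick 2: flood the jar so the victim's cookie is evicted, then set your own.
function exhaustionDemo() {
  const jar = new CookieJar();
  jar.set("session", "victim-session");
  for (let i = 0; i < jar.limit; i++) jar.set(`junk${i}`, "x"); // constructed filler cookies
  const evicted = !jar.cookieHeader("/").includes("victim-session");
  jar.set("session", "attacker-session"); // now the only "session" cookie for the site
  return { evicted, seenByServer: firstCookieValue(jar.cookieHeader("/"), "session") };
}

console.log(JSON.stringify({ shadowing: pathShadowingDemo(), exhaustion: exhaustionDemo() }, null, 2));
```

The shadowing case is why a session cookie should be bound to something the attacker cannot set (an HttpOnly, Secure, host-prefixed cookie, and a server that rejects or at least logs duplicated session cookie names); the exhaustion case is why a sibling subdomain or any XSS on the same site is a full session-fixation primitive in a browser that caps the jar.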

The talk also addressed potential abuses of the FindMimeFromData function, discussed one directory traversal bug within Flash 9.0.124.0, and showed how to use 7-bit Unicode Transformation Format (UTF-7) to smuggle encoded meta tags or encoded cross-site scripting payloads past filters and into a browser. For the latter, Kuza55 cited the work of Yosuke Hasegawa.
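The UTF-7 trick, as an added example that is not from Kuza55's or Hasegawa's material: a minimal RFC 2152 UTF-7 encoder and decoder in Node.js, used to show that a filter which only looks for the literal characters `<` and `>` passes an encoded `<script>` tag untouched, while a browser that decodes the page as UTF-7 sees the tag. The encoder deliberately encodes every character outside RFC 2152's "Set D" (letters, digits, `'(),-./:?` and whitespace), which is what makes the payload filter-opaque; the naive filter and the demo payload are my own constructions.

```javascript
// Added example: minimal UTF-7 (RFC 2152) encoder/decoder for the XSS case.
// Assumptions: input is BMP text; every character outside Set D is encoded.

const UTF7_DIRECT = /[A-Za-z0-9'(),\-.\/:? \t\r\n]/; // RFC 2152 "Set D" plus whitespace
const B64_CHAR = /[A-Za-z0-9+\/]/;

// Base64 of a byte array with the trailing "=" padding removed, as UTF-7 requires.
function base64NoPad(bytes) {
  return Buffer.from(bytes).toString("base64").replace(/=+$/, "");
}

function utf7Encode(str) {
  let out = "";
  let i = 0;
  while (i < str.length) {
    const ch = str[i];
    if (ch === "+") { out += "+-"; i++; continue; }           // literal plus is escaped as "+-"
    if (UTF7_DIRECT.test(ch)) { out += ch; i++; continue; }   // direct characters pass through
    // A run of non-direct characters becomes one shift sequence:
    // "+" + base64(UTF-16BE bytes) + "-".
    const bytes = [];
    while (i < str.length && str[i] !== "+" && !UTF7_DIRECT.test(str[i])) {
      const cu = str.charCodeAt(i);
      bytes.push(cu >> 8, cu & 0xff);
      i++;
    }
    out += "+" + base64NoPad(bytes) + "-";
  }
  return out;
}

function utf7Decode(str) {
  let out = "";
  let i = 0;
  while (i < str.length) {
    if (str[i] !== "+") { out += str[i++]; continue; }
    let j = i + 1;
    while (j < str.length && B64_CHAR.test(str[j])) j++;     // extent of the base64 run
    const b64 = str.slice(i + 1, j);
    if (b64.length === 0) {
      out += "+";                                            // "+-" decodes to a literal plus
    } else {
      const bytes = Buffer.from(b64, "base64");              // Node tolerates missing padding
      for (let k = 0; k + 1 < bytes.length; k += 2) {
        out += String.fromCharCode((bytes[k] << 8) | bytes[k + 1]);
      }
    }
    // A "-" directly after the run terminates it and is absorbed; any other
    // character terminates it and is kept.
    i = (j < str.length && str[j] === "-") ? j + 1 : j;
  }
  return out;
}

// A filter that only rejects literal angle brackets (constructed for the demo).
function naiveFilterBlocks(input) {
  return /[<>]/.test(input);
}

function utf7XssDemo() {
  const payload = "<script>alert(1)</script>"; // constructed demo payload
  const encoded = utf7Encode(payload);
  return {
    encoded,
    blockedByNaiveFilter: naiveFilterBlocks(encoded), // false: no "<" or ">" in the bytes
    decodesTo: utf7Decode(encoded),                   // what a UTF-7-decoding browser sees
  };
}

console.log(JSON.stringify(utf7XssDemo(), null, 2));
```

The defence is not a better blocklist but removing the ambiguity: declare the charset in the HTTP Content-Type header (and as the first thing in `<head>`), so the browser never has to guess, and treat any user-controlled text that reaches the page as data to be escaped for the declared encoding, not as bytes to be pattern-matched.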

Kuza55 also mentioned abuses of the HTTP protocol, of DNS, and of subdomains. He faulted the browser makers several times for not providing enough documentation, and said he had to use trial and error to make these findings. Despite that, he is continuing his research.

April 18, 2008 12:21 PM PDT

Researcher: Wii and iPhone browsers could allow phishing

by Robert Vamosi

In a paper (PDF) presented at the Usability, Psychology, and Security Conference 2008 in San Francisco, researchers from the University of California at Davis warned that browsers within popular electronic gadgets often drop important security features available in desktop browsers.

Researchers Yuan Niu, Francis Hsu, and Hao Chen looked at the Mobile Safari browser in Apple's iPhone, as well as the Opera browser included in the Nintendo Wii and DS gaming systems. In general, they cited the reliance on on-screen typing as a deterrent to entering known URLs by hand. Users, they said, are more likely to click on URLs presented in an e-mail.

They also said reduced screen sizes tend to force the address bar off the screen, or to truncate it. On the Nintendo DS, only the first 22 characters display. They gave the example of a page at www.bankofamerica.com.phishydomain.com, which would be truncated to simply www.bankofamerica.com.
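The truncation problem above, as an added example in Node.js that is not from the paper: the left-anchored 22-character display the paper describes beside a right-anchored display that always keeps the registrable domain (the part the user must judge) visible, plus a look-alike check that flags a trusted domain appearing as a subdomain of some other registrable domain. The tiny public-suffix list, the ellipsis marker, and the look-alike heuristic are my assumptions for the example; a real implementation would use the full Public Suffix List.

```javascript
// Added example: why left-truncating a host name misleads, and a display that
// keeps the registrable domain visible. Assumptions: a tiny public-suffix
// list stands in for the real Public Suffix List; width is in characters.

const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk"]); // assumed, illustrative only

// What the paper describes: show the first `width` characters and nothing else.
function truncatedDisplay(hostname, width) {
  return hostname.length > width ? hostname.slice(0, width) : hostname;
}

// Registrable domain (eTLD+1): the label just left of the longest matching
// public suffix. Unknown suffixes fall back to the whole host.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let n = Math.min(labels.length - 1, 2); n >= 1; n--) {
    const suffix = labels.slice(-n).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) return labels.slice(-(n + 1)).join(".");
  }
  return hostname.toLowerCase();
}

// Right-anchored display: never clip the registrable domain; prepend whole
// subdomain labels from the right while they fit, and mark anything dropped.
function rightAnchoredDisplay(hostname, width) {
  if (hostname.length <= width) return hostname;
  const reg = registrableDomain(hostname);
  const sub = hostname.slice(0, hostname.length - reg.length - 1).split(".");
  let display = reg;
  for (let i = sub.length - 1; i >= 0; i--) {
    const candidate = sub[i] + "." + display;
    if (candidate.length + 1 > width) break; // +1 leaves room for the ellipsis marker
    display = candidate;
  }
  return "…" + display;
}

// Heuristic: a trusted registrable domain appearing as a whole-label sequence
// inside a host whose own registrable domain is different. Returns the trusted
// domain being impersonated, or null. (Misses variants such as
// "bankofamerica.com-login.example", which use a hyphen instead of a dot.)
function lookalikeOf(hostname, trustedDomains) {
  const host = hostname.toLowerCase();
  const reg = registrableDomain(host);
  for (const t of trustedDomains) {
    if (reg === t) return null;
    if (("." + host + ".").includes("." + t + ".")) return t;
  }
  return null;
}

function phishingReport(url, width, trustedDomains) {
  const hostname = new URL(url).hostname;
  return {
    naive: truncatedDisplay(hostname, width),
    anchored: rightAnchoredDisplay(hostname, width),
    registrable: registrableDomain(hostname),
    impersonates: lookalikeOf(hostname, trustedDomains),
  };
}

// Constructed sample matching the paper's example, at the DS's 22-character width.
console.log(JSON.stringify(
  phishingReport("http://www.bankofamerica.com.phishydomain.com/login", 22, ["bankofamerica.com"]),
  null, 2));
```

With the paper's example the naive display shows `www.bankofamerica.com.` and hides the real owner, while the anchored display shows `…com.phishydomain.com`; the trailing "com." in the naive form is the only hint that something was cut, and a user has no way to know what.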

On the iPhone, the researchers said a single call to JavaScript's scrollTo() could push the address bar off the Safari screen. In the paper, they gave an example in which the script scrolls the freshly loaded page to a point partway down, forcing the address bar off the top of the screen.

Even when the address bar is visible, the researchers were able to use JavaScript to cover the bogus address with a legitimate-looking one drawn by the page itself. The same trick could lead the user to believe a site was Secure Sockets Layer (SSL)-protected when it was not.

On the Nintendo Wii, the researchers found that the URL bar disappears when the page is loaded.

The researchers state that porting the traditional browser to a mobile device requires some foresight, and they note that even the built-in security features of browsers tend to be ignored by users. They suggest instead that vendors run traffic through a proxy that filters out phishing pages before they reach the devices.
