Attacks on client-side applications also take the form of a malicious website targeting a vulnerability in the visitor’s web browser and its add-ons. Locking down the browser and the software it can invoke helps mitigate the risk of this attack vector.
Drive-by exploits against Java Runtime Environment (JRE) have been particularly effective lately, allowing code that runs within the browser to escape JRE’s sandbox and install local malware. Adobe Reader has been another common target. As another example, an Internet Explorer exploit released in mid-December was able to exploit a flaw in the browser by targeting a DLL that was not compiled with ASLR and DEP security features.
To make it harder for a malicious website to access the operating system of the visitor’s computer, Google Chrome and Internet Explorer ship with sandboxing features. Recently-released Adobe Reader X also includes a sandbox with the same goal in mind. The increased availability of such application sandboxes means that the attackers will need to utilize two exploits: one to affect the vulnerable browser or add-on moduile and another to break out of the sandbox.
Resisting exploits that target the browser and its add-ons also involves tightening the application’s settings, for instance to disable unwanted features and to configure trust zones. Enterprises need to be able to do this centrally, usually using the Group Policy feature of Active Directory. Internet Explorer supported Group Policy-based deployment and setup for a while. Google Chrome now supports Group Policy as well.
Another component of the defense against attacks that target the browser and its add-ons involves regularly applying security updates. Enterprise Management System (EMS) tools can help accomplish this across a large number of computers. Secunia Personal Software Inspector (PSI) is a great free tool to keep up with security patches of a single personal computer.
Individuals can also visit Mozilla’s Plugin Check page to identify which of the installed browser plugins are outdated and might have known vulnerabilities. The page works with Firefox, Chrome and Opera; its support for Internet Explorer is very limited. Users of Google Chrome can also use the Secbrowsing extension to accomplish this.
This note is part of a series that explores attacks that use the web browser. Other posts in this series are:
- Three Web Attack Vectors Using the Browser
- Mitigating Attacks on the User of the Web Browser
- Mitigating Attacks on Web Applications Through the Browser