More than just the browser

One of the questions I frequently get asked by customers is “Which browser do you recommend?“. My answer has been the same for a while now – it depends entirely upon the user and their environment. Of course, for home use I have my personal preference, based on a combination of usability, performance and availability of plug-ins (e.g. NoScript, Flashblock). But there is no ‘one-size fits all’ answer. For those interested, Mark posted an interesting blog entry a few weeks ago discussing aspects of controlling the browser within your organization.

The point of this blog entry is to emphasize the fact that it is not just about the choice of browser. The malicious scripts used in drive-by attacks regularly target browser plug-ins as well. In fact, as we move towards an increasing amount of content being accessed through the browser, the scope for the attacker widens. A couple of recent events provide perfect examples of this.

  1. Flash. Once something of a rarity on web sites, Flash content is now somewhat ubiquitous. This leads to a widespread acceptance of Flash content, which makes it all the more serious when an exploitable vulnerability within the SWF format is found, as was the case last week [1]. Since then, attacks exploiting this vulnerability have been seen in the wild [2]. Given the links to the widespread SQL injection attacks, I would say there is little doubt that users are being heavily exposed to these malicious SWF files. Couple this with increased reports of malicious Flash content being used in poisoned ads, and it is clear we need to regard Flash content with a certain amount of suspicion.
  2. PDFs. There was a time when PDFs where considered to be 100% safe. This is certainly no longer the case. Previously we have blogged about malicious PDFs being used to infect victims with a keylogging Trojan [3]. Earlier today I was analyzing a web attack that happened to use a malicious PDF to exploit a fairly recent vulnerability in Adobe Reader [4,5].

Ensuring you are using the latest, patched browser does not necessarily protect you from threats such as these. You need to dig a little deeper and check other applications and plug-ins installed on the machine. In cases where there is not a patch available but the vulnerability is public and being exploited by malware, users are left with the option of removing the application or disabling the plug-in. This is not a simple situation for administrators to manage. Back in February there was sufficient anguish for SANS to published a small tool to assist Windows users in defending against several vulnerable ActiveX controls that were being targeted at that time [6].

And what of the future? I suspect there may be an increased desire for more granular control over the type of incoming web content. We are quite accustomed to fairly aggressive restrictions on file attachments sent through email, and though doing something similar for web traffic is definitely different, and more complex, the benefits may well start to outweigh the cost.