The False Promise of Browser Security
Oct 11, 2006 4:00 AM PT
Internet users are under attack -- and what's more, there's no bulletproof defense against hackers on the horizon. Despite hype to the contrary from marketing departments at Microsoft, Apple and Mozilla, Web browsers themselves -- not just the operating systems that run them -- are to blame for many security flaws.
Vulnerabilities are so embedded in any browser that surfing the Web is no safer than driving a tank through a minefield while blindfolded. Sooner or later, you will run over a mine. Internet surfers cannot escape inevitable hits by attackers. For those surfing the Web, the risk of identity theft, phishing attacks and malware infection is always lurking.
Avoiding obvious malware havens like porn and game sites reduces attack risk only a little. Not using Microsoft's Internet Explorer -- either the current version or the soon-to-be-released version 7.0 -- will likely do little more than delay the inevitable attack.
"All browsers have exploitable vulnerabilities. What matters most now is which one is less likely to get hacked," Jeremiah Grossman, founder and CTO of WhiteHat Security, told TechNewsWorld.
"[Mozilla's] Firefox is the choice to use to stay out of the fray," he maintained.
All Web browsers are insecure to some degree, though, because they all must work with flawed code in the operating systems. There are some indications of progress, such as frequent patches from Microsoft and Mozilla to close security holes. Still, these actions may be too little too late if a zero-day exploit is the attack weapon.
"[Internet Explorer] and Firefox are about the same in terms of the access to vulnerabilities. The only distinction is that Firefox does not use ActiveX," explained Shimon Gruper, vice president of technologies for Aladdin eSafe Business Unit.
"ActiveX allows Web-based applications to run on the local computer until the task is complete. This is very insecure," he explained.
"There is no way to be fully protected from a vulnerability. For the short term, there is not much that anybody can do to fix this," Grossman added.
That bleak assessment of browser security was echoed by Nate Lawson, engineering director for Cryptography Research -- a company that evaluates and analyzes technologies and systems for security firms.
Apple computer users tend to feel less under the gun when it comes to security, but using the Safari browser offers little or no reprieve.
"None of the browsers -- [Internet Explorer], Firefox or Safari -- are designed with security architecture in mind. None are very different," Grossman maintained.
User Base Targeted
The choice of browser determines whether a computer user will be squarely in the firing line or slightly out of attackers' crosshairs. The Microsoft Internet Explorer browser has a much larger user base -- about 82 percent -- so hackers target it, reported Gruper.
"The bad guys are mostly going after the most users, which is the Microsoft Internet Explorer. Firefox is not attacked as much. It isn't any more secure -- just not targeted as often," Grossman pointed out.
Criminals have invested time and money to hack into Internet Explorer because that is where most users are, Gruper echoed.
The Macintosh browser, Safari, has a smaller user base, he noted, but it is not any less vulnerable from a technological perspective.
Safari is similar in design to Firefox but is not otherwise significantly different from Internet Explorer, added Lawson.
Browser Structure Faulty
The Windows platform takes a lot of heat over security because it gives users full administrator's rights, which means that rogue program code and hackers can obtain full access to the system. Internet Explorer is less secure than other browsers because any flaw in the browser compromises the entire operating system, Lawson maintained.
That will change somewhat for the better with IE 7.0 running on Microsoft's new operating system, Vista, suggested Gruper. Vista will offer better security because user rights are more restricted. Even IE 7.0 running on Windows XP will be more secure.
All of the browsers are designed compartmentally, according to Lawson, which means that various tasks -- such as rendering images to the screen and maintaining HTTP connections -- are built into integrated compartments. No compartment restricts privileges or access to the others.
One of the most effective measures users can take to lower their vulnerability to intrusion is to disable JavaScript and Microsoft's ActiveX features in Internet Explorer, suggested Grossman. Of course, that makes it impossible to view some Web sites or, at best, allows limited visibility.
Firefox is better at configurability, which might lessen risk levels, according to Lawson. He recommends disabling functions that aren't being used and installing the Flashblock extension.
Internet Explorer has a larger attack surface, he noted, mostly due to ActiveX and JavaScript. These expose every scriptable component on the entire operating system.
As Grossman sees it, the browser security situation is getting worse, because the Web has become the new battleground used by the bad guys seeking new sources of money. There is no need for attackers to go after the operating system anymore.
"The entrance is within the bowels of browsers. That's where the success is," he said.
Windows or Mac?
The old saw that Apple computers are not vulnerable to adware, spyware and viruses is pure bunk, said Mark Loveless, senior security researcher at security firm Network Access Control. "All browsers have problems -- period," he said.
He credits Microsoft with doing a better job lately with security patches, but he is quick to add that Microsoft has a long way to go to solve security problems.
"It still takes Microsoft too long to issue critical patches," Loveless said.
"Firefox has always moved quickly and posts complete information on its bugs and what the patches or upgrades fix. Often, Microsoft issues silent patches so users do not know what is going on," he complained.
Apple, on the other hand, arrogantly says that its Safari browser is secure and that no one bothers them, Loveless said, but now hackers are starting to build attacks against it.
"Safari is made vulnerable for the same reasons as any Windows browser. Safari uses common pieces of Apple code," he pointed out, "so hackers have a common pool of code to attack. Until now, hackers have gone where the most users are -- Windows computers. That is now starting to change."
No Silver Bullet
The browser security situation is pretty much hopeless today, in Gruper's view.
"There is no chance of fixing it for the consumer. The only option is for software developers to augment security by third-party programs that will limit exposure," he concluded.
To fix browser threats, the industry needs a concerted effort to redefine operating boundaries for software running on a computer, Lawson concurred. He sees Vista as a good step forward.
"Application authors need to do more security in their own program code. They have to define restrictions and privileges," he urged.