Skip to comments.The False Promise of Browser Security
Posted on 10/11/2006 6:22:16 PM PDT by Swordmaker
All Web browsers are insecure to some degree, because they all must work with flawed code in the operating systems. There are some indications of progress, such as frequent patches from Microsoft and Mozilla to close security holes. Still, these actions may be too little too late if a zero-day exploit is the attack weapon.
Internet users are under attack -- and what's more, there's no bulletproof defense against hackers on the horizon Despite hype to the contrary from marketing departments at Microsoft (Nasdaq: MSFT) , Apple (Nasdaq: AAPL) and Mozilla, Web browsers themselves -- not just the operating systems that run them -- are to blame for many security flaws.
Vulnerabilities are so embedded in any browser that surfing the Web is no safer than driving a tank through a mine field while blindfolded. Sooner or later, you will run over a mine. Internet surfers cannot escape inevitable hits by attackers. For those surfing the Web, the risk of identity theft, phishing attacks and malware infection is always lurking.
Avoiding obvious malware havens like porn and game sites can only help reduce attack risks by a little. Not using Microsoft's Internet Explorer -- either the current version or the soon-to-be released version 7.0 -- will likely do little more than delay the inevitable attack.
"All browsers have exploitable vulnerabilities. What matters most now is which one is less likely to get hacked," Jeremiah Grossman, founder and CTO of Whitehat Security, told TechNewsWorld.
"[Mozilla's] Firefox is the choice to use to stay out of the fray," he maintained.
All Web browsers are insecure to some degree, though, because they all must work with flawed code in the operating systems. There are some indications of progress, such as frequent patches from Microsoft and Mozilla to close security holes. Still, these actions may be too little too late if a zero-day exploit is the attack weapon.
"[Internet Explorer] and Firefox are about the same in terms of the access to vulnerabilities. The only distinction is that Firefox does not use ActiveX," explained Shimon Gruper, vice president of technologies for Alladin eSafe Business Unit.
"ActiveX allows Web-based applications to run on the local computer until the task is complete. This is very insecure," he explained.
"There is no way to be fully protected from a vulnerability. For the short term, there is not much that anybody can do to fix this," Grossman added.
That bleak assessment of browser security was echoed by Nate Lawson, engineering director for Cryptography Research -- a company that evaluates and analyzes technologies and systems for security firms.
Apple computer users tend to feel less under the gun when it comes to security, but using the Safari browser offers little or no reprieve.
"None of the browsers -- [Internet Explorer], FireFox or Safari -- are designed with security architecture in mind. None are very different," Grossman maintained.
User Base Targeted
The choice of browser determines whether a computer user will be squarely in the firing line or slightly out of attackers' crosshairs. The Microsoft Internet Explorer browser has a much larger user base -- about 82 percent -- so hackers target it, reported Gruper.
"The bad guys are mostly going after the most users, which is the Microsoft Internet Explorer. Firefox is not attacked as much. It isn't any more secure -- just not targeted as often," Grossman pointed out.
Criminals have invested time and money to hack into Internet Explorer because that is where most users are, Gruper echoed.
The Macintosh browser, Safari, has a smaller user base, he noted, but it is not any less vulnerable from a technological perspective.
Safari is similar in design to Firefox but is not otherwise significantly different from Internet Explorer, added Lawson.
Browser Structure Faulty
The Windows platform takes a lot of heat over security because it gives users full administrator's rights, which means that rogue program code and hackers can obtain full access to the system. Internet Explorer is less secure than other browsers because any flaw in the browser compromises the entire operating system, Lawson maintained.
That will change somewhat for the better with IE 7.0 running on Microsoft's new operating system, Vista, suggested Gruper. Vista will offer better security because user rights are more restricted. Even IE 7.0 running on Windows XP will be more secure.
All of the browsers are designed compartmentally, according to Lawson, which means that various tasks -- such as rendering images to the screen, maintaining HTTP connections -- are built into integrated compartments. No single compartment restricts privileges or access to the other.
One of the most effective measures users can take to lower their vulnerability to intrusion is to disable Java scripts and Microsoft's ActiveX features in Internet Explorer, suggested Grossman. Of course, that makes it impossible to view some Web sites or, at best, allows limited visibility.
Firefox is better at configurability, which might lessen risk levels, according to Lawson. He recommends disabling functions that aren't being used and installing the flash block extension.
Internet Explorer has a higher attack surface, he noted, mostly due to ActiveX and Java script. These expose every scriptable component on the entire operating system.
As Grossman sees it, the browser security situation is getting worse, because the Web has become the new battleground used by the bad guys seeking new sources of money. There is no need for attackers to go after the operating system anymore.
"The entrance is within the bowels of browsers. That's where the success is," he said.
Windows or Mac?
The old saw that Apple computers are not vulnerable to adware, spyware and viruses is pure bunk, said Mark Loveless, senior security researcher at security firm Network Access Control. "All browsers have problems -- period," he said.
He credits Microsoft with doing a better job lately with security patches, but he is quick to add that Microsoft has a long way to go to solve security problems.
"It still takes Microsoft too long to issue critical patches," Loveless said.
"Firefox has always moved quickly and posts complete information on its bugs and what the patches or upgrades fix. Often, Microsoft issues silent patches so users do not know what is going on," he complained.
Apple, on the other hand, arrogantly says that its Safari browser is secure and that no one bothers them, Loveless said, but now hackers are starting to build attacks against it.
"Safari is made vulnerable for the same reasons as any Windows browser. Safari uses common pieces of Apple code," he pointed out, "so hackers have a common pool of code to attack. Until now, hackers have gone where the most users are -- Windows computers. That is now starting to change."
No Silver Bullet
The browser security situation is pretty much hopeless today, in Gruper's view.
"There is no chance of fixing it for the consumer. The only option is for software developers to augment security by third-party programs that will limit exposure," he concluded.
To fix browser threats, the industry needs a concerted effort to redefine operating boundaries for software running on a computer, Lawson concurred. He sees Vista as a good step forward.
"Application authors need to do more security in their own program code. They have to define restrictions and privileges," he urged.
The old saw that Apple computers are not vulnerable to adware, spyware and viruses is pure bunk, said Mark Loveless, senior security researcher at security firm Network Access Control.
The Clueless interviewing the clueless.
This article reads like FUD...
If you want on or off the Mac Ping List, Freepmail me.
OK - I'll bite. When Mr. Mark Clueless demonstrates ONE - just one - adware/spyware/or virus that my PowerMac or iBook can be "infected" with, I will be more than happy to back him up. I'm waiting....
This FUD brought to you by _________ ________ (fill in the blanks)
""The entrance is within the bowels of browsers. That's where the success is," [Grossman] said."
And Mark Loveless's opinion belongs at the discharge point...
Im glad that Mac users have weathered the storm so far, but to quote a my favorite book Pride goeth before destruction, and a haughty spirit before a fall, Proverbs 16:18.
Your turn will come, just a matter of time (I personally hope it never happens as my next puter will be a Mac.).
Well, so much for that theory. I am an Mac user, Safari of course, and just had a major hit of identity theft via the computer. Epassporte.com has my money and they do not cooperate at all with your bank, the law enforcement agencies, no one! BEWARE !
Oh I am sure some sophisticated phishing attack might get a few Mac users, but all of the normal methods, buffer overflow, root level access, tightly integrated systems exploits, simply aren't there for Mac hackers to exploit.
I am getting back into programming on the Mac and the first thing I do for fun is to try and figure out how to exploit the machine to get the most out of it. So far the best I can come up with is some scripting code in Python because it is interpretive. Or simply code something nasty with a legitimate program that I can back door. But Microsoft already does that don't they?
I was talking to a Microsoft security programmer the other day and his biggest complaint was that the hackers use the security releases to figure out how to hack the system so that people that don't upgrade are then vulnerable. He thinks that the 'fixes' often cause more problems than they solve, a two edged sword.
He also said that for Vista, Microsoft doesn't plan to offer any security patches, they think it will be perfect out the door. Interesting huh.
Im not a conspiracy buff by any means, but sometimes I feel that Microsoft is doing this or purpose. Each version of Windows is supposed to eliminate all these intrusion problems, yet they either still exist or new problems crop up.
Microsoft has a gazillion programmers and a gazillion dollars and they cant come up with a piece of software that cant be penetrated by amateur hackers????!!! As Yoda would say, a break give me.
if you want your computer to be 100% secure then unplug it and turn it off.
Would you settle for secure enough? Echo. Until you or anyone else can demonstrate that they can hack my computer I am not going to worry about my computers security.
On the other hand, it has been demonstrated countless times that you window's users can be very easily hacked. If you doubt me I can send you an e-mail that will make my point, all you have to do is be running XP and open the attachment with Outlook :^) Or if you prefer I could direct you to a couple of websites that will do more subtle things to your computer.
If you send me an email I will open any attachment. Do you want to see who crashes who first? This could be fun.
John Doe and Joe Blow are about the same in terms of vulnerability to poison. The only distinction is that Joe does not pick and eat any old wild mushroom he comes across.
Do you mean why "doesn't" the govt? Because it is easier to write programs for Windows than it is for the Mac? The only reason for owning a windows computer is because you use a program or programs that are only available on windows.
Apple made a big mistake back in the early years when it was the hot computer. They charged a lot of money for a development system (software and support) for a platform that was harder to program on than DOS. Microsoft was smarter, they gave it away for free and offered free support too.
Finally Apple now gives it away for free (since about 2001 or so I think), but they are playing catch up, big time. Now for the first time it is actually getting slightly easier to program Mac's than it is to program Windows.
After the US Army's website running on Windows NT was hacked by a teenager and defaced, they switched to Macintosh xServes running OS X Server.
Despite the fact that the Army website is the target of hundreds of attacks every day, not one has succeeded since the switch to Mac systems in 1999. And uptime for the site is running at 99.995 percent.
Says the officer in charge who made the switch to Macs:
I wanted high-speed systems that could handle any application we needed, keep the site available 24 hours a day, not be vulnerable to every passing virus, and fend off hackers without my staff having to spend all their time applying security patches .Other comments on the US Army's choice of Apple Macintosh computers for their website:
Mark H. Wiggins, Lt. Col., U.S. Army, Ret. Former director, www.army.mil
The host Xserve and its backup are tied to an Xserve RAID storage system. Although the facility where www.army.mil resides already had a 200TB storage array, IT managers decided to go with Xserve RAID for the website because of its lower hardware and support costs. The bang for the buck with Xserve RAID is fantastic, site manager Cerniuk says. And the performance is just outstanding.
How many IT people does it take to run www.army.mil and its associated systems? Thanks to the simplicity and reliability of Xserve and Mac OS X Server, Cerniuks team consists of only three people including himself. As he notes proudly, We have a small group thats managing one of the largest sites in the world.
And the switch to Apple solutions brought another benefit. When we moved to a Mac OS based system, we were able to focus less of our energy on security. Now, instead of spending their time installing patches, Cerniuks staff is free to explore ways to make the site even more valuable to the Army community. In addition, the Mac systems are part of an overall multiplatform strategy that Cerniuk considers vitally important for any organization. If you only have one type of system, you can be taken down by a single virus. Our diversity gives the Army better security.
With the proven success of Mac systems at www.army.mil, Cerniuk often gets calls from other government webmasters considering a switch. What does he tell them? Contact Apple, test it, and then deploy it. And how has that advice been received? Weve converted some very staunch Windows folks.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.