CounterMeasures - A Security Blog � Updates & Patches

Which browser is the most secure, is that the question?

Rik Ferguson — Wed, 10 Mar 2010 17:20:02 +0000

Over the past week I have been asked twice now for my opinion on the question “Which browser is the most secure?” Probably as a result of the release of Microsoft’s “Browser Choice” update. In my view, this choice that people are being prompted to make is leading most of us to ask the wrong question entirely. Your browser will not keep you safe, whoever made it, you need to take steps to keep *yourself* safe, whichever browser you choose.

Image: J. Anderson

This update no doubt exposes millions of users to a choice which they may not, in many cases, have even been aware they were able to make; the choice of which application to use when browsing the web. Many alternatives are available when making this important choice; Internet Explorer (natch), Mozilla Firefox, Safari, Opera, Google Chrome and seven others are on offer through the Microsoft pop-up.

Rightly security is many folks’ primary concern when browsing online these days, so they want to know which browser is the safest or will offer them the highest personal security. I’m not convinced though that “Which browser is the most secure?” is really the right question.

Every browser has its flaws, vulnerabilities and patches (or lack of them). In any case attacks are increasingly aimed not only at browsers but at application plug-ins like QuickTime, Flash or Acrobat that can be used in multiple different flavours of browser. Either that or they are simply attacks aimed at the individual using the browser (like phishing, pretexting and other social engineering attacks).

Better (and more useful) advice than “Which browser is most secure?” would be “How can I best secure my browser of choice?” Trend Micro offers free tools such as Browser Guard and the Web Protection Add On for Internet Explorer. Browser Guard detects and blocks popularly used exploit techniques (such as heap spray and buffer overflow as well as looking for shellcode) offering proactive protection against unknown threats. The Web protection Add-On blocksknown malicious sites. Many other tools and plug-ins for many other browsers are also out there such as AdBlock Plus or NoScript for Firefox just for example.

It’s different strokes for different folks and various security tools or techniques require varying degrees of familiarity with the browser, with technology or with threats in general in order to effectively protect you without ruining your Internet experience beyond redemption. Helpfully, different indpendent tests and opinions will give you conflicting advice, of course.

In most cases the best advice is stick with the browser you are most familiar with but take steps to secure it. If you suddenly jump into using a browser with which you are unfamiliar, just as a simple knee-jerk reaction your unfamiliarity may leave you less secure than you were before the change.

Google, China, Chicken Little and Cyber Armageddon.

Rik Ferguson — Tue, 19 Jan 2010 14:00:10 +0000

Foxy Loxy by Gustaf Tenggren

In the wake of the highly publicised “highly sophisticated and targeted” attacks on Google, at least three major governments have issued advisories urging their citizens to switch browsers away from Microsoft Internet Explorer. A well-known security company has redesigned their web sites to include a large ominous “Operation Aurora” graphic (that links to trial downloads of pre-existing software). The attacks have been described as “changing the world” by the CTO of that same security company and as “something quite different” by Google.

How much of this is real, justified and proportionate?

So what do we know so far? Well according to Google “In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google“. They go on to say “As part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses–including the Internet, finance, technology, media and chemical sectors–have been similarly targeted. We are currently in the process of notifying those companies“.

Subsequent external conjecture, comment and analysis has blamed unpatched vulnerabilities in Internet Explorer and also in Acrobat Reader, the malware involved has been identified both as variants of the Hydraq Trojan and also as new malware, dubbed by McAfee as Roarur.dr and as TROJ_PIDIEF.SHK. The attack vectors have been identified as mail with malicious PDF attachments and drive-by downloads.

Google, who were hit by the zero-day vulnerability in Internet Explorer, state that at least 20 other companies were victimised, and iDefense who have customers who were hit by the zero-day vulnerability in Acrobat Reader state that 33 companies were affected.

The motivation for the attack has been described both as an attempt to steal intellectual property and also as an attempt to breach the security of email accounts belonging to Chinese human rights activists. The attacks “appear to have been launched from at least six Internet addresses located in Taiwan” according to James Mulvenon, director of the Center for Intelligence Research and Analysis at Defense Group Inc

“Changing the world”? I say not.

The attacks are not the first to use zero-day vulnerabilities, in fact we have most often seen zero-day exploits being first used in targeted attacks before becoming more widely spread and widely abused.

The attacks are not the first to use drive-by download or malicious PDF attachments to achieve their goal.

The attacks are not the most complex multi-component system yet seen, you want complex, look at Koobface!

This is not the first time that warnings have been given to use alternative browsers until a patch becomes available.

This is not the first time that the finger has been pointed at China for a widespread globally distributed espionage attack.

There is no doubt that this attack, or these attacks are methodologically sophisticated. The bad guys were visibly successful at delivering their malicious payloads to the right people in the right companies to get access to things like source code and email accounts, but I don’t see anything here that changes the world.

Social engineering, lack of awareness of the threat landscape, a willingness to share too much information, the highly developed underground economy will all have contributed to the possibility and the success of these attacks.

What can companies and individuals do to try to avoid falling victim to these kinds of attack?

Educate yourselves and your users, clicking a link is enough, opening a PDF is enough to infect you, even on a fully patched system.

That being said make sure all applications and systems are fully patched, if that is not possible, use host-based intrusion prevention to “virtually patch” systems and to secure against zero-day exploits.

When an unpatched vulnerability is identified be sure to follow vendor advice to minimise the risk as soon as possible.

Encrypt valuable personal and intellectual property at file level, that way, even if it is stolen it is of limited value or use.

Consider the deployment of data leakage prevention technologies that will recognise and stop sensitive content from leaving your network.

Rethink your security model from an outside in approach, to an inside out one. Secure data, secure access rights, secure applications. Your perimeter only exists on a network diagram.

At the risk of repeating myself, educate your users not to share too much personal information regarding employers, job roles, contact details. Currently far too many targets are far too visible.

Don’t let Chicken Little run your security.

3 Top Issues in Information Security

Rik Ferguson — Tue, 16 Jun 2009 04:00:31 +0000

1 – Lack of awareness, both at a corporate level and at an end user level.

I am always banging on about a company’s most effective security tool being education, and it’s true. Organisations need to make sure they understand the threat as it really is today, not as they think it is. They need to make sure their users are educated to use the Internet and Internet resources from a position of awareness and caution rather than blind trust in a technological solution. People should be aware of how invisibly infections can occur and where to go if they are concerned they may be a victim.

Equally people need to be made aware of the real monetary value of their own and other people’s personal information and begin to treat it with the care it deserves, rather than offering it to any curious onlooker through social and professional networking, blogging, telephone calls, bogus surveys and more.

2 – Complacency, when it comes to losing data, either as a result of malware of “peopleware” many companies suffer from being complacent. This ties in very strongly to my first point of education. It is important, and in many cases legally or regulatorally (is that even a word?) necessary to protect the data for which you as a company are responsible. This data can fall into many categories Personally Identifiable Information (PII), Intellectual Property, corporate, state or nationally sensitive information, Financial results, login credentials, patient or customer information; the list is almost endless. Every company has their own corpus of data and the relevant obligation to protect that corpus from both inadvertent and malicious exposure and/or misuse.

Currently many companies are being too complacent in this area and are only prompted into action when a breach or a near-breach has occurred. Organisations need to be able to manage patch levels of all machines within their estate at a moment’s notice and also should be deploying host-based Intrusion Prevention technology in areas where patching is impractical or impossible. Additionally there is a responsibility to both employees and to customers to ensure that they have full visibility over how data is handled under their custodianship and this includes all the ad-hoc transfers that take place every day over services like email, HTTP, FTP, Instant Messaging, USB devices.

Is it OK for a medical secretary to email patient notes to a consultant’s hotmail address so the consultant can look at them over the weekend? Is OK for your software developer to take your source code home on a removable device? Is it alright that your payment processing machine is infected with data-stealing malware because you “didn’t have a window to install the OS patch”? I would imagine not, but until you proactively manage your hardware and software estate and also get a clear handle on the scheduled and ad-hoc movement of data you’re just waiting for the breach to happen while it may already have passed you by.

3 – No root cause analysis. Traditionally security solutions, whether at the perimeter, server or client have focussed on detection, blocking and/or cleaning up the results of malicious software infections but have not offered effective root-cause analysis. People need to know where the malware is coming from, was it a drive-by download, an infected USB drive, email, instant messaging or something else? It is not enough to say “Machine X was infected with malware Y but I cleaned up for you, no need to worry”. This may allow the company the comfort of knowing they got away with it this time (and I stress “may”, do you know how long the malware was there before it was detected?) but it does not give anyone the information they need to improve the security posture and lower the risk level of their business and prevent the same or similar infections from recurring. An intelligent security solution needs to monitor activity on a machine and have the ability to give detailed root-cause analysis even in the event of delayed detection of a zero-day exploit.

Foxit PDF Reader beats Adobe to the patch.

Rik Ferguson — Mon, 09 Mar 2009 20:30:27 +0000

The currently actively exploited PDF reader vulnerability that was reported over on the Malware Blog in February, has been causing some serious concerns for users.

Exploitation of the vulnerability, through deliberately malformed PDF documents, results in malicious files being dropped on the victim machine, including the Trojan TROJ_PIDIEF.IN.

The exploit was also unwittingly given a helping hand by Windows Explorer Shell Extensions, allowing the malicious code to be triggered even without the user opening the bad PDF, (a proof of concept was posted by Didier Stevens here).

Despite the security advice issued by US-CERT, the absence of a patch for the world’s most popular PDF software (Adobe Acrobat Reader) and the ubiquitousness of the vulnerability across applications and platforms from many vendors, meant that the best advice to date has simply been to use extreme caution in opening PDF files from unknown sources, or when clicking on links to PDFs in your internet browser.

Why do I bring this relatively old news up now? Well it looks like the good folk over at Foxit Software have beaten Adobe to the punch with a patch to remedy this vulnerability in thier own Foxit Reader. The patch for version 9 of Adobe Acrobat Reader is still anticipated on March 11th, with patches for versions 7 & 8 due one week later.

UPDATE: Adobe have released their Acrobat Reader patch a day ahead of schedule, available here.

Patch Tuesday is a-comin’

Rik Ferguson — Thu, 05 Mar 2009 20:32:16 +0000

So the advance notification for the forthcoming Microsoft “Patch Tuesday” crop has been released; 1 Critical and 2 Important bulletins. That means one that allows remote code execution and two that may lead to compromise of data or resources through spoofing attacks, affecting all currently supported versions of Microsoft Windows

The package will not include a fix for the Excel vulnerability that is currently being exploited, so I would encourage you to read the Microsoft Security Advisory and take note of the mitigation advice.

It’s worth noting that, according to beyondtrust, 92% of critical Microsoft vulnerabilities are mitigated by eliminating Admin rights