Broken Web Browsers: Malware’s New Address?
Malware has a new address: Web browsers. This is not the first time malicious code has set up shop in popular access tools such as Microsoft Internet Explorer and Google Chrome, but according to new research from the Ponemon Institute detailed in a recent Infosecurity Magazine article, browser vulnerabilities are on the rise. What can companies do to keep corporate data safe and prevent employees from accidentally compromising secure networks using broken Web browsers?
According to the report, more than 75 percent of enterprises have been infiltrated with malware via broken Web browsers, with the average cost of such a breach ringing in at $62,000. Despite implementing multilayer, in-depth security controls, most organizations had more than 50 breaches in the past year. In fact, 69 percent of IT security professionals surveyed said browser-borne malware is a greater threat now than it was 12 months ago. Even worse, 81 percent say insecure browsers are the primary attack vector for malware, with 74 percent claiming “traditional” detection technologies can no longer effectively stop these types of attacks. In addition, just 31 percent agree commercial browsers have the same kind of built-in security controls necessary to stop these kinds of attacks.
Dark Reading, meanwhile, points to several factors in the spread of browser malware. First, companies are bogged down by the problem of psychological “inertia,” with 65 percent of security professionals saying it’s hard to shake their dependence on traditional security controls even when they prove ineffective. Additionally, many enterprises are still convinced browser makers have the best line on security and, with enough time, big-name brands will patch their most important malware holes. Is this just wishful thinking, however?
Real-World Concerns With Broken Web Browsers
Out in the wild of the World Wide Web, browsers are continually undergoing security upgrades. According to Threatpost, for example, Google’s Chrome 40 update recently patched 62 vulnerabilities in the browser, 17 of which were considered “high-severity” by the search giant. Most were memory corruptions or use-after-free vulnerabilities in components such as ICU, V8 or FFmpeg. In addition to internal fixes, the Google team also paid tens of thousands of dollars in bounties to freelance security researchers; one scored more than $12,000 for identifying three bugs. While this focus on security is admirable, it raises an important point: Despite Chrome’s widespread use and long history, bugs are still being discovered, some of which pose real risk to enterprises. Is bounty hunting enough to stop the threat?
Also worth mentioning is the recent universal cross-scripting vulnerability discovered in Internet Explorer. As noted by PCWorld, the weakness lets malicious attackers bypass the same-origin policy, which should prevent code used by one website and loaded in an iframe on a different website from affecting the first site’s content. However, this new vulnerability allows a phishing attack that takes the form of a legitimate-looking link on an authentic Web page. When clicked, a rogue page is opened, but because the same-origin policy is bypassed, the browser’s address bar continues to show the legitimate Web page address. For example, in the context of a banking site, this means users could be redirected to malware-laden pages but have no idea because the Web address would never change.
Underneath It All
The bottom line is that all Web browsers are broken Web browsers to some degree, depending on their patch cycle and current suite of discovered vulnerabilities. According to ReadWrite, there may be a common cause: laziness. It argues that Web developers have become lazy with their code when it comes to application development, but the same also applies to Web browsers. In large measure, this laziness comes as an honest reaction to consumer demand. Access trumps evaluation, and speed trumps security. The result, however, is a market of commercial Web browsers unable to handle advanced malware threats, putting corporate users at risk.
Managing browser security requires a twofold approach. First, enterprises must be willing to give up traditional methods of protection in favor of advanced endpoint security that acts in real time to detect malicious code or suspicious behavior. Gone are the days of catchall firewalls and zero-day patches. Second, organizations must shed the notion that browsers are the first line of security or form the basis of any secure defense. It is better to assume a breach is imminent, happening or has just occurred rather than be surprised by newly discovered, damaging vulnerabilities.
Browser malware is on the rise and is here to stay. Combating the problem requires a change of address — security needs a new home.