Client-side browser vulnerabilities, the ones that require the browser software on your computer to make a request to a web site hosting a malicious web page, are on a sharp rise. Sophos reports:
From January to the end of March, Sophos identified an average of 5,000 new infected webpages every day, indicating that this route to infection is becoming more popular with cybercriminals.
Not all of the infected websites were created by the hackers themselves. Sophos has found that the majority, 70 percent, were bonafide websites that were vulnerable to attack because they were unpatched, poorly coded or had not been maintained by their owners.
This means there are 3500 newly infected web pages a day that are on bonafide websites. Couple this with the fact that there are browser vulnerabilities where no patch is available that effect most users and you have to say the bad guys really are winning.
Understanding the attack scenario
It takes two to tango in this devastating exploit scenario. An attacker needs to find a vulnerable website and he needs to craft a browser exploit to plant on it. But the beauty of this attack from the attackers perspective is it is opportunistic and the odds are in his favor. Here are the ingredients:
- the set of website vulnerabilities that allows modification of content
- the set of bonafide websites unpatched for the modification vulnerabilities
- the set of browser flaws that allow attackers to execute code
- the set of browsers unpatched for the code execution vulnerabilities
The attacker just needs one ingredient from each set, 1-4, and he can compromise a client machine that visits the bonafide websites. Unless one of the ingredients above is completely eliminated the opportunistic nature of this attack makes it clear that there is always going to be a certain percentage of compromised machines.
So which is the best set above to eliminate? Number 1 doesn’t seem like an easy target since there are many web servers and thousands of web applications, including custom web applications. Number 2 isn’t a good plan because attackers could just host their own fake web site, which while not as dangerous is still a significant attack vector. Number 3 looks like a good set to eliminate. Even though browsers are very complex there is still only a handful of them which makes the code that needs to be secure reasonable. Number 4 doesn’t solve the zero day problem or the problem where a patch hasn’t been released by the vendor yet.
Attacking the root cause
We need to get on to solving number 3 in earnest. Vendors who supply browsers or plug-ins that extend browsers such as Apple Quicktime need to do a much better job of software security. You guys are the weak link in the chain for client systems. If client computers can be compromised, the internet security foundation crumbles.
There is some good news. We don’t need to find every browser or browser plug-in vulnerability, just the ones that allow code to be downloaded and executed on the client. This is a big category but it is limited. If you look at MITRE’s CWE there is only a certain set of root causes that have the consequence of remote command execution:
- CWE ID 77 Command Injection
- CWE ID 79 Cross-site scripting (XSS)
- CWE ID 88 Argument Injection or Modification
- CWE ID 121 Stack Overflow
- CWE ID 122 Heap overflow
- CWE ID 123 Write-what-where condition
- CWE ID 124 Boundary beginning violation (‘buffer underwrite’)
- CWE ID 128 Wrap-around error
- CWE ID 129 Unchecked array indexing
- CWE ID 132 Miscalculated null termination
- CWE ID 134 Format string vulnerability
- CWE ID 170 Improper Null Termination
- CWE ID 190 Integer overflow (wrap or wraparound)
- CWE ID 192 Integer coercion error
- CWE ID 196 Unsigned to signed conversion error
- CWE ID 252 Unchecked Return Value
- CWE ID 364 Signal handler race condition
- CWE ID 415 Double Free
- CWE ID 416 Use After Free
- CWE ID 426 Untrusted Search Path
- CWE ID 469 Improper pointer subtraction
- CWE ID 479 Unsafe function call from a signal handler
- CWE ID 590 Improperly Freeing Heap Memory
There are certainly more vulnerabilities that are specific to the designs of the browsers or plugins but this is a good start. Eliminate these and the bar has been significantly raised.
Apple, Mozilla, Microsoft, Opera and all the plug-in vendors, the client side browser vulnerability crisis is yours to solve. We need significantly less remote code execution vulnerabilities in your code.
Written by: Chris Wysopal