Client-side browser vulnerabilities, the ones that are triggered when the browser on your computer requests a web page hosting malicious content, are on a sharp rise. Sophos reports:
From January to the end of March, Sophos identified an average of 5,000 new infected webpages every day, indicating that this route to infection is becoming more popular with cybercriminals.
Not all of the infected websites were created by the hackers themselves. Sophos has found that the majority, 70 percent, were bona fide websites that were vulnerable to attack because they were unpatched, poorly coded or had not been maintained by their owners.
This means there are 3,500 newly infected web pages a day (70 percent of 5,000) on bona fide websites. Couple this with the fact that there are browser vulnerabilities with no patch available that affect most users, and you have to say the bad guys really are winning.
Understanding the attack scenario
It takes two to tango in this devastating exploit scenario. An attacker needs to find a vulnerable website, and he needs to craft a browser exploit to plant on it. But the beauty of this attack from the attacker's perspective is that it is opportunistic and the odds are in his favor. Here are the ingredients:
The attacker needs just one ingredient from each set, 1 through 4, to compromise a client machine that visits the bona fide website. Unless one of the sets above is completely eliminated, the opportunistic nature of this attack means there is always going to be a certain percentage of compromised machines.
So which set above is the best one to eliminate? Number 1 doesn't look like an easy target, since there are many web servers and thousands of web applications, including custom ones. Number 2 isn't a good plan either, because attackers can simply host their own fake website, which, while less dangerous, is still a significant attack vector. Number 3 looks like a good set to eliminate: even though browsers are very complex, there are only a handful of them, which keeps the amount of code that needs to be secured manageable. Number 4 doesn't solve the zero-day problem, or the case where the vendor hasn't released a patch yet.
Attacking the root cause
We need to get on with solving number 3 in earnest. Vendors who supply browsers, or plug-ins that extend browsers such as Apple QuickTime, need to do a much better job of software security. You guys are the weak link in the chain for client systems. If client computers can be compromised, the internet's security foundation crumbles.
There is some good news. We don't need to find every browser or browser plug-in vulnerability, just the ones that allow code to be downloaded and executed on the client. That is a big category, but it is a bounded one. If you look at MITRE's CWE, there is only a certain set of root causes whose consequence is remote code execution:
There are certainly more vulnerabilities specific to the designs of individual browsers or plug-ins, but this is a good start. Eliminate these and the bar has been raised significantly.
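To make the "root cause" point concrete, here is an added example (it is not from the original post and is not Apple's or any vendor's code; the "atom" format below is a hypothetical, simplified length-prefixed container, not QuickTime's real one). It shows the shape of the single most common path from "parse a file" to "execute attacker code" in a plug-in: arithmetic on an attacker-controlled length field followed by a copy bounded by that field instead of by the destination, next to the hardened form that checks every file-supplied number against both the bytes actually present and the destination's capacity.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ATOM_HDR 8u          /* 4-byte big-endian size + 4-byte type tag */
#define MAX_PAYLOAD 64u      /* fixed per-atom buffer a plug-in might use */

struct atom {
    char type[5];
    uint8_t payload[MAX_PAYLOAD];
    uint32_t payload_len;
};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  | (uint32_t)p[3];
}

/* Length the vulnerable parser hands to memcpy: the trusted size field
 * minus the header, unchecked. A size field below 8 wraps to ~4 GiB. */
uint32_t vulnerable_copy_len(uint32_t size_field) {
    return size_field - ATOM_HDR;
}

/* VULNERABLE: two root causes in three lines. The wrapped length, or any
 * size field above 72, copies attacker bytes past payload[]. Whatever sits
 * after the buffer (return address, heap metadata, an object's vtable
 * pointer) is what turns "open a file" into "run attacker code". Never
 * feed this untrusted input; it is here to show the shape of the bug. */
int parse_atom_vulnerable(struct atom *out, const uint8_t *in, size_t in_len) {
    if (in_len < ATOM_HDR) return -1;
    uint32_t plen = vulnerable_copy_len(be32(in));
    memcpy(out->type, in + 4, 4);
    out->type[4] = '\0';
    memcpy(out->payload, in + ATOM_HDR, plen);   /* unbounded copy */
    out->payload_len = plen;
    return (int)(plen + ATOM_HDR);
}

/* HARDENED: every number that came from the file is checked before use.
 * Returns bytes consumed, or -1 for a malformed atom. */
int parse_atom_safe(struct atom *out, const uint8_t *in, size_t in_len) {
    if (in_len < ATOM_HDR) return -1;
    uint32_t size = be32(in);
    if (size < ATOM_HDR) return -1;              /* would underflow          */
    if (size > in_len) return -1;                /* claims bytes not present */
    uint32_t plen = size - ATOM_HDR;
    if (plen > MAX_PAYLOAD) return -1;           /* bounded by destination   */
    memcpy(out->type, in + 4, 4);
    out->type[4] = '\0';
    memcpy(out->payload, in + ATOM_HDR, plen);
    out->payload_len = plen;
    return (int)size;
}

/* Walks a whole buffer of atoms with the hardened parser.
 * Returns the number of atoms, or -1 as soon as one is malformed. */
int count_atoms_safe(const uint8_t *buf, size_t len) {
    struct atom a;
    size_t off = 0;
    int n = 0;
    while (off < len) {
        int used = parse_atom_safe(&a, buf + off, len - off);
        if (used < 0) return -1;
        off += (size_t)used;
        n++;
    }
    return n;
}

/* Constructed sample inputs (not captured from any real file). */
const uint8_t GOOD_FILE[] = {
    0, 0, 0, 12, 'm', 'o', 'o', 'v', 1, 2, 3, 4,  /* size 12, 4-byte payload */
    0, 0, 0, 8,  'f', 'r', 'e', 'e',              /* size 8, empty payload   */
};
const uint8_t UNDERFLOW_FILE[] = {
    0, 0, 0, 4,  'm', 'o', 'o', 'v',              /* size 4 < header size    */
};

/* A well-formed 100-byte atom whose 92-byte payload exceeds MAX_PAYLOAD:
 * the input is all present, so only the destination-capacity check stops it. */
int check_oversize_atom(void) {
    uint8_t buf[100] = { 0, 0, 0, 100, 'm', 'o', 'o', 'v' };
    struct atom a;
    return parse_atom_safe(&a, buf, sizeof buf);
}

int main(void) {
    printf("good file: %d atoms\n", count_atoms_safe(GOOD_FILE, sizeof GOOD_FILE));
    printf("underflow file: %d\n", count_atoms_safe(UNDERFLOW_FILE, sizeof UNDERFLOW_FILE));
    printf("oversize atom: %d\n", check_oversize_atom());
    printf("vulnerable copy length for size field 4: %u bytes\n", vulnerable_copy_len(4));
    return 0;
}
```

The hardened version makes the point of the paragraph: the fix is not a clever mitigation but a handful of comparisons that every file-supplied length has to pass, ordered so that the underflow check comes before the subtraction. Applied consistently across a parser, this eliminates the whole class rather than one bug.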
Apple, Mozilla, Microsoft, Opera and all the plug-in vendors: the client-side browser vulnerability crisis is yours to solve. We need significantly fewer remote code execution vulnerabilities in your code.