Product Code Database
Browser security is the application of Internet security to in order to protect computer network data and from breaches of privacy or malware. Security exploits of web browser often use JavaScript, sometimes with cross-site scripting (XSS) with a secondary payload using Adobe Flash. Security exploits can also take advantage of vulnerabilities (security holes) that are commonly exploited in all web browser.
Whenever a browser communicates with a website, the website, as part of that communication, collects some information about the browser (in order to process the formatting of the page to be delivered, if nothing else). If malicious code has been inserted into the website's content, or in a worst-case scenario, if that website has been specifically designed to host malicious code, then vulnerabilities specific to a particular browser can allow this malicious code to run processes within the browser application in unintended ways (and remember, one of the bits of information that a website collects from a browser communication is the browser's identity- allowing specific vulnerabilities to be exploited). Once an attacker is able to run processes on the visitor's machine, then exploiting known security vulnerabilities can allow the attacker to gain privileged access (if the browser isn't already running with privileged access) to the "infected" system in order to perform an even greater variety of malicious processes and activities on the machine or even the victim's whole network.
Breaches of web browser security are usually for the purpose of bypassing protections to display pop-up advertising collecting personally identifiable information (PII) for either Internet marketing or identity theft, website tracking or web analytics about a user against their will using tools such as , Clickjacking, Likejacking (where Facebook's like button is targeted), , or Flash cookies (Local Shared Objects or LSOs); installing adware, Computer virus, spyware such as Trojan horses (to gain access to users' personal computers via cracking) or other malware including online banking theft using man-in-the-browser attacks.
In depth study of vulnerabilities in Chromium web-browser indicates that, Improper Input Validation (CWE-20) and Improper Access Control (CWE-284) are the most occurring root causes for security vulnerabilities. (2017). 9781509057290 ISBN 9781509057290 Furthermore, among vulnerabilities examined at the time of this study, 106 vulnerabilities occurred in Chromium because of reusing or importing vulnerable versions of third party libraries.
Vulnerabilities in the web browser software itself can be minimized by keeping browser software updated, but will not be sufficient if the underlying operating system is compromised, for example, by a rootkit. Some subcomponents of browsers such as scripting, add-ons, and cookies are particularly vulnerable ("the confused deputy problem") and also need to be addressed.
Following the principle of defence in depth, a fully patched and correctly configured browser may not be sufficient to ensure that browser-related security issues cannot occur. For example, a rootkit can keystroke logger while someone logs into a banking website, or carry out a man-in-the-middle attack by modifying network traffic to and from a web browser. DNS hijacking or DNS spoofing may be used to return false positives for mistyped website names, or to subvert search results for popular search engines. Malware such as RSPlug simply modifies a system's configuration to point at rogue DNS servers.
Browsers can use more secure methods of network communication to help prevent some of these attacks:
Perimeter defenses, typically through firewalls and the use of filtering that block malicious websites and perform antivirus scans of any file downloads, are commonly implemented as a best practice in large organizations to block malicious network traffic before it reaches a browser.
The topic of browser security has grown to the point of spawning the creation of entire organizations, such as The Browser Exploitation Framework Project, creating platforms to collect tools to breach browser security, ostensibly in order to test browsers and network systems for vulnerabilities.
Charlie Miller recommended "not to install Flash" at the computer security conference CanSecWest. Several other security experts also recommend to either not install Adobe Flash Player or to block it.
An un-compromised browser guarantees that the address bar is correct. This guarantee is one reason why browsers will generally display a warning when entering fullscreen mode, on top of where the address bar would normally be, so that a fullscreen website cannot make a fake browser user interface with a fake address bar.
Internet Explorer 4 and later allows the blocklisting and allowlisting of ActiveX controls, add-ons and browser extensions in various ways.
Internet Explorer 7 added "protected mode", a technology that hardens the browser through the application of a security sandboxing feature of Windows Vista called Mandatory Integrity Control. Google Chrome provides a sandbox to limit web page access to the operating system.
Suspected malware sites reported to Google, and confirmed by Google, are flagged as hosting malware in certain browsers.
There are third-party extensions and plugins available to harden even the latest browsers, and some for older browsers and operating systems. Whitelist-based software such as NoScript can block JavaScript and Adobe Flash which is used for most attacks on privacy, allowing users to choose only sites they know are safe – AdBlock Plus also uses whitelist ad filtering rules subscriptions, though both the software itself and the filtering list maintainers have come under controversy for by-default allowing some sites to pass the pre-set filters. The US-CERT recommends to block Adobe Flash using NoScript.
|
|
