Are Browsers the Weakest Link of the Security Chain?
The number of cyber attacks is constantly increasing, and according to security experts they grow even more sophisticated. The security firm Secunia has recently released its annual study of trends in software vulnerabilities, an interesting report that highlights the impact of the presence of flaws in common software and provides useful details on the way bad actors exploit them. According to data provided by Secunia, the number of Web browser vulnerabilities and zero-day exploited by hackers worldwide in 2014 has increased in a significant way.
The report provides an interesting picture of the current level of security for the principal browsers (Google Chrome, Mozilla Firefox, Internet Explorer, Opera and Safari). The data provided by Secunia show that there were 1,035 vulnerabilities in these popular software in 2014, compared to 728 in 2013. The data are alarming considering that the percentage of increase is 42% and that the majority of the flaws discovered in the principal browsers were rated as ‘Highly Critical’.
Secunia ranked a vulnerability as Highly Critical when its exploitation could allow an attacker to compromise the vulnerable system. In the majority of cases, successful exploitation of these flaws does not require any user interaction.
Figure 1 – Vulnerabilities in the five most popular browsers (Secunia)
The following chart shows the number of vulnerabilities by browser, as reported by Secunia. The experts also provided an analysis of the risk of exposure for the clients. The risk of exposure is calculated by multiplying the “Market share” of a specific browser for the percentage of “Unpatched” systems. Firefox, Chrome and Internet Explorer resulted in more exposure to risk of hacking.
Figure 2 – Distribution of vulnerabilities across the five most popular browsers (Secunia)
As usual, the principal problem resides in the way users manage their browsers. Unfortunately, one in three Mozilla Firefox and Opera users has neglected to apply a patch, even though a software update is available.
Figure 3 – Vulnerabilities In the five most popular browsers (Secunia)
The good news is that the patches are made available very quickly for vulnerabilities that were discovered in the browsers. This means that browser vendors are spending a great effort to secure their software and protect the users.
Hacking Browsers – Pwn2Own hacking contest
Data presented by the Secunia firm demonstrate the great interest of the hacking community that constantly targets these applications by exploiting well-known vulnerabilities or zero-day exploits. Is it so hard for a skilled hacker to compromise a browser? Which are most vulnerable software to surf the Internet?
Unfortunately, every browser could be compromised due to the presence of a vulnerability in its structure, and skilled hackers could easily exploit them, as happened during the recent Pwn2Own, one of the most popular hacking contests held in Vancouver.
During the latest edition of the contest, two researchers successfully hacked the four major browsers, Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and Apple Safari.
The organization of the annual Pwn2Own hacking competition paid $442,000 for 21 critical bugs in all four major browsers, as well as Windows, Adobe Flash, and Adobe Reader.
“With all of this, lokihardt managed to get the single biggest payout of the competition, not to mention the single biggest payout in Pwn2Own history: $75,000 USD for the Chrome bug, an extra $25,000 for the privilege escalation to SYSTEM, and another $10,000 from Google for hitting the beta version for a grand total of $110,000,” Pwn2Own organizers wrote in a blog post. “To put it another way, lokihardt earned roughly $916 a second for his two-minute demonstration.”
In particular, the Korean researcher Jung Hoon Lee earned $110,000 in just two minutes by using nearly 2000 lines of code to take down both stable and beta versions of Chrome by exploiting a buffer overflow race condition in the browser.
Figure 4 – Researchers successfully hacked the four major browsers at Pwn2Own hacking contest
In the same day, Lee also hacked a 64-bit version of IE 11 exploiting a time-of-check to time-of-use (TOCTOU) vulnerability. A TOCTOU flaw is a software bug caused by changes in a system between the checking of a condition (i.e. the value of a variable, a security credential) and the use of the results of that check.
The flaw exploited by the Korean expert is related to the interval between the time a file property is checked and the time the file is used, allowed the research a privilege escalation. Lee closed the day exploiting a use-after-free vulnerability to take down the Safari browser.
In just one day, Lee earned about $225,000 hacking the main browser. GREAT JOB!
Lee isn’t the only expert that demonstrated the vulnerability of principal browsers. A researcher operating under the pseudonym ilxu1a hacked the Mozilla browser. The researchers discovered an out-of-bounds read/write vulnerability through static analysis, and by exploiting it he obtained a medium-integrity code execution. The same exploit did not work for Chrome.
In the following list are reported the bugs discovered in the principal browsers during the Pwn2Own hacking competition hosted by HP’s Zero Day Initiative and Google’s Project Zero:
- Microsoft Windows: 5 bugs
- Microsoft IE 11: 4 bugs
- Mozilla Firefox: 3 bugs
- Adobe Reader: 3 bugs
- Adobe Flash: 3 bugs
- Apple Safari: 2 bugs
- Google Chrome: 1 bug
Browser vulnerabilities and attack scenarios
Web browsers are a privileged target for attackers because these applications manage an impressive amount of information from financial data to personal information.
Which are the top vulnerabilities exploited by attackers in their attacks against web browsers?
We must distinguish browser vulnerabilities from website vulnerabilities (i.e. XSS, CSRF). In this section, we will address the first group of flaws.
Speaking of the browser security mechanism, readers will find in numerous contexts the concept of Same Origin Policy, also known as SOP.
The same origin policy is the most important concept in the current approach to web application security.
The term “origin” is defined as the combination of URI scheme, hostname, and port number, and according to a specific policy, a browser software allows scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin. This policy is essential to avoid a malicious code from being executed in one page to obtain access to sensitive data on another web page through that page’s Document Object Model (DOM).The same origin policy is crucial in modern browsers, especially when data managed by the pages are used by the authentication mechanism implemented by web services (e.g. authentication cookies, session tokens).
In many cases, the attackers target the same-origin policy to steal sensitive data and bypass authentication mechanisms implemented by many websites, independently from the various SOP implementations (e.g. Adobe Reader/Flash, Java and Silverlight).
In December 2014, security experts at Trend Micro discovered a series of hacking attacks targeting Facebook users and exploiting the Same Origin Policy vulnerability.
The Android Same Origin Policy (SOP) vulnerability (CVE-2014-6041) was first disclosed in September 2014 by the security expert Rafay Baloch, which noticed that the AOSP (Android Open Source Platform) browser installed on Android 4.2.1 was vulnerable to the Same Origin Policy (SOP) vulnerability that allows one website to steal data from another.
According to security experts at Trend Micro and Facebook, many users of the popular social network have been targeted by cyber attacks that attempt to exploit the Same Origin Policy (SOP) vulnerability. The most worrying aspect of the attacks is the simplicity to run them due to the availability of a Metasploit exploit code to automate them.
Code execution exploits are among the most common types of flaws exploited by attackers that typically search for a vulnerability in the browser itself or in a plugin it uses.
The exploitation of a flaw in one of the above components could give the attacker the possibility to control the host machine downloading malicious payloads and exfiltrating data. Contrary to what many people believe, the attacker has multiple attack vectors to exploit this kind of flaw. Threat actors in fact can compromise a legitimate site, can compromise advertising networks or can simply run a malicious phishing campaign to share links to a compromised website hosting the exploit kits.
Fortunately, this kind of flaw is usually patched rapidly by browser vendors. For this reason it is crucial to update the browser and the OS in order to limit the window of exposure to cyber attacks. Another common way to hack browsers is to run code execution exploits in plugins. Almost every plugin used by principal browsers has been found to have vulnerabilities exploited in cyber attacks in the wild. Let’s consider for example the numerous attacks that targeted Java, Flash and Silverlight components of the browsers.
Plugin are usually used to improve capabilities of browsers and implement supplementary features, but these precious components are made by software that could be affected by flaw.
Plugins are usually targeted by hackers for drive-by downloads attacks and traffic hijacking. In the first case, the attackers force the download and the execution of malicious code on the targeted system exploiting the plugin. In the second attack scenario, the traffic of victims is redirected to a host controlled by attackers that use them for malicious purposes, like malware spreading.
Like browser exploits, vulnerabilities affecting plugins are very insidious. Despite that vendors often provide software in a short time, it is quite easy to find browsers in the wild that use an outdated version of browser plugins. To protect browsers from this type of attack, it is fundamental to keep updated not only the browser software, but also any other plugin it uses.
Plugins aren’t the only components of browsers. Hackers could also target browser extensions because they always run in a privileged context. For this reason, the exploitation of a flawed extension or the installation of malicious extensions could allow attackers to gain control over the victim’s machine.
The last category of attacks I desire to introduce targets browser functions by exploiting security vulnerabilities in web applications.
In this case, the attackers abuse existing functionality of the web browser software to subvert the system. This type of attack includes launching traditional web application attacks from the hooked browser. The attack became with this approach the entry point for the internal network.
This category of attack is still effective even if threat actors don’t bypass the SOP mechanism because they can still send cross-origin requests without generating a preflight request and can exploit various kinds of vulnerabilities, such as cross-site request forgery flaws and arbitrary code execution flaws, and run denial of service attacks.
Also very common are attacks that target the user interface of browsers, also known as UI redress attacks. The most popular are Cursorjacking, Clickjacking, and Filejacking.
Clickjacking for example is an attack method that tricks a user into clicking on something different from what he perceives he is clicking on. The practice can be exploited to take complete control of a machine or simply to access sensitive data.
Among principal threats to modern browsers, we cannot forget malware, in particular those malicious codes that implement an attack technique known as Man-in-the-browser.
In a Man-in-the-browser attack schema, the attackers use malicious code to infect victims’ client components such as the browser. Usually MITB appears in the form of BHO (Browser Helper Object)/Active-X Controls/Browser Extension/Add-on/Plugin/ API – Hooking. A Man-in-the-browser attack relies on the presence on the victim machine of a proxy malware that infects the user’s browser exploiting its vulnerabilities. The malware has the ability to modify transaction content or conduct operations for the victims in a completely covert fashion. The malware is usually able to hide its transactions to the client by altering the content proposed by the browser.
Figure 5 – Man-in-the-browser
The malicious code used for Man-in-the-browser attacks is able to bypass multi-factor authentication. In an attack against an online banking service, the malicious code is able to wait for the transactions and modify its content on the fly. By implementing injection mechanisms, the attacker is also able to hide the presence of the malware and its operations, providing evidence of the success of the user’s transaction, altering the content displayed by the browsers once executed.
In this quick tour on browser security, I have introduced the fundamental concepts of browser hacking. Hackers can target numerous components of these powerful software that manage the majority of sensitive data passed from our PC. Recent trends demonstrate that mobile platforms, and consequently their browser applications, are the most targeted architectures.
Unfortunately, as confirmed by data proposed by the study conducted by Secunia security firm, the number of vulnerabilities discovered in most important browsers is increasing, and hackers are targeting these components even more. The good news is that vendors are very responsive in addressing the flaws in their products, limiting the exposure of the users.