As 2009 draws to a close, one thing has become clear: The most dangerous piece of software on your PC isn’t a banking Trojan or a bot; it’s your Web browser.
The Web browser has become the main focal point of attackers’ attention and the frequency with which new vulnerabilities are found in all of the popular browsers is making their work considerably easier than it should be. This is not a vendor-specific problem, as it applies to both Windows machines and Macs, and affects Internet Explorer, Firefox and Safari. And although most of the browsers have improved in terms of security in the last couple of years, the attacks on these applications continue to grow both in scope and sophistication.
It’s gotten to the point that getting owned is now a one-step process: open your browser.
This year has seen the emergence and evolution of a number of browser-based attacks that make the old viruses and network worms look quaint by comparison. Consider what might be the biggest threat to emerge in 2009: mass SQL injection attacks against legitimate Web sites. Attackers are using sophisticated pieces of malware such as Gumblar, Nine Ball, Zeus and others to perform automated SQL injection attacks on thousands upon thousands of sites, compromising their front-end Web applications and loading malware onto their back-end servers. Then, as visitors browse the sites, the malware attempts to exploit various vulnerabilities in their browsers, trying different exploits until one is successful.
These campaigns have been incredibly successful. Gumblar, for example, has been active for most of the year and is continuing to grow, both in terms of the number of sites it has infected and the number of servers it has redirecting victims to the hosts serving exploits. And in many cases, the operators of the sites have no idea that they’ve been compromised. The term epidemic is not too strong for what’s going on with these attacks.
The SQL injection campaigns are just one piece of this increasingly worrisome picture. Another piece is the rise in the number of vulnerabilities discovered in browser add-ons and plug-ins and the consequent increase in attacks against those applications. Browser components such as Apple Quick Time and Adobe Flash have become prime targets for attackers who know that virtually every user has these technologies in their browser and a relatively small number of them bother to keep the applications patched.
Many users assume that installing the regular patches from Mozilla, Microsoft or Apple for the browsers keeps them safe online. Unfortunately, that’s not even remotely true. Adobe has begun its own quarterly patch update program, a reflection of the growing number of attacks on their applications. The latest version of Adobe Flash Player has been patched three times so far this year, but users who don’t automatically receive Adobe updates might not have any clue that they need to patch Flash or Reader, or any other browser component, for that matter.
If those threats aren’t enough to make you want to stop reading this and shut down your computer immediately, consider some of the research being done by people such as Robert Hansen on advanced browser-based attacks. Hansen is well known for his research on somewhat arcane attacks, and his latest work on DNS rebinding attacks is a perfect example. Here’s just one attack that Hansen has developed to take advantage of the way that browsers handle DNS time-to-live responses and caching.
A lot of people still don’t get that you don’t need to know people’s usernames and/or passwords to get into their accounts. If you can get (or guess) the credential, that’s good enough. What if the credential were a weak cookie like username=bob or id=1234567? It might be extremely trivial to use DNS rebinding to not only get access to read the login page and perform a traditional brute force attack, but if the format of the credential is known (like in a lot of open source projects) it may be easy to brute force that token. So yes, by getting DNS rebinding and by utilizing brute force you can then fix their session to whatever account you just broke into.
And Hansen is one of the good guys. If he’s thinking about these attack vectors, you can bet that the bad guys, who make their living this way, are too. Those and more.