Tag Archives: Internet Explorer

What is the Most Secure Web Browser?

23 September 2018

For some weeks now I am busy with patch strategy and vulnerability management. When new critical vulnerabilities shows up two questions must be addressed:

  1. How fast must we patch the vulnerable systems?
  2. What vulnerabilities must be patched with highest priority? Or mitigated, if a patch is not available in due time.

Speed is the key in cyber security. The faster we find and patch vulnerable systems the greater is the chance that cyber criminals cannot exploit the vulnerabilities.

The exploit is the weapon in cyber warfare. A vulnerability as such increases the potential risk only. Once an exploit is published that can leverage the vulnerability, the vulnerability becomes a real risk. And if the exploit is “in the wild”, i.e. if the exploit is actively used by cyber criminals for attacks, the IT organization is on red alert.

Unfortunately, no one knows when an exploit spreads in the wild. Therefore, the cautious answer to the above questions is:

“The moment an exploit for a critical vulnerability is published it must be patched directly, at least on critical systems. If a patch is not available proper protective measures must be applied to mitigate the risk effectively.”

Browsers are the most critical systems because they are used in a hostile environment. Browsers are very complex applications, thus prone of errors.  Between 2013 and 2017 about 11% of 40671 vulnerabilities in total were found in the 4 major browsers Chrome, Firefox, Internet Explorer and Edge.

Market Share Browsers 2013 - 2017

Market Share Browsers 2013 – 2017. Data source: StatCounter

Browser Vulnerabilities 2013 - 2017

Browser Vulnerabilities 2013 – 2017

It remarkable to see that 67% of all browser vulnerabilities are related to IE, Edge and Firefox although they have only a small market share (11% in 2017).

Exploit publication date relative to CVE publication date

Exploit publication date relative to CVE publication date 2013 – 2017

The graphic above shows the number of exploits that are published within one month before the CVE is published compared to the number of exploits published within one month after the CVE is published.

Except for Chrome and Firefox the majority of exploits is published after the vulnerability is published. Nevertheless, we have to patch immediately on publication of a CVE.

How many exploits spread in the wild? This question is hard to answer. The Symantec attack signatures give a useful indication. “An attack signature is a unique arrangement of information that can be used to identify an attacker’s attempt to exploit a known operating system or application vulnerability.” 

Exploits in the Wild 2013 - 2017

Exploits in the Wild 2013 – 2017

This is an amazing result, isn’t it.

Have a great week!

Data sources

  1. NIST. NVD Database. https://nvd.nist.gov/
  2. Offensive Security. Exploit Database. https://www.exploit-db.com
  3. Andrea Fioraldi. CVE Searchsploit.
    https://github.com/andreafioraldi/cve_searchsploit/tree/master/cve_searchsploit
  4. NIST. EXPLOIT-DB Reference Map. http://cve.mitre.org/data/refs/refmap/source-EXPLOIT-DB.html
  5. Symantec.com. Attack Signatures.  https://www.symantec.com/security_response/attacksignatures/

Marco viruses on the rise – The Sleeping Beauty slumber is over

28 February 2015

For some month reports about macro viruses are constantly appearing in the IT press. Although the latest report, ‘Macro viruses reemerge in Word, Excel files’, published by Michael Heller on the TechTarget platform SearchSecurity at 24 February 2015, could make us feel somewhat insecure, there is in my opinion no reason to panic.

From the statistics created by security firm Kaspersky, we see that attackers used Microsoft Office in 1% of all cases for the distribution of exploits in 2014. In total Kaspersky products detected and neutralized 6.167,233,068 cyber-attacks in 2014. This means that Word or Excel were used in 61,763,330 cyber-attacks, 2.3 times more than in 2013.

Sounds anything but dangerous. Moreover, we are better prepared than 15 years ago, when macro viruses were most popular. Many protection measures are common sense, but sometimes it’s good to recap.

With that, I suggest:

  1. Please make sure that your anti-malware program is always up-to-date.
  2. Configure Macro Settings in Microsoft Office Trust Center. Choose ‘Disable all macros with notification’ as default:

    Disable Macros With Warnings Settings in Trust Center

    ‘Disable all Macros With Notifications’ in Trust Center

  3. Use Windows Update to keep Microsoft Office and Windows up-to-date with the latest patches.
  4. On 64 bit Windows please activate ‘enhanced Protection Mode’ in Internet Explorer. This will force Windows to run Internet Explorer in Container Mode at low integrity level. In addition, please download all files to the default download location.
  5. Enable SmartScreen Technology in Internet Explorer. Malicious files are downloaded from malicious sites. SmartScreen Technology supports you by blocking downloads from known malicious sites.
  6. Try working with standard user rights. This limits the impact of an attack to the operating system
  7. The last and perhaps the most important rule: Think twice before you click on a word or excel file stored in an untrusted site. As a rule of thumb the entire Internet is an untrusted site, and of course all email attachments.

There’s really no need to panic. Macro viruses are no rocket science. The available protection measures are enough to deal with this old stuff.

Have a good weekend!

How to mitigate Drive-by-Downloads Attacks

24 January 2014

Bad news for Adobe Flash Player users. A new critical vulnerability (CVE-2015-0311) was found in Adobe Flash Player 16.0.0.28… Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.

In the Adobe Security Bulletin we read ‘We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8 and below.’

Drive-by-download (DbD) attacks are a often used technology to exploit vulnerabilities in programs. In his post ‘How malware works: Anatomy of a drive-by download web attack’ John Zorabedian from SOPHOS gives a detailed description about how DbD attacks work.

The shocking fact is: It’s not even necessary to click a link on the malicious site. If you just load the site the malware download could start, automatically and silently in the background.

The good news is that we could almost completely deactivate this feature, namely without considerable comfort loss. The Security Technical Implementation Guide (STIG) for Internet Explorer 11 shows the direction.

STIG’s are primarily used to secure the information systems of the Departments of Defense, but this should not deter us from using STIGs to secure our systems at home, and of course in our businesses.

STIGs are available from http://www.stigviewer.com/stigs for operating systems, web servers, databases or applications. They are an excellent means to secure the devices that are connected to the internet against malicious attacks. But, be aware that 100% safety could not be achieved.

Applying STIGs to Microsoft operating systems and applications is very easy if you are familiar with the registry editor regedit.exe and the local group policy editor gpedit.msc. Since only standard windows security options are used the recommended settings could be applied to all computers.

Back to the Drive-by-Download attacks. To prevent DbD attacks we have to configure Internet Explorer such that downloads not consented by the user are blocked. Sound’s easy, doesn’t it? We have just to work through the STIG for Internet Explorer 11 and implement the relevant fixes:

Step 1: Block non user-initiated file downloads

The DoD requirements block unconsented downloads from the Restricted Sites Zone and the Internet Zone. Since I would not trust computers in local networks as well I would strongly recommend to block unconsented downloads from all zones.

Implement at least Fixes from Finding Ids V-46705 and V-46643

Step 2: Block non user-initiated file downloads for Internet Explorer Processes

Implement Fixes from Finding IDs V-46779 and V-46781

Step 3: Enforce Protected Mode

Protected Mode protects Internet Explorer from exploited vulnerabilities by reducing the locations Internet Explorer can write to in the registry and the file system. I would recommend to enforce protected mode for all zones.

Implement at least Fixes from Finding IDs V-46685 and V-46681

Step 4: Enforce Enhanced Protected Mode on 64 bit Windows Systems

Implement Fix from Finding ID V-46987

That’s it for today. Please keep in mind that 100% safety could not be achieved, even if you implement the 155 fixes from the IE11 STIG.

Don’t Panic! And have a good weekend.

Why is Internet Explorer security such a challenge? More tips to minimize the risk

29 November 2014

In his Report ‘Why is Internet Explorer security such a challenge?‘ Stephen Bigelow talks about Internet Explorer (IE) security and attack trends. In section ‘Tips to minimize the risk’ he introduces the standard mitigation measures.

In addition, IE 11 and Windows 8 provide security functions which can be activated or adjusted to make Internet use less risky:

1. Set User Account Control (UAC) to ‘Always notify me’

With UAC set to ‘Always notify me’ you will be notified if malicious code which is executed in Internet Explorer tries to install software or tries to make changes to your computer.

2. Activate SmartScreen Filtering to reduce the risk of phishing attacks

SmartScreen Filtering was introduced with IE8 and was integrated in the OS with Windows 8. SmartScreen Filtering checks web sites and files, after you clicked on the link, against a list of harmful sites and blocks downloads from these sites.

If the SmartScreen Filter blocks a malicious site you will get an error message like

SmartScreen Filter Error Message

SmartScreen Filter Error Message

To activate SmartScreen Filtering check Enable SmartScreen Filter in the IE Advanced Security Options.

3. Activate Enhanced Protection Mode (EPM) in the Internet Explorer Advanced Security Options

With EPM activated IE runs in an AppContainer at low integrity level. Write access to resources at medium or high integrity level, e.g. Windows system resources, is blocked.

4. Try to work without administrative rights

From my point of view this is the most important advice at all. Without administrative privileges it is very unlikely that malicious code executed by Internet Explorer could attack the operating system because this is blocked by the User Account Control (UAC) in Windows.

Even if you activate only SmartScreen Filtering and EPM, Internet use will become less risky.

Moon over Wangalm, Austria. 47°22'54.1"N 11°06'35.4"E

Moon over Wangalm, Austria. 47°22’54.1″N 11°06’35.4″E

Have a nice weekend.

A brief introduction to Trusteer Apex Advanced Malware Protection

18 October 2014

The Trusteer approach to malware protection could be ground-breaking in the defence of zero-day exploits and phishing attacks.

Trusteer analysed millions of applications exposed to the Internet and created lists of valid application states and operations in a database.

For example, saving a web page to OneNote is a legitimate operation when it’s run from a process created by the user. In this case the Windows Explorer is the so-called parent process. If this operation is performed by an internet explorer process that has no valid parent process, it is very likely that a malicious operation is executed.

A watchdog process is monitoring the applications exposed to the Internet. If an application executes a sensitive operation the watchdog process checks its database and approves the operations if it’s valid. Invalid operations are rejected.

Brilliant idea! A watchdog process that checks the state of an application. I would appreciate it to get this for my windows phone. The ‘Here Drive+’ app hangs sometimes, in particular in foreign cities when you need it the most. A watchdog process could check the state and restart the process in such cases. This would be very helpful.

For more details about Trusteer Apex see the Trusteer Apex Product Flyer.

Unfortunately there are some minor flaws.

Trusteer Apex monitors only applications exposed to the Internet like Browsers, Java applets, Flash player or Office applications. Although the technology could also be used for protection against traditional malware like computer viruses, the product does not support this.

This means that Trusteer Apex is only useful in addition to traditional security products like an antivirus product.

Remember that every additional product increases the attack surface of your computer or network. It is not only the continuous patching to mitigate known vulnerabilities. Trusteer Apex receives e.g. application state updates across the internet, which could be tampered by an attacker. Moreover, the Trusteer computer scientists get their raw data from millions of computers operating in untrusted networks. If an attacker tampers some raw data and masks malicious states as valid, the entire installed base could be tampered.

This is the first signs of paranoia. I’m doing definitely too much threat modelling at the moment. But remind the words of Sigmund Freud:

‘The paranoid is never entirely mistaken.’

Just think of the impact of an attack against the master pattern database of a well-known provider of anti-malware software…

Don’t Panic!!

Word of the day: Malvertisement

2 October 2014

Lots of exiting news at the moment. The Bash Shellshock bug would be surely worth a post. But the Word of the Day from 30 September, Malvertisement, is such terrifying, that I decided to write about this today.

What makes Malvertisement particularly dangerous is that almost every website with advertisements could be potentially dangerous. In addition, the way your computer will be hijacked, is based on standard internet technology like pop-up Windows.

‘Malvertising is becoming so prevalent that many security experts recommend that users block all pop-up ads and create an application whitelist that will only allow their computer to run programs that have been positively approved.’ Ok, this sounds like a plan, but application whitelisting is a hard job, in particular for home users.

Using Internet Explorer 11 on Windows 8.1 in kiosk mode will mitigate the risk somewhat because Internet Explorer runs in an isolated AppContainer at the lowest integrity level. Although the handling of Internet Explorer on a laptop with Windows 8.1 is a little getting used to, the additional security delivered by the AppContainer technology makes the change easy for me.

For advanced security requirements the usage of micro virtualization technology makes sense. Micro virtualization systems can isolate applications from each other as well as from the operating system.

Don’t panic! Have a good day.

The neverending local administrative rights story

19 July 2014

Last week I discussed IT security related topics with the computational biology systems group. It’s hard to believe, but most of the scientist work with Linux, most of the time with a bare bash (Bourne-again shell).

What surprised me was that no scientist works with permanent super user rights. Everyone works with a standard user account, but has the option to switch context with SUDO if necessary. Very impressive!

‘Way of working’ is an essential part of every security strategy. Sometimes large security gains could be achieved with small changes to the way of working, at a fraction of the cost of technology based measures.

With Windows users I have endless discussions about the pros and cons of working with permanent administrative rights. There are good reasons for working this way, but as a result, we create a security hole from the size of a barn door that may compromise all other security measures.

On 26 April 2014 Microsoft informed in ‘Microsoft Security Advisory 2963983’ about a critical vulnerability in Internet explorer. In ‘Security Bulletin MS14-021 – Critical’,  published on 1 May 2014, we find some details about the vulnerability and the best reason to end this discussion once and for all:

‘An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.’

Bingo!

Waiving permanent administrative rights must not have serious disadvantages for user productivity. Microsoft implemented a technology similar to SUOD with Windows Vista.

Windows User Account Control (UAC) allows standard users to execute functions where administrative rights are required. If this is the case, UAC prompts for administrative privileges before executing the command.

The solution in just 3 steps:

  1. Communicate the new policy and new way of working to users with local admin rights
  2. Create a local account Useridloc and add account Useridloc to local administrators group
  3. Remove account Userid from the local administrators Group

When UAC requests administrative privileges the user inputs the credentials of Useridloc.

Please note: Since users can re-assign themselves to the local administrators group please audit compliance with the policy.

By the way, if Useridloc is used with runas (the windows command for SUDO), commands could be executed directly with administrative rights.

Welcome back to the comfort zone!