Tag Archives: NVD

What is the Most Secure Web Browser?

23 September 2018

For some weeks now I am busy with patch strategy and vulnerability management. When new critical vulnerabilities shows up two questions must be addressed:

  1. How fast must we patch the vulnerable systems?
  2. What vulnerabilities must be patched with highest priority? Or mitigated, if a patch is not available in due time.

Speed is the key in cyber security. The faster we find and patch vulnerable systems the greater is the chance that cyber criminals cannot exploit the vulnerabilities.

The exploit is the weapon in cyber warfare. A vulnerability as such increases the potential risk only. Once an exploit is published that can leverage the vulnerability, the vulnerability becomes a real risk. And if the exploit is “in the wild”, i.e. if the exploit is actively used by cyber criminals for attacks, the IT organization is on red alert.

Unfortunately, no one knows when an exploit spreads in the wild. Therefore, the cautious answer to the above questions is:

“The moment an exploit for a critical vulnerability is published it must be patched directly, at least on critical systems. If a patch is not available proper protective measures must be applied to mitigate the risk effectively.”

Browsers are the most critical systems because they are used in a hostile environment. Browsers are very complex applications, thus prone of errors.  Between 2013 and 2017 about 11% of 40671 vulnerabilities in total were found in the 4 major browsers Chrome, Firefox, Internet Explorer and Edge.

Market Share Browsers 2013 - 2017

Market Share Browsers 2013 – 2017. Data source: StatCounter

Browser Vulnerabilities 2013 - 2017

Browser Vulnerabilities 2013 – 2017

It remarkable to see that 67% of all browser vulnerabilities are related to IE, Edge and Firefox although they have only a small market share (11% in 2017).

Exploit publication date relative to CVE publication date

Exploit publication date relative to CVE publication date 2013 – 2017

The graphic above shows the number of exploits that are published within one month before the CVE is published compared to the number of exploits published within one month after the CVE is published.

Except for Chrome and Firefox the majority of exploits is published after the vulnerability is published. Nevertheless, we have to patch immediately on publication of a CVE.

How many exploits spread in the wild? This question is hard to answer. The Symantec attack signatures give a useful indication. “An attack signature is a unique arrangement of information that can be used to identify an attacker’s attempt to exploit a known operating system or application vulnerability.” 

Exploits in the Wild 2013 - 2017

Exploits in the Wild 2013 – 2017

This is an amazing result, isn’t it.

Have a great week!

Data sources

  1. NIST. NVD Database. https://nvd.nist.gov/
  2. Offensive Security. Exploit Database. https://www.exploit-db.com
  3. Andrea Fioraldi. CVE Searchsploit.
    https://github.com/andreafioraldi/cve_searchsploit/tree/master/cve_searchsploit
  4. NIST. EXPLOIT-DB Reference Map. http://cve.mitre.org/data/refs/refmap/source-EXPLOIT-DB.html
  5. Symantec.com. Attack Signatures.  https://www.symantec.com/security_response/attacksignatures/

Software manufacturers have no sense for IT security – Part II

23 October 2014

Sometimes malware protection software works too well. I found some emails with malicious executables, disguised as pdf files, in the attachment in my junk-mail folder. Unfortunately the anti-malware system removed the attachments and replaced them by the filename.

Some weeks ago a new kind of malware that resides solely in the registry was in the news. To implant Poweliks attackers must exploit a vulnerability of the system and, the good faith of the users. Pdf or rtf documents with embedded malicious code are used very often to start the attack.

Just why is the Adobe Reader such a popular tool for attackers?

Adobe Reader is very popular for viewing of pdf documents, and very notorious for its vulnerabilities. The list of known vulnerabilities published in the National Vulnerability Database is really long, and some of them are perfectly suited to implant malware. By the way, Adobe Flash Player is as popular as the Adobe Reader for attackers, and the list of vulnerabilities is of comparable size.

Fortunately advanced security options like a sandbox are available to defend malicious attacks, but these are not activated during a standard installation. Even for enterprise users the standard installation procedure must be pre-configured.

I can’t find a reason why Adobe does not install the Reader with advanced security options enabled by default. Apparently, Adobe is not interested in protecting the privacy and security of their customers.

Fortunately the National Checklist Program Repository provides ‘detailed low level guidance on setting the security configuration of operating systems and applications’.

For Acrobat Reader X a checklist is available which could be easily adapted to the Acrobat Reader XI. Although this checklist is meant for pre-configuring installation packages the configuration hints could be used to secure existing installations as well:

Navigate to menu Edit/Preferences.

In category General section Application Startup activate option Use only certified plug-ins.

In category Security (Enhanced) set the protection options as described below:

Adobe ReaderEnhanced Security Settings

Adobe ReaderEnhanced Security Settings

[1] Enable sandboxing for all files

[2] Enable Enhanced Security

[3] Disable all Privileged Locations.

Although this sounds somewhat paranoid viewing of pdf files is much more secure now. A pdf file is now opened in a sandbox running at the lowest integrity level. Most features are disabled by default, but could be enabled with just one click.

Enjoy!