Want CNET to notify you of price drops and the latest stories?

A safe browser? No longer in the lexicon

CERT security analyst Art Manion warns that all Web browsers now face similar threats--and some even share similar design features.

4 min read
In November 2003, the CERT Coordination Center first advised Web users to consider using a Web browser other than Microsoft Internet Explorer.

IE's problems at the time were pervasive, and many of them were rooted in its complicated architecture. Vulnerabilities in IE were being reported almost monthly, and users faced risk until Microsoft released updates.

By June 2004, attackers had started targeting IE. Exploits appeared "in the wild" on Web sites that installed malicious software on visitors' computers. This trend culminated in a "zero day" IE vulnerability, disclosed in an attack where malicious software captured information typed into bank Web sites, giving attackers access to victims' accounts.

Since then, there have been two developments. First, Microsoft released security enhancements in its Windows XP Service Pack 2. Second, attackers have begun to exploit vulnerabilities similar to IE's in alternative browsers.

Service Pack 2 makes important security improvements to IE. Though IE's architecture stays fundamentally the same, these improvements go beyond updates that address only one vulnerability at a time. In some instances, SP2 improvements favor security over functionality. Two of the most important improvements are the lockdown of the Local Machine zone and improved restrictions for "chromeless" windows.

Attackers have begun to exploit vulnerabilities similar to IE's in alternative browsers.

Local Machine zone lockdown almost eliminates the ability of Web pages in the Local Machine zone to run scripts. That introduces a defense against cross-domain scripting vulnerabilities, which result from a failure to determine the source of a script. It is crucial for a Web browser to isolate scripts from different domains. For example, scripts from www.cert.org should not be able to access data from www.cnet.com. Nor should a browser treat scripts from a remote Web site as originating on the local computer.

With IE, scripts in the Local Machine zone have much greater privileges than in the Internet zone; an attacker's Web page in the Local Machine zone could download and run programs of the attacker's choosing. Local Machine zone lockdown limits the actions an attacker can take, making it difficult for an attacker to run malicious programs.

"Chrome" is what makes a window look like a window: a border, an address bar, navigation buttons and so on. IE, like some other browsers, allows Web site developers (and attackers) to create windows without chrome. Before SP2, attackers could create deceptive chromeless windows that cover important elements such as the address bar, the security padlock icon, or even the Windows Start menu. This functionality made it easy to mislead users by making a spoofed Web site appear legitimate.

Other browsers, similar threats
All Web browsers face similar threats, and some share similar design features. IE is essentially a wrapper program around two Windows components: the Web browser ActiveX control that handles browser windows and navigation, and the MSHTML rendering engine that displays HTML and runs scripts. Outlook and Outlook Express use MSHTML.

Similarly, Apple Computer's Safari browser is based on an operating system component called Web Kit. The Mozilla Foundation's Web browsers, including the Mozilla suite and Firefox, use the Gecko Runtime Environment, or GRE. A vulnerability in any of these components could affect not only the Web browser but also any other programs using the component parts.

Like the IE Local Machine zone, Mozilla browsers have the concept of chrome scripts. If Mozilla incorrectly determines that an attacker's script from a remote Web site should be treated as a chrome script, the attacker can perform any action the user can, including downloading and running programs.

Attackers are paying attention. Some recent attacks target both IE and Mozilla-based browsers. Another uses an ActiveX control installed by Microsoft Office, again illustrating the dangers of tightly integrating the browser with the operating system (through shared ActiveX technology).

Safe browsing
There is no silver bullet, no such thing as 100 percent secure. Security requires a balance between functionality and cost, and relies on concepts of trust and risk tolerance. With this in mind, here are some recommendations for safe Web browsing.

•  Keep your browser updated. Windows (IE), Mozilla/Firefox, and Apple (Safari) all can be updated automatically.

•  Use caution on the Web. Don't enter sensitive information like passwords or account numbers on any Web site that doesn't use HTTPS to authenticate the site and encrypt information. Don't click on links in e-mail messages. When you visit a sensitive Web site, type the URL into the browser address bar, or use a bookmark you created after typing in the URL. If a browser window looks right but does not have an HTTPS connection, do not enter any information into that window.

•  Consider changing your browser configuration. Disabling scripts can make browsing much safer, but also less functional or enjoyable. In IE, consider locking down the Internet zone and putting regularly used Web sites in the Trusted sites zone.