In Wake Of Attacks, Enterprises Look To Plug Browser Security Hole

For five hours last week, Twitter users were inundated with an avalanche of odd tweets. The messages -- actually snippets of JavaScript -- would execute when a browser user moused over the text. While the lion's share of the tweets were simple pranks, the technique exploited a flaw in Twitter's website that could have allowed malcontents to possibly attack the end user's system.

The vulnerability, known as a cross-site scripting flaw, allowed online miscreants to execute JavaScript code. Even fully patched modern browsers would not have been protected against the attack, according to security experts. The danger comes from emerging features of the Web -- and the ability of users to post content to sites.

The incident underscores that browsing websites, even well-known, "legitimate" sites, has inherent risks, says Michael Sutton, vice president of security research for Web security firm Zscaler.

"If it is not your code, if you did not build it, it is not trusted," Sutton says. "I don't care if it is some partner website, or if it's a social network, or if its some website on the Internet that you know nothing about. They all have to be treated the same; they are all untrusted sites. That is why you need protections in place."

For consumers, experts recommend using two browsers: an up-to-date browser for everyday use and a locked-down browser -- preferably running in a virtual machine -- to go to specific sensitive sites, such as online banks. Mozilla Firefox with the NoScript plug-in is a popular choice. However, most companies would find it difficult to mandate such a policy, let alone enforce it, says Sutton.

Instead, companies should rely on training and education to make their employees more informed about the threats online, experts say. In terms of technology, there are three concrete steps that enterprise IT managers can take. The goal is to gain more control over how Web sites impact the browser, says Mike Dausin, manager of advanced security intelligence for HP TippingPoint.

"The more fine-grained control that you can have over these types of sites, the better off you will be," he says.

First, companies should be using the most up-to-date version of their favored browsers, Sutton says. In its latest survey of corporate Web traffic, nearly a quarter of companies were still using Internet Explorer 6, which is missing critical patches and new security features, such as protections against cross-site scripting.

"Enterprises are much more slow to adopt new browser technology than end users," Sutton says. "That's unfortunate, because a lot of these new browsers have really important security technology."

Patching the browser is also an important security measure. Data from vulnerability management firm Qualys has shown that its clients update their browsers about two weeks after a patch is released. Sooner is better, however.

A second measure that companies can take is to block advertisements, says Jeremiah Grossman, CTO of Web security firm White Hat Security. Attackers frequently attempt to get malicious advertisements, or malverts, onto legitimate sites.

When a browser displays the ads, it could execute code or at least create a fraudulent pop-up that attempts to fool the user into going to another, less legitimate, site, experts observe. Perhaps the most high-profile case occurred a year ago, when The New York Times allowed malicious Flash ads on its site.

"I don't think there's any upside for a corporation to allow ads -- they take up employee time, burn bandwidth, and represent risk," Grossman says.

Finally, companies can use Web security services to block bad sites or to detect bad content on the fly. Services such as OpenDNS can block users or groups of users from going to certain types of sites or being redirected to known bad sites.

However, the real problems are the well-known sites that have been compromised in some way, Zscaler's Sutton stresses. For those cases, content inspection is necessary. Intrusion prevention systems can protect against attacks in most forms of network traffic. Other services, such as Zscaler's service, focus on the most popular types of communications, such as Web and e-mail.

"It is not the evil sites, it is the good sites," he says. "It's when the good sites have become infected or are being leveraged, as in the Twitter case."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.