While there may be no definitive answers to those questions, one certainty remains: web browsers have become the vector of choice for malicious attackers.
They have become the prime targets in the so-called cyberwar now waging between consumers and enterprises on one side and the “bad” guys (whether they're members of the Russian Business Network or more loosely organized criminal syndicates) on the other. As such, their security — the real or the perceived lack thereof — is a critical issue to enterprises, as well as typical end-users.
Just how secure are the browsers we use? That depends on who you ask.
Not surprisingly, neither Microsoft's Internet Explorer (IE) nor the Mozilla Foundation's Firefox is free of security vulnerabilities, according to the security researchers at Symantec.
A decline in IE flaws can be attributed to the fact that the number of vulnerabilities in other browsers went up, says Zulfikar Ramzan, a principal researcher with Symantec's security response unit. He says that Safari, Apple's browser for its Mac OS X operating system, became a larger target, with only four attacks reported in the last half of 2006, but 25 in the first half of 2007.
The Opera browser's vulnerability numbers shifted slightly upward as well, climbing from four to seven.
Security enhancements to IE also have helped, notes Roger Thompson, the chief technology officer at Exploit Prevention Labs. “Internet Explorer 7 is actually a pretty secure browser, about the same as Firefox,” he believes. He also claims that Opera is more secure than Firefox.
That decrease in IE vulnerabilities could be related to market share, Ramzan speculates. IE's share of the browser market declined from 81 percent to 78 percent from November 2006 to October 2007, while Firefox, Safari and Opera have all seen increases — Firefox's from 13 percent to 15 percent, Safari from four percent to five percent, and Opera from 0.7 percent to one percent, according to Net Applications, which tracks browser market share.
“The attackers are very profit-motivated,” Ramzan adds. “And they want an exploit to reach a large number of potential victims, so if a particular browser becomes more popular, we notice more vulnerabilities because more people are trying to find them.”
It could be argued — when comparing market share numbers with the number of vulnerabilities — that IE is actually more secure than the other web browsers currently available.
“Microsoft has to balance the needs of the market versus security,” says Peter Christy, a principal analyst with the Internet Research Group, a market consultancy. They do as well or better than anyone else, he adds.
“When I listen to security experts commenting on the intrinsic security of Microsoft's products, Microsoft gets high marks,” Christy says. “All of Microsoft's products have gone through a full security development lifecycle, and we see significantly more resilience against attack.”
But others feel this isn't a competition. “It shouldn't be Firefox versus IE,” says Pete Lindstrom, a senior analyst with the Burton Group. That's because both browsers have been hit with a slew of vulnerabilities in the past two years, he adds.
For its part, Microsoft responded to SC Magazine's request for comment with a prepared statement mentioning, among other issues, IE 7's new “protected mode” of operation when running on top of Windows Vista, its new operating system. “IE 7 runs in isolation from other applications in the operating system,” the company said. “Exploits and malicious software are restricted from writing to any location beyond temporary internet files without explicit user consent.”
Like night and day
A key issue in the browser war is comparing Microsoft's product development techniques to those of the Mozilla Foundation. They're like night and day.
Mozilla relies on open source methods. The Microsoft way, of course, is a totally closed development environment typical of major commercial software vendors.
The methodologies play a key role in the leading browsers' security posture, according to those on both sides.
Window Snyder, CSO at Mozilla, is, quite naturally, a firm believer in the open source community's “20,000 eyes” style of product development. “We have 20,000 people on any given night, and they test [security patches] on 20,000 different machines,” she says.
This greatly expands the “breadth of testing” on Firefox, she says. Automated testing in a lab can't begin to match the quality of the people testing Firefox in the real world, she says.
It also means that when vulnerabilities are found Mozilla delivers fixes quicker than Microsoft, Snyder says. “It allows us to get a lot of testing done in a short period of time, and we can get security updates out right away. We don't have to wait for a specific day, such as Microsoft's monthly round of Patch Tuesday fixes.”
The “many eyes” process
Christy agrees that the “many eyes” process is a positive feature. But, on the other side, he questions how Mozilla controls procedures. “My guess is that the Mozilla engineering process is less structured than Microsoft's, which has dramatically changed the process by which it develops software,” he says. “When I talk to security experts, they tell me that what Microsoft is doing to build secure products now represents best practices.”
Still, the complicated ecology of browser applications and the web is not under the control of Microsoft, Christy points out. There's a whole cluster of things that people use in conjunction with browsers and they must be secure too, he believes.
As Lindstrom points out, application plug-ins, such as Flash, ActiveX controls and JavaScript, have become browser attack points. “The less complex the software, the more secure it is,” he says.
The extensibility of browsers adds to the attack surface and complexity with more opportunity to break things within web browsers, he says. “This is the tradeoff between flexibility in development and running applications securely.”
Brian Chess, the co-founder and chief scientist at application security company Fortify Software, takes the ecology issue a step further. He says that many of the underlying web standards have created many browser-related security problems.
“Writing a secure application for the web is really tough,” he says. “Why? Because of the standards for browsers.”
As an example, he points to the same-origin policy. This policy, which dates back to Netscape Navigator 2.0, prevents a document or script loaded from one origin from getting or setting properties of a document from a different origin. It essentially assumes that it is not safe to trust content loaded from any website.
“It says that a piece of JavaScript can look at web pages only from the same domain,” Chess explains. That becomes a security issue when developing mashups, such as combining Google Maps with an overlay. The developer has to work around the security mechanism built into browsers, so developers bypass things they don't like and create security problems, Chess says. He also believes cross-site scripting could be prevented by forward-looking standards development.
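The same-origin rule Chess describes is a comparison of three URL components. The following is an added example, not code from the article or from any browser: a small model of the origin check, in which two URLs share an origin only when scheme, host and port all match, and a script in one document may touch another document's properties only on a match. The helper names (originOf, sameOrigin, checkAccess) and the sample URLs are this example's own.

```javascript
// Added example: a minimal model of the same-origin policy.
// Two URLs share an origin only when scheme, host and port all agree;
// any mismatch is a cross-origin access that the browser refuses.

// Default ports per scheme, so "https://a.example" equals "https://a.example:443".
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to its (scheme, host, port) origin triple.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname, port };
}

// True when a script loaded from urlA may read or set properties of urlB.
function sameOrigin(urlA, urlB) {
  const a = originOf(urlA);
  const b = originOf(urlB);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Same decision, but report which components differ so a developer can see
// why a mashup (e.g. a script on app.example.com reading a frame from
// api.example.com) is blocked rather than working around the policy.
function checkAccess(documentUrl, targetUrl) {
  const a = originOf(documentUrl);
  const b = originOf(targetUrl);
  const mismatches = [];
  if (a.scheme !== b.scheme) mismatches.push("scheme");
  if (a.host !== b.host) mismatches.push("host");
  if (a.port !== b.port) mismatches.push("port");
  return { allowed: mismatches.length === 0, mismatches };
}

// Constructed cases: default port spelled out, scheme change, subdomain, custom port.
const CASES = [
  ["https://maps.example.com/page", "https://maps.example.com:443/api"],
  ["https://app.example.com/", "http://app.example.com/"],
  ["https://app.example.com/", "https://api.example.com/"],
  ["https://app.example.com/", "https://app.example.com:8443/"],
];

for (const [doc, target] of CASES) {
  const r = checkAccess(doc, target);
  console.log(doc, "->", target, r.allowed ? "allowed" : "blocked on " + r.mismatches.join(","));
}
```

Note that the path does not take part in the decision: two pages anywhere under the same scheme, host and port are one origin, while a different subdomain or a different port is already a separate origin.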
Another example Chess points to is session management, a capability that permits, among other things, logging into and out of websites, particularly those offering premium content.
“Browsers don't have support for the idea of a session for authentication,” Chess explains. That puts the burden on the web application developer.
“People get that wrong all the time,” he says. “They do it in an insecure fashion by generating session identifiers that are easy to guess, and that allows an attacker to take over a session.”
One more issue is cross-site request forgeries, which re-direct website visitors to malicious sites rather than to the legitimate site. “It's a problem browsers could fix,” Chess says.
His cure for these browser ailments: The Mozilla Foundation, which, he claims, controls a not insignificant chunk of the browser market, and the Apache web server organization, which controls a not insignificant chunk of the web servers, should get together with Microsoft.
Then, Chess says, they could create more security protocols and make it easy for web developers to create great and secure applications.
TIGHTENING SECURITY:
A 'zero footprint' browser
A British company is betting that browser users — particularly those in enterprises — will pay for airtight security when they search the web. The company, EISST (Enterprise Information Security Systems & Technologies), recently released what it calls a “zero footprint” browser that it claims provides a significantly enhanced security profile compared with Firefox and Internet Explorer.
The London-based company's e-Capsule Private Browser offers three key security features lacking in the others now available, according to John Elsh, a sales and marketing manager with EISST. It not only stores all of a user's temporary internet data in an encrypted file with block level AES256 encryption, it provides anonymous browsing with “onion routing,” while also running as a portable “zero footprint” application that does not integrate with the underlying operating system.
Encrypting what EISST calls the profile file is important because “there's no way your navigation experience can be exposed to third parties, or even the operating system,” says Elsh. “We encrypt everything you save online — cookies, browsing history, even your cache.”
Users gain access to the profile via a 256-character encrypted pass code, which can contain spaces and special characters. “This makes it easier to remember and tougher to break than standard passwords,” Elsh says.
With the other browsers, he says, “if I gain access to your Windows password, I have access to your browsing environment, and I know everything you did while online.”
The second layer of security, onion routing, enables browser users to hide their identity to servers on the internet. Onion routing, which is based on open source code, relies on a series of proxy servers (“onion routers”), which encrypt and route web server traffic in an unpredictable path.
The end result of onion routing is that web servers see the IP address of only the last visited onion router, not the address of the original browser user. (These proxy servers are generally operated by individuals.)
Finally, the e-Capsule Private Browser does not register itself with the Windows registry, says Elsh. It does not use any system resources, and it's not using system libraries or the registry, he says.
This screens it from any operating system vulnerabilities and the operating system does not have an entry point into the browser, he explains.
Like many other non-IE browsers, including the social browser Flock, the e-Capsule Private Browser relies on Mozilla's Gecko rendering engine. That means the user experience is very similar to using a normal browser, says Elsh.
With Firefox, Internet Explorer and Opera all free, the only question that remains is whether users will pay $20 for EISST's product.
“Encryption is easy to do,” Elsh admits, noting that there are extensions for Firefox and IE that add this capability.
“The problem is after encrypting, how do you manage it?”
EISST believes its integrated approach to encrypting data is the answer.
— Jim Carr