Why is Internet Explorer security such a challenge?

Web browsers such as Microsoft Internet Explorer provide access to a burgeoning wealth of tools for tasks ranging from online investing and banking to using apps and data in the cloud.

But browsers like Internet Explorer (IE) are little more than communications applications -- replete with security oversights and flaws that can be exploited to compromise your data and put enterprise systems at risk. Let's examine the most common flaws of modern Web browsers and consider ways to reduce Internet Explorer security risks.

Basic browser vulnerabilities

So how are modern Web browsers attacked? There are basically three broad angles of attack that seek to compromise the operating system, the browser directly or communications taking place on the network.

Operating systems are typically breached with malware that modifies an OS kernel or component directly, takes advantage of a known security flaw such as a buffer overflow, or inserts itself as an OS background process.

Malware attempts to function through the CPU's privileged (or unrestricted) mode, which allows it to affect the memory or processing of any application. If successful, the malware can read or change the browser memory space -- essentially exposing the browser and its activities.

Next, the browser and its components may be hacked through malware or direct malicious activities. Attacks may focus on compromising the browser's main executable, browser components like Java, or browser plug-ins such as ActiveX. If successful, the browser's activities and communications are exposed to attackers. Both of these approaches can be facilitated through common practices, including sending users to malicious websites or emailing them HTML documents. Simply visiting or opening such content can launch a malware installation.

Finally, the browser's network communication can be intercepted and potentially modified or redirected once packets are outside of the computer. This might occur through network packet-monitoring tools, although the level of knowledge and sophistication required to use such tools makes this attack type rare.

IE attack trends

So how do these attack types take shape with Internet Explorer security? It might seem like every "Patch Tuesday" brings a new fix or tweak for Windows and IE, but regular updates are critical to keep pace with crackers who are determined to subvert Microsoft's complex code base. IE security patches generally address five different vulnerabilities.

Distributed denial-of-service attacks. A DDoS attack generally seeks to make a computer or network node unavailable to its user or users. DDoS attacks can be external -- flooding a network server with so many bogus requests that it cannot respond to legitimate requests.

For IE, DoS attacks are usually launched from malicious websites designed to run malicious code. The malicious code takes advantage of exploits in the browser's code, such as buffer overflows, which trigger errors causing the server to fill disk space or use all memory or processor cycles. This essentially saps the computer's resources and prevents IE from working.

DDoS attacks are perhaps the broadest and most common tool for IE hackers, and a huge percentage of Microsoft patches work to prevent these incidents. Fixes often span several IE versions. For example, Microsoft Security Bulletin MS14-056 addresses 14 reported vulnerabilities in IE 6 through IE 11.

Bypass attacks. A bypass attack is designed to break or circumvent a browser's security features and give attackers more rights on the target system -- even rights equal to those of a user. This can allow attackers to see or download files or perform other malicious actions on the system.

Bypass attacks are usually launched on IE from malicious websites that can trigger code to exploit the vulnerability. For example, MS14-056 includes a fix for one bypass flaw that exposes the address space layout randomization protection mechanism in IE 6 through IE 11.

Privilege attacks. Privilege-escalation attacks can exploit bugs, flaws or poor configurations in Windows or IE to access computer resources that are normally protected or reserved. Once an attack gains more privilege, the software (and attacker) can perform actions on the computer that are unknown and unwanted, such as deleting files, accessing private information or installing malware.

For example, Microsoft Security Bulletin MS14-051 addresses 25 reported vulnerabilities in IE 7 through IE 11 and includes a fix for privilege vulnerabilities. Privilege attacks are usually launched through malicious websites.

Information attacks. Information attacks are a variation of privilege attacks. They launch code from malicious websites designed to expose data on target systems. For example, Microsoft Security Bulletin MS14-035 addresses 58 reported vulnerabilities in IE 8 through IE 11, including one in IE 10 and 11 that could allow an attacker to read files on the local system through a malicious website.

Executable code attacks. Finally, IE attacks may allow malicious websites to run executable code on the system (such as JavaScript) that might expose data or bypass the browser's "sandbox" mode to give attackers access to more rights or data than expected. For example, MS14-035 includes fixes for multiple executable code vulnerabilities in IE 6 through IE 11.

Tips to minimize risk

So what can computer users do to minimize browser risks? Perhaps the most critical tactic for maintaining browser security is to take full advantage of Microsoft's Patch Tuesday and apply security patches for operating systems and browsers as quickly as possible. The longer you wait to apply important fixes, the more time that malware and malicious websites have to wreak havoc -- zero-day attacks are becoming commonplace.

For individual users, this typically requires configuring Windows Update to automatically download and install patches. Enterprise environments may prohibit individual patching and utilize Windows Server Update Services for timely centralized system patching to nodes across the LAN. If it is not practical to keep IE updated regularly, consider using an alternative browser such as Google Chrome.

In addition, employ high-quality antimalware tools running in the background. Modern tools can constantly scan files for the latest malware. They can also watch incoming network traffic patterns to warn against other types of attacks, such as intrusion-detection attacks. Antimalware software relies on current signature files, so it is critical to keep those files updated before each system scan.

Consider minimization tactics like disabling Java scripts or disabling unneeded plug-ins such as ActiveX and Adobe Flash. This will dramatically change the level of interaction that you enjoy with some websites, but it can prevent common attacks that rely on Java and plug-ins.

Another minimization tactic is to browse only from a "least privilege" user account -- without administrator rights -- which can severely limit the potential for privilege-escalation attacks.
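
The tips above on patching, disabling scripting and ActiveX, and browsing without administrator rights can be checked on a workstation with a short read-only audit. This is an added example, not part of the original article; it assumes PowerShell 3.0 or later and reads only the current user's Internet-zone settings, which Group Policy may override.

```powershell
# Added example: read-only audit of three of the tips above for the current user.
# Zone 3 is IE's Internet zone; the numeric names are Microsoft's URL action IDs.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$actions = [ordered]@{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1400' = 'Active scripting'
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
}

function Get-StateName($value) {
    # URL policy values: 0 = enabled, 1 = prompt, 3 = disabled.
    if ($null -eq $value) { return 'Not set (zone default applies)' }
    $names = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
    if ($names.ContainsKey([int]$value)) { return $names[[int]$value] }
    return "Other ($value)"
}

# Minimization: report how each action is configured in the Internet zone.
$zone = Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue
$report = foreach ($id in $actions.Keys) {
    $value = if ($zone) { $zone.$id } else { $null }
    [pscustomobject]@{
        Action  = $id
        Setting = $actions[$id]
        State   = Get-StateName $value
        Review  = ($null -eq $value) -or ($value -eq 0)   # enabled or left at default
    }
}

# Least privilege: is this session running with administrator rights?
# (With UAC, a non-elevated session of an admin account reports False.)
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Patching: most recently installed update that Windows has a date for.
$lastPatch = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1

$report | Format-Table -AutoSize
"Running with administrator rights: $isAdmin"
"Most recent update: $($lastPatch.HotFixID) installed $($lastPatch.InstalledOn)"
```

Rows with Review set to True are settings that are enabled or left at the zone default and are candidates for the minimization tactic described above.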

Patching and security threats exploded with the broad adoption of the Internet in the 1990s, but the threat is even more severe today as corporations and individuals depend on the Internet for mission-critical business tasks. Today's attacks aren't just an annoyance; they can do serious long-term financial and legal damage. This is why a user's security awareness is so important.

No amount of patching and configuration control can stop a user from carelessly opening an HTML email attachment or visiting a questionable website -- effectively making the choice to welcome an attack. User browsing habits must complement a sound security posture in personal and professional settings.
