Making Browsers Hard Targets
By Mike Rothman
Check out this great secure browser guide from the folks at Stach and Liu. The blog post is OK, but the PDF guide is comprehensive and awesome. Here is the intro:
Sometimes conventional wisdom lets us down. Recently some big names have been in the headlines: Apple, Facebook, Microsoft. They all got owned, and they got owned in similar ways:
- Specially-crafted malware was targeted at employee computers, not servers.
- The malware was injected via a browser, most often using malicious Java applets.
- The Java applets exploited previously unknown “0day” vulnerabilities in the Java VM.
- The Internet browser was the vector of choice in all cases.
And an even better summary of what it tells us:
- Patching doesn’t help: It goes without saying that there are no security patches for 0day.
- Anti-virus won’t work: It was custom malware. There are no AV signatures.
- No attachments to open: Attacks are triggered by simply visiting a web page.
- No shady websites required: Attacks are launched from “trusted” advertising networks embedded within the websites you visit.
And the kill shot: “We need to lock down our browsers.” Just in case you figured using Chrome on a Mac made you safe…
The PDF guide goes through a very detailed approach to reducing your attack surface, sandboxing your browser and other critical apps, and changing your browser habits.
Funny enough, they demonstrate locking down the Mac Gatekeeper functionality to limit the apps that can be installed on your device. And the software they suggest is Little Snitch, an awesome outbound firewall product I use religiously. They didn’t mention that as another means to secure your browser, but I get some peace of mind from using single-purpose apps (built with Fluid) for sensitive sites, and locking down the outbound traffic allowed to each app with Little Snitch.
This level of diligence isn’t for everyone. But if you want to be secure against the kinds of attacks we see targeted at browsers, which don’t require any user activity to run, you’ll do it.
Photo credit: “Target” originally uploaded by Chris Murphy
First, thanks for an excellent resource. This blog is a great community service!
After a decade in anti-spam research, I recently started working on web security so I’ve been getting up to speed on browser vulnerabilities and mitigation.
I see a growing consensus that the browser does too many things in the same place (Authentication, name resolution, HTML rendering, script execution, display management, device management, etc).
Am I correct to observe that most of the emerging strategies involve separating these layers?
The challenge seems to be how to dissociate the components of a browser *and yet* coordinate their operation so that the user experience doesn’t suffer.
I would be curious if there are any reviews or studies of the various approaches to this problem.
By Blaise Pabon