Browser-based attacks attributed to the HangUp Russian hacking group concern CSOs

Exploitation is bad. And when a popular business application turns into a big security risk, you have a problem. Many CSOs found themselves weighing that issue in June, when reports surfaced of Web-based attacks exploiting holes in the Internet Explorer (IE) browser.

The sophisticated attacks, believed to be the work of a Russian hacking group called the HangUp Team, compromised the machines of unwitting Web surfers. First, a recently patched buffer overflow vulnerability in Microsoft’s implementation of SSL was most likely used to compromise vulnerable Windows 2000 systems running Internet Information Services (IIS), Microsoft’s Web server. Attackers changed a configuration setting called the “enable document footer” feature, which is used to append files to webpages. In this attack, malicious JavaScript initiated a silent download and install of two Trojan horse programs, says Ken Dunham, director of malicious code at iDefense, a security intelligence company. A combination of holes in Internet Explorer, one patched by Microsoft at the time and one that was not, was exploited.

Many of the websites serving the malicious code were quickly patched or mitigated. Also, Microsoft acted within days, pushing out a Windows configuration change. However, the attacks raised serious questions about the IE Web browser.

US-CERT added to the controversy swirling around IE by suggesting that users might consider switching to another Web browser. WebSideStory, which monitors Web surfing behavior, saw a 1 percent decrease in the use of Internet Explorer through June, according to Geoff Johnston, an analyst at WebSideStory.

But switching browsers isn’t convenient. Switchers lose bookmarks for favorite websites and cookies that hold passwords and preferences for websites. On the upside: “It’s good for the Internet and the Web if we can get Microsoft to think about security more,” Hofmann says.