Browser Exploits – Legitimate Web Surfing Turned Death Trap
On January 7th, the Mozilla Foundation disclosed a flaw in Firefox 72 that made it possible for attackers to access computers running the browser. Although few details have been released regarding the vulnerability, we do know that Mozilla released a new version of the browser almost immediately to prevent the flaw from being abused. The development team at Mozilla has additionally urged anyone using the browser to update to the newer version to stay safe.
The flaw that allowed attackers to take over computers running Firefox 72 is called a browser exploit. In this post, we will explore the world of browser exploits and how to prevent them. But first, to get a more complete understanding of browser exploits and how they work, we need to examine exploits in general.
Exploits and Browser Exploits
An exploit is code that takes advantage of unintentional flaws in software. With a powerful exploit, an attacker can access networks, elevate privileges, and move laterally through systems to damage or collect and exfiltrate data and money. Sometimes, exploits come as part of a package, which is referred to as an exploit kit.
What Is a Browser Exploit?
It may sound elementary, but browsers are a computer user’s gateway to the internet. Everyone uses a browser to access the web, whether it’s Chrome, Safari, Firefox, or another choice. The browser then presents users with content, such as web pages, videos, and images.
The development teams behind browsers, such as Google and Mozilla, are constantly working to prevent such scenarios. But as we saw with Firefox 72, all it takes is one bug in the code or one misconfiguration to create a vulnerability that allows attackers to break through a browser’s defenses. And since browsers continuously interact with potentially infected websites and applications on the web, they are constantly in danger.
So, just what can a browser exploit do once it’s on a computer? Attackers use them to harvest user credentials, deliver ransomware, execute malware, install malicious crypto mining software, and elevate privileges.
How Do Attackers Trick You into Visiting Infected Sites?
In order to infect users, attackers first need to lure their victims into performing an action that executes the malicious script. Here are some tricks attackers use to get people to visit websites where their infections are being hosted.
Email Links & Attachments
In this old, yet still prevalent threat, attackers use links and attachments in legitimate-looking emails to infect their victims. The typical attack goes like this: Attackers insert malicious content into otherwise-safe websites or create their own malicious websites. They then send out emails with links or attachments, directing recipients to the infected website. When the victim receives the email and clicks the link or opens the attachment, he or she is directed to the website where the infected payload is remotely installed onto their computer.
Watering Hole Attacks
Watering hole attacks attempt to compromise a specific group of users by studying their surfing habits to see what site they commonly visit. Attackers then find a vulnerability on that specific site, so when their target user visits it, he or she gets infected. This method is often used with high-value targets, such as corporate users or government employees.
Exploit kits are all-in-one, rapidly deployable threats. Although they are far less common than they used to be, they are still a potent attack method. Typically, the attacker finds a site to infect, waits for victims to land there, and then scans the browser, operating system, and software, looking for vulnerabilities. If it finds one, it redirects the victim to the exploit kit’s landing page and delivers the payload.
IE: The King of Vulnerable Browsers
All browsers are vulnerable to browser exploits. The real measure of browser security is how long it takes a development team to respond to and fix vulnerabilities. At the moment, the teams at Chrome and Firefox have the fastest response time. Using one of these browsers doesn’t guarantee your security, but it’s a good start.
And then there is Internet Explorer. Internet Explorer has long been considered one of the riskiest pieces of software out there. But since it was installed by default on all computers running Windows operating systems, most consumers stuck with it, despite its flaws. In fact, until Chrome came along, many consumers didn’t even know that they had a choice in which browser they used.
Even when Internet Explorer was at its prime, it didn’t follow web standards set by the W3C, which forced developers to come up with new and perhaps less-secure ways of getting images and text to display. Then came IE 6, which was chock-full of vulnerabilities that often took Microsoft too long to address and patch. IE 7 was an improvement, but it was still behind other browsers at the time, such as Netscape and Opera.
One Nasty Attack
The vulnerabilities in Internet Explorer have enabled a large portion of the malware and adware on the internet. Some of the discovered vulnerabilities affect all versions of the browser, while some only affect certain versions. Some of the vulnerabilities can affect users even if they merely have Internet Explorer installed on their machines but actually use another browser to browse the internet.
One of the worst recent Internet Explorer exploits was Double Kill (CVE-2018-8174), a remote code execution vulnerability in the Windows VBScript engine. Discovered in May 2018, it uses a “use-after-free” vulnerability with Microsoft Word as an attack vector. The Word files are sent to the user as an email attachment, which then opens Internet Explorer; this causes an executable program to open in the background, which allows Double Kill to take over the victim’s computer.
Though Microsoft released a patch for the vulnerability shortly after it was discovered, Double Kill was considered by many security experts to be the worst exploit of 2018. Chinese researchers suspect that the exploit was part of a state-sponsored, decade-long operation against the Chinese government. Although portions of the exploit seem to be written in Yiddish, of all languages, most experts say this is a not-so-clever red herring and attribute the attack to APT Group APT-C-06, aka Dark Hotel, out of North Korea.
Thanks to the countless threats to security, Microsoft has stated that Internet Explorer should no longer be considered a browser; it should instead be used as “a ‘compatibility solution’ for enterprise customers to deal with legacy sites that should be updated for modern browsers.” In his post, Microsoft’s Lead for Cyber Security, Chris Jackson, pleads with organizations to switch away from the browser, stating: “Internet Explorer is a compatibility solution. We’re not supporting new web standards for it and, while many sites work fine, developers by and large just aren’t testing for Internet Explorer these days.”
And just as work on this very post was wrapping up on January 17th, another Internet Explorer Zero Day (CVE-2020-0674) was discovered. As of now, there is no patch for the exploit and its scope is not yet known. This particular exploit is a remote code execution flaw, which allows infiltrators to get the same level of access as the current logged-in user. So, for example, if the current user is logged in with admin rights, the attacker is able to gain admin rights, too. And although it’s too early to know definitively, some experts are wondering if this attack is somehow connected to the aforementioned Mozilla Firefox 72 attack.
So what is the lesson here? Clearly, lesson number one is to stop using Internet Explorer immediately if you are still using it. Although 8% of organizations are still using it for their older apps, it should be abandoned in favor of one of the many modern browsers available today.
Lesson number two is that all browsers, no matter how security-focused they may be, at some point may fall prey to browser exploits. The key to protecting critical systems from the dangerous zero-days exploits that browsers can introduce is to have a robust endpoint detection solution.