Wilders Security Forums  

  #1  
Old May 5th, 2012, 11:15 PM
CloneRanger CloneRanger is offline
Massive Poster
 
Join Date: Jan 2006
Location: Home usually
Posts: 3,848
Question Infected via Browser vulns/bugs ?

We keep getting advised to update our browsers to the latest versions, & numerous vulns/bugs have been discovered for all of them over the years. But have you ever, or know anybody, or heard of, even one person who has been infected due to any of them ?

In over 8 years of surfing to hundreds of malware infected www's, it's never happened to me once !

By the way, i am NOT talking about Java/PDF/ActiveX/Scripting etc etc exploits. Only via browser vulns/bugs.
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air
  #2  
Old May 5th, 2012, 11:31 PM
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: Infected via Browser vulns/bugs ?

Browsers are pretty much at the forefront of security, all of them patch pretty quickly and they have such a low market share compared to plugins that they don't often get attacked.

Back in IE5/6 days when it had a large amount of market share and terrible security it was attacked all the time.

They're much harder to attack (due to quick patching and making use of DEP/ASLR) than their plugins.
__________________
  #3  
Old May 6th, 2012, 04:26 AM
tomazyk tomazyk is offline
Frequent Poster
 
Join Date: Dec 2006
Location: Slovenia
Posts: 601
Default Re: Infected via Browser vulns/bugs ?

Quote:
Originally Posted by CloneRanger
But have you ever, or know anybody, or heard of, even one person who has been infected due to any of them ?


Not to my knowledge. I have never come across an infection that would use a browser exploit as an attack vector. Usually users "install" malware themselves. Still, I believe updating browsers is a must.
__________________
ESET Nod32 AV • Sandboxie • EMET • OpenDNS
My security setup in detail
• Always remember you're unique, just like everyone else •

  #4  
Old May 6th, 2012, 05:42 AM
Cudni Cudni is offline
Global Moderator
 
Join Date: May 2009
Location: Somethingshire
Posts: 6,944
Default Re: Infected via Browser vulns/bugs ?

It would depend, I think, on how deep somebody is immersed in dealing with malware and analysing it. To a casual fighter it boils down to: there is malware, remove it; block it so in future; good luck; next....
__________________
once we only had ideals, today they are the only things we are missing
Microsoft MVP, 2006 - 2013/14
  #5  
Old May 6th, 2012, 09:41 PM
CloneRanger CloneRanger is offline
Massive Poster
 
Join Date: Jan 2006
Location: Home usually
Posts: 3,848
Default Re: Infected via Browser vulns/bugs ?

Thanks for the replies

I find it both interesting & surprising, that trying to discover if any such vectors have Actually resulted in anyone, or lots of people, getting infected, has so far proved fruitless. And i don't mean just with this thread, but over the years i don't recall hearing/reading about Any ! Plenty of alerts & advisories etc, but no actual events.

Obviously if people have patched, and/or they have other measures etc in place that would prevent infections via Vulns/Bugs, then they were/are safe. But what about ALL the others who didn't patch in time, or at all, and still didn't get infected, from what we know so far anyway. Maybe they didn't visit infected www's, or ?

I used to selectively patch critical etc updates via Technet, but after several XP/SP2 reinstalls & having good security in place, i proved trying to get infected numerous times i was failing. So i decided patching was superfluous to protecting my PC. And so it has continued to be after a number of years.

So even with Internet Explorer v6 with NO updates, & FF v3.6.14 the same, i have been able to cruise to ANY infected www with NO problems, in all this time. The only tricks etc i have seen, are the typical Java/Scripting/PDF/Redirects exploits/prompts etc to try & download some .exe .dll etc. Not once have i experienced a browser vulnerability that hijacked, or even attempted to hijack, it/them.

It "appears" to me that such things are actually quite rare, though not impossible.
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air
  #6  
Old May 6th, 2012, 10:11 PM
Ranget Ranget is offline
Frequent Poster
 
Join Date: Mar 2011
Location: Not Really Sure :/
Posts: 832
Default Re: Infected via Browser vulns/bugs ?

Well once not a long time ago i was using a Browser with no FP or Java at all
just noscript

updated to the latest version and got hacked if it's not a Browser exploit i'm going to go crazy
__________________
Spyshelter Premium + MBAM Pro + Avast Free + Hardened FireFox + Secunia Update Checker
"Uncommon sense will increase your privacy; common sense will just make you common."
"The Worst Thing in the World is To look and not be able to Help "
  #7  
Old May 6th, 2012, 10:23 PM
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: Infected via Browser vulns/bugs ?

Quote:
Obviously if people have patched, and/or they have other measures etc in place that would prevent infections via Vulns/Bugs, then they were/are safe. But what about ALL the others who didn't patch in time, or at all, and still didn't get infected, from what we know so far anyway. Maybe they didn't visit infected www's, or ?
Browsers make it really clear to patch vulnerabilities. Chrome silently updates, Firefox has always notified of updates, IE updates through Windows.

Even if they weren't great at patching they:
1) All share the market. Attacking IE gets you only half of the market, Chrome and FF even less. Attacking Flash gets you 98% of the market.
2) They are at the forefront of mitigation techniques.
__________________
  #8  
Old May 9th, 2012, 08:03 AM
BrandiCandi
 
Posts: n/a
Default Re: Infected via Browser vulns/bugs ?

Just because you can't tell it happened doesn't mean it didn't happen.

http://itsecurity.vermont.gov/threats/web_attacks

Quote:
Traditionally, browser-based attacks originated from “bad” websites but due to poor security coding of web applications or vulnerabilities in the software supporting web sites, attackers have recently been successful in compromising large numbers of trusted web sites to deliver malicious payloads to unsuspecting visitors. Hackers add scripts that do not change the website’s appearance. These scripts may “silently” redirect you to another web site without you even knowing about it.

Symptoms of browser exploit (from this):
Quote:
  • Your homepage, search page or favorites have been altered
  • Options in your Internet settings have been changed
  • Access is blocked to certain functions
  • Redirection of incorrectly typed URL prefixes (for example, you type the wrong address or extension and you get redirected to a porn site)

or there may be no symptoms at all, except maybe some extra network traffic if you're watching for that (from here):
Quote:
There aren’t any notable symptoms of Exploit:JS/CVE-2011-1345 because it does not create files or install itself on your computer.
So to conclude that no one has gotten infected because no one has ever known that they got infected is totally wrong,
  #9  
Old May 9th, 2012, 08:54 AM
BrandiCandi
 
Posts: n/a
Default Re: Infected via Browser vulns/bugs ?

The question I have is "How likely is it that my browser will be exploited?"

Here's what I've found:

This dated March 2012:
Quote:
Web browsers are a fundamental tool on every computer. It’s not surprising, then, that a lot of effort is put into finding ways to exploit them. Like phishing, exploiting browsers is not a new tactic. It is, however, a threat that requires significant attention going forward
I'm looking for some actual statistics about browser exploits recently. The most recent source I could find dated from 2008:
Quote:
A 2008 study conducted by the European Network and Information Security Agency (ENISA) found that the most common infection methods used in the preceding years were browser exploits (65 percent), email attachments (13 percent), OS exploits (11 percent), and downloads (9 percent).
I'd like to find a more recent study so we can understand what the likelihood of a browser attack would be for the average user today. If anyone finds any I'd love to see it.
  #10  
Old May 9th, 2012, 12:33 PM
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: Infected via Browser vulns/bugs ?

I think they're putting Browser Plugins in with the "browser exploits" statistic.

I also think OS exploits have likely gone down as we've moved past XP.
__________________
  #11  
Old May 9th, 2012, 07:36 PM
Baserk Baserk is offline
Frequent Poster
 
Join Date: Apr 2008
Location: Amstelodamum
Posts: 970
Default Re: Infected via Browser vulns/bugs ?

^true. As both articles mention, it's mostly about keeping the browser+plugins up to date.
'Another type of vulnerability that is commonly exploited is the targeting of browsers and their plugins (Flash, Java etc.)...The most common infection methods detected by S21sec include browser exploits (65%)...' link
It would help if Oracle can find it in its heart to auto-update java like Flash now, then the whole browser package could auto update, current/coming browser sandboxing will lower the percentage even more.
__________________
ROMANES EUNT DOMUS
  #12  
Old May 10th, 2012, 08:18 PM
CloneRanger CloneRanger is offline
Massive Poster
 
Join Date: Jan 2006
Location: Home usually
Posts: 3,848
Default Re: Infected via Browser vulns/bugs ?

@ Ranget

@ BrandiCandi

I never said it hadn't happened, or couldn't happen, just that i had Never experienced ANY, even after years of trying all manner of www's that had been compromised in some way/s.

Thanks for the links etc

@ Hungry Man & Baserk

Yeah, my focus for this thread is NOT on Plugins etc, only browser exploits
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air
  #13  
Old May 11th, 2012, 03:12 AM
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: Infected via Browser vulns/bugs ?

Quote:
even after years of trying all manner of www's that had been compromised in some way/s.
Naturally. If you had run into any you likely would have been further up to date though if I recall that's not your thing so perhaps some antiexecutable or NoScript type deal would have blocked it.

And, of course, with such easy targets as Java, Flash, Reader, there's not much reason to go for browser exploits, which are much harder to come by and patched very quickly.
__________________
  #14  
Old May 11th, 2012, 03:41 PM
xxJackxx xxJackxx is offline
Very Frequent Poster
 
Join Date: Oct 2008
Location: USA
Posts: 2,532
Default Re: Infected via Browser vulns/bugs ?

Quote:
Originally Posted by Hungry Man
...I also think OS exploits have likely gone down as we've moved past XP.

Absolutely. The only issue I even had with a browser was 6 years ago. Windows XP, IE6, NOD32. Was searching google, clicked on a link in the results, IE closed, NOD32 closed, IE opens back up with an extra toolbar and a Vundo infection.
 
