Browser security report by Secunia

Discussion in 'other security issues & news' started by Arup, Apr 16, 2009.

Thread Status:
Not open for further replies.
  1. Arup

    Arup Guest

  2. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    Opera. :D
     
  3. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543

    Lol, 1 vulnerability less isn't even worth talking about. Firefox is getting scary, IE is showing the old arguments against it are dead or dying.
     
  4. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    In terms of number of security vulnerabilities, Firefox has been leading IE since 2006, I believe.

    Firefox was supposed to be the "safer" browser that everyone installed back then to prevent them from being infected via IE. It's kind of sad to see how much one of the main pillars that Firefox built its reputation on has crumbled away, even more so when so many of their users are still relying on news from 2005 and believe what they're using is safer.
     
  5. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    Is not only about the vulnerability founded but also the time taked to fixe them... ;)
     
  6. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543

    You sure are right about that:thumb: However, quick fixes or not, Firefox is quickly flipping the "most secure browser" claim on its head, imho.
     
  7. Arup

    Arup Guest

    Its not just about number of vulnerability but about who patches fastest, Opera has had the least number of vulnerabilities and have been the fastest to patch. Thats to their credit. Just like Ubuntu, Opera may not be the fastest or latest but in overall sense, it is the most secure and if one has been following Secunia, it rarely has unpatched critical flaws. The moment thats discovered, Opera patches it and patches fast.

    Mozilla foundation's claim was that their inherent design makes it secure over others, a claim that has now proved to be hollow in every sense.
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Why hollow?

    How many people using FF got infected through their browser? 0.
    How many people keep getting infected using IE, no matter which version? > 0.

    Mrk
     
  9. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
  10. Newby

    Newby Registered Member

    Joined:
    Jan 12, 2007
    Posts:
    153
    Arup,

    You are a knowledgeable member. You have posted the thread https://www.wilderssecurity.com/showthread.php?t=236526&highlight=Arup in which the winning hacker in an interview said that Chrome was the hardest to hack (see https://www.wilderssecurity.com/showpost.php?p=1428411&postcount=9), also in another post a Standford University study is mentioned which states that Chrome will be less vlnarable to exploits (https://www.wilderssecurity.com/showpost.php?p=1341118&postcount=29).

    Another member posted this test, but http://nsslabs.com/anti-malware/browser-security, but I found that it was funded by Micorsoft: http://www.thetechherald.com/articl...e-NSS-Labs-report-touting-the-benefits-of-IE8

    It seems that 95% of the Wilders Members are in favour of FF, but you have to cripple it so much, it has just a little bit more functionality than a text based browser (I can't recall but according to Bellgamin the safest browser).

    Kees1958 his opinion seems to be that Chrome (or Iron/Chromium) is the safest browser available at the moment. I noticed that he was told to POQ (which is an insult when I look it up at the Dictionary) when he hinted to a FF fan to switch to Chrome when using Sandboxie.

    So here I am noting that a lot of undefended claims are stated at Wilders regarding the FF security, on the other hand I have a Hacker, Standford and a massive poster voting for Chrome and another very experienced security expert (Ilya of DefenseWall) and a experienced massive poster (you) voting for Opera.

    You are one of the few brave members who dare to state that FF lags behind for over a few years. Now you are saying that Opera is the safest, could you explain that a little better (I think because exploits are fixed very quickly). I also found a post of the programmer of DefenseWall who thought that Opera was the safest browser at the time of posting. So I am not questioning your statement, just asking for explantion.

    The previous post links to a blog which discusses an exploit. The exploit also summerises its succes against browsers (see pic), IE7 leads (nearly 5000 times succes, FF nearly 2000 succesfull exploited, Opera 200 times and Chrome 160). When you take the market share of IE into account http://en.wikipedia.org/wiki/Usage_share_of_web_browsers then the rating would be IE 75, FF 90, Chrome 122 and Opera 285) so that looks bad for FF, considering the fact that a study prooved that FF users are normally technical savvy and use a lot of security add ons.
    Thanks
    EDIT mistake


    EDIT: thanks for the PM, this clarifies a lot :thumb:
     

    Attached Files:

    Last edited: Apr 16, 2009
  11. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
  12. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    You have the numbers wrong btw. First column represents total hits, second column represent # of successful exploits.

    Also, please do not take that report as representative of browser security.
     
  13. Newby

    Newby Registered Member

    Joined:
    Jan 12, 2007
    Posts:
    153
    No but you can influence it by agreeing on the study prerequisites, scope and hypothesis, before signing the funding. I am definitely not a Newby on that field of expertise.
     
    Last edited: Apr 16, 2009
  14. Newby

    Newby Registered Member

    Joined:
    Jan 12, 2007
    Posts:
    153
    Sorry, I have corrected this, you are right. No, there are to many aspects. That is what I am trying to understand, but the outcome now makes sense to me. Just found it nice that you also dared to question the general believe at Wilders that FF is the best and stated it with a sample.

    Thanks
     
  15. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    Don't worry, it just makes it all the easier for me if you already understand this. ;)

    Then that means the study is valid only within the specified scope of research, of course.

    As stated, the NSS Labs study tests the ability of browsers to blacklist social engineering sites that deliver malware, and from what I can tell, it would seem that IE8 had the best ability to do so.

    Whether this translates into IE8's security in general with all other factors was not tested, and cannot be determined via the methodologies and results of this study alone.
     
  16. Newby

    Newby Registered Member

    Joined:
    Jan 12, 2007
    Posts:
    153
    The outcome is more or less congruent with other indicative fact finding. As questioned by me in that thread, the difference between IE7 and IE8 are striking. So some of the new features of IE8 (smart screen and XSS filter) must have contributed to the succes. IT-wise Chrome and IE8 have chosen different roads to security improvement. Marketing wise they both have an advantage (XSS, smart screens URL analysis versus Sandbox) , it just comes in handy that the biggest got better no need to worry, so customers stay in your seats please, Even then, I think the majority of the customers won't take the trouble of installing a different browser for technical or security superiority, so discussion on this topic will be limited to 25 percent of the Windows based PC users maximum.

    Thanks again
     
  17. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    Come on !

    You can't really believe that !

    I presume you're not comparing FF on Linux vs. IE on Windows ? That's not a fair comparison.

    'How many people using FF got infected through their browser? 0.'
    There is no way you can back that up. Say, whay if a FF user is not using noscript plus that adblock thing, are they really safe from malicious scripts ? :rolleyes:
    Or what if they get (too many) dangerous add-ons for FF ?

    IE 7 can be reasonably safe if you don't fall for the concept of 'trusted zones' (I've never needed them), increase the security settings, and use software (AV or otherwise) that monitors (attempted) changes to IE, and if you generally know what you are doing.
     
  18. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    I'm talking Windows, FF vs IE.

    Say, what if a FF user is not using noscript plus that adblock thing, are they really safe from malicious scripts?

    The answer is: yes.

    I'm waiting these last 3 years for one person to show me ONE example of a successful drive-by in Firefox (or Opera, for that matter).

    So far, EVERY single, EVERY single explout ever shown and demonstrated was on IE. In FF, you may get a prompt to download file, at best. Now, downloading files and executing them ... that's a different story altogether.

    But ONE example where you can actually do something malicious with FF. No one has shown me EVER.

    IE CAN BE SAFE. That's not in dispute. But we're talking default levels.

    Now, number of vulnerabilities means absolutely NOTHING. Why? Crude example: let's say a software X has 4 million local vulnerabilities, software Y has 1 remote. And which one do you think is more severe?

    I don't care if FF has 300 or 7 trillion reported bugs found, it means nothing. As long as problems are solved quickly, everything is fine. Vulnerabilities that are patched are no longer vulnerabilities, are they?

    Quick patch cycle, auto-update, you can't beat that.

    Just a reference, do you know how many software and system bugs I reported in the last 6-7 months that you won't read about anywhere? The numbers mean nothing.

    Once again, I IMPLORE, BEG and TEASE, one example of a drive-by in Firefox, I'll buy you icecream for a year. Hell, I'll buy an iPhone.

    Besides, it's innocent until proven guilty. Crying that FF is bad is ok. But show me example.

    Go to any HijackThis or spyware forum. Who do you think posts those logs and begs for help? FF users? Nope. IE users. With FF, you don't get drive-bys. What remains is pure deliberate user-initiated execution, but that equals suicide, for all that matters.

    I'm not a fanboy or anything. I believe Opera is the same in this regard. And so is K-meleon and many other browsers. None supports local scripting or activex. That's all. The entire magic.

    Mrk
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    This is certainly true for those that exploit a browser vulnerability.

    However, the script can trigger other actions that enable the running of an executable, as has been demonstrated with PDF and DOC file explolits, where the user is redirected, or in using Google, gets to a malicious web site with this code:

    Code:
    <head>
    <script>
    document.write('<iframe src="somefile"></iframe')
    </script>
    </head>
    
    where the document is loaded and opened.

    Using Opera in your example with scripting enabled, I set up a simple test with that code in an HTML file, using a MSWord document which opens and runs a macro to load a DLL which starts an instance of IExplorer:

    docIframe-1.gif

    You can emphasize not to use MSWord or remove IExplorer, configure the browser to prompt for ALL files, keep scripting disabled, use another PDF Reader, etc. But nonetheless, using your scenario of scripting enabled, a user not taking those precautions can be victimized, so that some protection to block the payload would seem to be in order:

    docIframe-2.gif

    Real DOC and PDF exploits embed or call out for a malicious executable.

    Many other ways exist to prevent executables from installing, of course, and I emphasize this because I don't think it's wise to consider the Browser impenetrable, because there are opportunites for exploitation if a user forgets to disable scripting, changes other settings, etc.

    Advanced users, probably not. But who knows?

    In this case, it is not an exploit of a Browser weakness, rather a script making use of a legitimate Browser function (i-frame in this case).

    REFERENCE

    Hosted javascript leading to .cn PDF malware
    http://isc.sans.org/diary.html?storyid=6178


    ----
    rich
     
    Last edited: Apr 17, 2009
  20. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Thanks for the example. I would appreciate the script code.

    Still, please try this example:

    Place the html file on a server and then open it in the browser. And then try to open a file that resides on the server - as is the case in drive-bys.

    You will see that Opera / Firefox will prompt you for a download. You won't get the file opened, you'll get a prompt to open/save.

    I just did that and here are the results:


    no-driveby.jpg


    Iframes, javascript and whatnot.

    Cheers,
    Mrk
     
  21. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    OK, I'll run the test from a server.

    I would bet that most users have their browser open documents directly.

    This is the HTML code:

    Code:
    <head>
    <script>
    document.write('<iframe src="hmmapi.doc"></iframe')
    </script>
    </head>
    

    dociframeWeb.gif


    Let's look at a current PDF exploit in the wild. I would venture to guess that most people use Acrobat Reader and make use of the Browser plugin.

    Here is the exploit code (redacted):

    Code:
    
    SCRIPT language="javascript">
            
    function PDF()
    {
    	for (var i=0;i<navigator.plugins.length;i++) 
    	var name = navigator.plugins[i].name;
    		if (name.indexOf("Adobe Acrobat") != -1) 
    		{location.href = "spl/pdf.pdf"
    }
    PDF()
    </script
     
    wepawet analysis of the PDF code:

    Code:
    Shellcode and Malware:
    
    ....d.d...2.d..d
    ...2d.d.*..-....
    ..http://XXXXXX.cn/XXXXXXXXXXX/exe.php
    
    ...
    
    MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit)
    
     
    This is a redirect from a legitimate site; the exploit runs upon connection to the malicious site:

    acro-operaAEblock.gif


    Now, no one I've helped would be hit by either of these exploits because I configure Opera to prompt for all file types, so that even in a remote code execution (drive-by) exploit, you get a prompt:


    docIframeWebPrompt.gif acro-operaPDFprompt.gif

    Of course, we know that standard procedure should be to have the Browser Prompt to download files: But do you think all users are aware of this? You do, and you advocate using Foxit Reader, but how many "Mr.and Mrs. Smiths next door" do?

    So that is my argument, that you cannot depend on the Browser to be impenetrable in the hands of everyone. There are just too many variables, too many settings, add-ons, ad nauseum.

    And so, in answer to your challenge:

    I give you two. Thanks for the offer of the rewards, but I'll decline since I prefer homemade ice cream, and have no use for an iPhone.


    ----
    rich
     
  22. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Rmus, your example is valid provided the browser is set to open files automatically. But this is not the case, both for Firefox or Opera, by default.

    By default, both these browsers prompt for download. So you have to go one step further and make files open automatically, which is no different than executing them yourself.


    test2.png


    BTW, we agree on security. I don't count on the browser to do things. I count on this: double-click, it runs, no double-click, it does not run. As simple as that.

    I'll send you some ice-cream via email ... I hope it doesn't melt on the way.

    Cheers,
    Mrk
     
    Last edited: Apr 17, 2009
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    That may be for the latest version of Opera. I'll check that. I installed the older v8.5 on my laptop and PDF is configured to use the Plugin:

    acro-OperaPref.gif


    At first the exploit would not work because I normally have Plugins disabled:


    acro-operaPlugin.gif


    By the way - one other requirement was necessary for this particular PDF exploit to work: No outbound firewall monitoring. As the file opened, I got an alert:


    acro-kerio.gif


    I had to permit the connection for the download to attempt.


    Yes, it is simple. But I never assume anything with people. I'll wager that many people think the browser is supposed to "do things" without any input. I know that this is true with those I've seen who use IE.

    That's why it's necessary to get down in the trenches and help the clueless when we can and show them these things.

    I've never had a problem making people understand basics. Using screenshots is a big help: a visual image registers in memory better than just a list of "thou shalt nots." This is especially effective with the WinAntiVirus exploits where a fake scan may pop up.

    Thanks! Zip it using FreezerWrapZip.exe. I'll be waiting...


    ----
    rich
     
  24. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    A lot of tech talk ...

    I'll ask it in a simple way: is it possible for FireFox (let's exclude zero-day vulnerabilities for the browser) in its default configuration, to encounter on a website malicious javascript that downloads a trojan ?

    It's possible in IE. Would FF ask if you wanted to download or install the trojan ? o_O
     
  25. yeow

    yeow Registered Member

    Joined:
    Dec 11, 2006
    Posts:
    225
    With outdated Java Runtime Env (JRE) installed, I've the impression that Smitfraud may silently install with IE/FF/Opera. Not too sure, but I think so.
     
Loading...
Thread Status:
Not open for further replies.