What is your browser security approach these days?

Discussion in 'other anti-malware software' started by Kernelwars, Apr 22, 2011.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I've always liked to keep things simple, as my browser security approach shows in Post #2.

    At the same time, I'm looking for web sites with exploits that might get past that setup, so I'm wondering if anyone has something special you've seen recently.

    I looked today at the malware domain lists, and one prominent list has almost all rogue AV exploits in the first several hundred sites listed. I looked at a typical one.

    It is a common redirection exploit, where a site has been compromised to redirect the potential victim to another site with the exploit code.

    I went there with IE8 with scripting and plugins enabled for testing:

    rogue_ie.gif

    So, what triggers the fake scan and dire warning? Just simple Javascript that retrieves some JS files from the malicious site:

    rogue_codeIE.gif

    If I go there in Opera with javascript enabled (White listed) only for my regularly visited sites, then,
    even if redirected from a White Listed site, scripting will not be enabled on the redirected site
    and the exploit fails because the JS files cannot be retrieved, and I see just a blank web page.

    This is nothing really new, of course. As far back as 2008 this trick has been done. See:


    http://urs2.net/rsj/computing/tests/winantivir


    Is anyone aware of a Rogue AV exploit that doesn't start via javascript?

    Another common web-based attack exploits Java vulnerabilities. Usually, a malicious JAR file is cached
    that has exploit code to download a malicious executable.
    Here is one from last month:

    [IMG]

    Naturally, if Java is used on a system, one would keep it updated, but this vulnerability was being exploited before an update was available.

    Here is Microsoft's explanation of how one exploit works:

    Exploit:Java/CVE-2010-0840.W
    http://www.microsoft.com/security/p.../Entry.aspx?Name=Exploit:Java/CVE-2010-0840.W
    A sure preventative measure is to keep Java disabled except when needed.
    This has been true for many years, so this is not a new exploit at all.

    PDF exploits are still around, although Adobe's Reader is becoming more difficult to exploit.
    Web-based exploits require the PDF Plugin to be enabled so that the PDF file will load automatically into the browser window,
    allowing the malicious code either to extract an embedded malicious executable, or download one from some site:

    pdf_ie.gif

    If I have configured all file types to prompt for a download, the trick will not work, and I will just Cancel the download,
    knowing that I didn't go looking for this file:

    pdf_opera.gif

    The alert reader will note that these are not browser exploits. Rather, the browser is just the trigger for code that exploits various plugins and javascript designed for implementation in the browser.

    People like the Plugins, especially in businesses, where a user may read many PDFs on line daily, and loading into the browser window is a bit faster. Yet, that opens the door for the remote code execution exploit.

    A common complaint against White Listing javascript is that many sites don't work without it. So, if a user clicks on a search link to go to a site that requires javascript, an extra step is then needed.

    I suppose it's a trade off, as are many things in life.

    Are there other web-based exploits in the wild you know of that I can check out (URL needed)?

    Thanks,

    -rich
     
    Last edited: Apr 30, 2011
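Added example, not part of Rmus's post: a small JavaScript model of the two settings the post describes, a per-site script whitelist checked against the final document after any redirect, and plugin file types set to prompt for download instead of loading in the browser window. The host names, the whitelist contents and the function names are constructed for illustration.

```javascript
// Model of the policy described above (hypothetical names, constructed data).
const SCRIPT_WHITELIST = new Set(["forum.example", "news.example"]);

// Content types that would otherwise be handed to a browser plugin.
const PLUGIN_TYPES = new Set([
  "application/pdf",
  "application/java-archive",
  "application/x-java-applet",
]);

function hostOf(url) {
  return new URL(url).hostname.toLowerCase();
}

// redirectChain: URLs visited in order; the last one is the document that
// actually renders. scriptUrls: external JS files that document references.
function evaluateNavigation(redirectChain, contentType = "text/html", scriptUrls = []) {
  const startHost = hostOf(redirectChain[0]);
  const finalHost = hostOf(redirectChain[redirectChain.length - 1]);

  // The whitelist is checked against the document that renders, never the
  // site that sent the user there. Exact host match only in this model.
  const scriptsAllowed = SCRIPT_WHITELIST.has(finalHost);

  // Strip parameters such as "; charset=utf-8" before comparing.
  const type = contentType.split(";")[0].trim().toLowerCase();

  return {
    finalHost,
    scriptsAllowed,
    // With scripting off for the document, its JS files are never requested.
    scriptsFetched: scriptsAllowed ? scriptUrls.slice() : [],
    // Plugin types are never auto-loaded; the user sees a download prompt.
    action: PLUGIN_TYPES.has(type) ? "prompt-download" : "render",
    // Worth logging: a trusted site handed the user to an untrusted one.
    redirectedOffWhitelist: SCRIPT_WHITELIST.has(startHost) && !scriptsAllowed,
  };
}

// Constructed case: a whitelisted site redirects to an unknown host.
const demo = evaluateNavigation(
  ["http://forum.example/thread", "http://scan-page.invalid/index.html"],
  "text/html",
  ["http://scan-page.invalid/a.js", "http://scan-page.invalid/b.js"]
);
console.log(demo.scriptsAllowed, demo.scriptsFetched.length, demo.redirectedOffWhitelist);
```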
  2. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    I use Linux
     
  3. IBadget

    IBadget Registered Member

    Joined:
    Jan 14, 2009
    Posts:
    59
    Location:
    Waipahu, HI
    I use NoScript for Firefox and NotScripts for Google Chrome.
     
  4. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    anyone here using safer chrome here?
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Chrome + host file + javascript whitelist

    Nothing else to harden, really.
     
  6. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    I do understand what you are saying but what about the mixed content... I had a nightmare about that thing today, couldn't sleep :(
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Mixed content? Like if a legit site has an infected ad?

    XSS auditor + sandbox works just fine.
     
  8. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    check this one out.. screenshot from today.. although there was a lot of discussion about this.. but still :(
     

    Attached Files:

  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    errr what exactly is that?
     
  10. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Firefox w/ NoScript, ABP, WOT, Ghostery, RefControl, OptimizeGoogle, BetterPrivacy, Flashblock, Greasemonkey, Keyscrambler. Private browsing mode, sandboxed, all downloaded data sent to dedicated partition.
     
  11. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    it's mixed content.. it is showing that the application that is monitoring my keystrokes in the site is ready to bite me real bad.. lol captured the username and password I typed..
     
  12. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    I just keep it simple. Firefox with NoScript, Adblock and Dr Web link scanner. If I'm visiting seedier areas of the web I'll run Firefox inside Sandboxie.
     
  13. clayieee

    clayieee Registered Member

    Joined:
    Apr 14, 2011
    Posts:
    260
    I use Cocoon on Firefox
     
  14. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    yea but what about folks who are using chrome.. folks like me:( any good extension out there?
     
  15. Matthijs5nl

    Matthijs5nl Guest

    I am surprised your browser still launches :D.
     
  16. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    that was a good one..:) :D
     
  17. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    +1. :thumb: :D :D :D
     
  18. ReverseGear

    ReverseGear Guest

    My ff launches with more than 20 addons ;)
     
  19. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    I use icacls tweaks to set Firefox at Low Integrity level.
     
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yes. What kind are you looking for? I assume security based extensions?
     
  21. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    It's nothing compared to a fanatic. NoScript and FlashBlock are redundant though.

    @Kernelwars: Does it still work if you block javascript? I believe Chrome has a built-in whitelist manager, and there's NotScripts for finer control as well.
     
  22. jaodsvuda

    jaodsvuda Registered Member

    Joined:
    Feb 27, 2011
    Posts:
    161
    You Firefox guys and your add-ons...Your browser will soon need its own partition...

    You may laugh (I know it's not the favourite browser 'round here), but sandboxed Opera works for me... or it has enough problems of its own, so "bad guys" just let it pass by...
     
    Last edited: May 23, 2011
  23. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    it doesn't work if I block javascript... so just block the javascript and opt in for click-to-play?
     
  24. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    yes indeed my good friend:)
     
  25. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Not redundant at all. If there are several flash objects on the same page NoScript allows the possibility of flash, and then I can pick & choose which one(s) I actually want to run.

    And my browser launches just fine. In fact it's snappy. Of course I don't have a hundred other apps competing for resources either. As I type now I have 19 processes currently running. That certainly helps my browser launch in a timely fashion.
     