What is your browser security approach these days?

Discussion in 'other anti-malware software' started by Kernelwars, Apr 22, 2011.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    I've always liked to keep things simple, as my browser security approach shows in Post #2.

    At the same time, I'm looking for web sites with exploits that might get past that setup, so I'm wondering if anyone has something special you've seen recently.

    I looked today at the malware domain lists, and one prominent list has almost all rogue AV exploits in the first several hundred sites listed. I looked at a typical one.

    It is a common redirection exploit, where a site has been compromised to redirect the potential victim to another site with the exploit code.

    I went there with IE8 with scripting and plugins enabled for testing:

    rogue_ie.gif

    So, what triggers the fake scan and dire warning? Just simple Javascript that retrieves some JS files from the malicious site:

    rogue_codeIE.gif

    If I go there in Opera with javascript enabled (White listed) only for my regularly visited sites, then,
    even if redirected from a White Listed site, scripting will not be enabled on the redirected site
    and the exploit fails because the JS files cannot be retrieved, and I see just a blank web page.

    This is nothing really new, of course. As far back as 2008 this trick has been done. See:


    http://urs2.net/rsj/computing/tests/winantivir


    Is anyone aware of a Rogue AV exploit that doesn't start via javascript?

    Another common web-based attack exploits Java vulnerabilities. Usually, a malicious JAR file is cached
    that has exploit code to download a malicious executable.
    Here is one from last month:

    [​IMG]

    Naturally, if Java is used on a system, one would keep it updated, but this vulnerability was being exploited before an update was available.

    Here is Microsoft's explanation of how one exploit works:

    Exploit:Java/CVE-2010-0840.W
    http://www.microsoft.com/security/p.../Entry.aspx?Name=Exploit:Java/CVE-2010-0840.W
    A sure preventative measure is to keep Java disabled except when needed.
    This has been true for many years, so this is not a new exploit at all.

    PDF exploits are still around, although Adobe's Reader is becoming more difficult to exploit.
    Web-based exploits require the PDF Plugin to be enabled so that the PDF file will load automatically into the browser window,
    allowing the malicious code either to extract an embedded malicious executable, or download one from some site:

    pdf_ie.gif

    If I have configured all file types to prompt for a download, the trick will not work, and I will just Cancel the download,
    knowing that I didn't go looking for this file:

    pdf_opera.gif

    The alert reader will note that these are not browser exploits. Rather, the browser is just the trigger for code that exploits various plugins and javascript designed for implementation in the browser.

    People like the Plugins, especially in businesses, where a user may read many PDFs on line daily, and loading into the browser window is a bit faster. Yet, that opens the door for the remote code execution exploit.

    A common complaint against White Listing javascript is that many sites don't work without it. So, if a user clicks on a search link to go to a site that requires javascript, an extra step is then needed.

    I suppose it's a trade off, as are many things in life.

    Are there other web-based exploits in the wild you know of that I can check out (URL needed)?

    Thanks,

    -rich
     
    Last edited: Apr 30, 2011
  2. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    I use Linux
     
  3. IBadget

    IBadget Registered Member

    Joined:
    Jan 14, 2009
    Posts:
    59
    Location:
    Waipahu, HI
    I use NoScript for Firefox and NotScripts for Google Chrome.
     
  4. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    anyone here using safer chrome here?
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Chrome + host file + javascript whitelist

    Nothing else to harden, really.
     
  6. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    I do understand what you are saying but what about the mixed content... I had a nightmare about that thing today couldnt sleep:(
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Mixed content? Like if a legit site has an infected ad?

    XSS auditor + sandbox works just fine.
     
  8. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    check this one out.. screenshot from today..allthough there was a lot of discussion about this..but still :(
     

    Attached Files:

  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    errr what exactly is that?
     
  10. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Firefox w/ NoScript, ABP, WOT, Ghostery, RefControl, OptimizeGoogle, BetterPrivacy, Flashblock, Greasemonkey, Keyscrambler. Private browsing mode, sandboxed, all downloaded data sent to dedicated partition.
     
  11. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    its mixed content..it is showing that the application that is monitoring my keystrokes in the site is ready to bite me real bad.. lol captured the username and password i typed..
     
  12. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    I just keep it simple. Firefox with Noscript, Adblock and Dr Web link scanner. If i'm visiting seedier areas of the web i'll run firefox inside sandboxie.
     
  13. clayieee

    clayieee Registered Member

    Joined:
    Apr 14, 2011
    Posts:
    260
    i use cocoon on firefox
     
  14. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    yea but what about folks who are using chrome.. folks like me:( any good extension out there?
     
  15. Matthijs5nl

    Matthijs5nl Guest

    I am surprised your browser still launches :D.
     
  16. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    that was a good one..:) :D
     
  17. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    +1. :thumb: :D :D :D
     
  18. ReverseGear

    ReverseGear Guest

    My ff launches with more than 20 addons ;)
     
  19. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    i use icalcs tweaks to set Firefox at Low Integrity level.
     
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yes. What kind are you looking for? I assume security based extensions?
     
  21. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    It's nothing compared to a fanatic. NoScript and FlashBlock are redundant though.

    @Kernelwars: Does it still work if you block javascript? I believe Chrome has a built-in whitelist manager, and there's NotScripts for finer control as well.
     
  22. jaodsvuda

    jaodsvuda Registered Member

    Joined:
    Feb 27, 2011
    Posts:
    160
    You Firefox guys and your add-ons...Your browser will soon need its own partition...

    You may laugh (I know it´s not the favourite browser ´round here) ,but sandboxed Opera works for me...or it has enough problems of its own,so "bad guys" just let it pass by...
     
    Last edited: May 23, 2011
  23. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    it doesnt work work if i block javascript... so just block the javascript and optin for click-to-play?
     
  24. Kernelwars

    Kernelwars Registered Member

    Joined:
    Aug 12, 2010
    Posts:
    2,155
    Location:
    TX
    yes indeed my good friend:)
     
  25. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Not redundant at all. If there are several flash objects on the same page NoScript allows the possibility of flash, and then I can pick & choose which one(s) I actually want to run.

    And my browser launches just fine. In fact it's snappy. Of course I don't have a hundred other apps competing for resources either. As I type now I have 19 processes currently running. That certainly helps my browser launch in a timely fashion.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.