Life’s Not Easy When You’re A Web Browser

Web browsers have been having a real torrid time of late; it seems the only people showing them any great attention these days are those looking for new 0-day vulnerabilities. Two weeks ago we blogged about the Microsoft Video Streaming ActiveX control vulnerability (Microsoft Windows ‘MPEG2TuneRequest’ ActiveX Control Remote Code Execution Vulnerability – BID 35558), which is exploited mostly through the older but still widely used Internet Explorer 6 and 7. That vulnerability was quite widely used by malware in the attack involving a Trojan named Downloader.Fostrem. The Trojan in turn downloads various other bits and pieces of malware that we detect as Backdoor.Trojan and Trojan.Dropper.

Just as the first vulnerability began to die down, another new vulnerability surfaced (Microsoft Office Web Components ActiveX Control ‘msDataSourceObject’ Code Execution Vulnerability – BID 35642). It isn’t specifically caused by the browser, but it is once again triggered through a browser. The exploit happens when a user visits a malicious Web site hosting JavaScript code that uses the Microsoft Office Web Components. Code on the Web site may cause vulnerable computers to execute the exploit, which may lead to a full compromise of the user’s computer. According to reports, some attacks were taking place, mostly from Asian Web sites; Symantec has detection for this attack as Bloodhound.Exploit.263.

Before you begin to think that because you use Firefox you are safe from malware, I have some bad news for you. Just a couple of days ago we saw reports of a new unpatched vulnerability (Mozilla Firefox 3.5 ‘Tracemonkey’ Component Remote Code Execution Vulnerability – BID 35660) affecting the most recent version (3.5) of the Firefox browser. Exploitation of this vulnerability can lead to remote code execution and the subsequent “owning” of the user’s computer. The exploit works quite well and has the potential to cause problems for the general Web surfing public, but there is a quick and easy workaround, which is described here. The drawback of this workaround is impaired JavaScript performance, but that is a price worth paying for safety’s sake. In response to this, Symantec has created detection for malware using this vulnerability as Bloodhound.Exploit.264.

As you can see, there have been quite a few browser-based exploit attacks in the past two weeks, but that’s not the end of it. Today we received reports of yet another unpatched browser vulnerability affecting Firefox 3.5 (Mozilla Firefox 3.5 Unicode Data Remote Stack Buffer Overflow Vulnerability – BID 35707). This vulnerability was once again uncovered by the same people who brought us the previous Firefox vulnerability. It uses a very long Unicode string to cause a stack overflow, which may then potentially allow code execution or, failing that, crash or freeze the browser. As this vulnerability is as yet unpatched, users are advised to use caution when browsing the Web. Steps that users can take to mitigate the risk include turning off JavaScript or using a tool such as NoScript to limit and control the functionality and use of JavaScript.

The common theme amongst all these vulnerabilities is that the repertoire of the Web attacker is ever expanding. When combined with SQL injection into massive numbers of Web sites, this allows for massive and successful propagation of malware by way of drive-by downloads. In this day and age, the old advice of avoiding certain types of Web site and content on the Internet is no longer enough, since even trusted sites have been known to be compromised in the past. Making sure your Web browser and other applications are fully patched, keeping your antivirus and firewall software running and up to date with the latest definition sets, and using a bit of street smarts should go a long way towards keeping you out of harm’s way. And who knows, maybe next month the browsers might just get a break from all this unwanted attention, but then again, who can tell what might happen next.
Ref: www.symantec.com