Information Security News mailing list archives

Web browsers face crisis of security confidence


From: InfoSec News <alerts () infosecnews org>
Date: Tue, 24 Jun 2008 03:03:16 -0500 (CDT)

http://www.theregister.co.uk/2008/06/23/marginal_browser_security_protections/

By Dan Goodin in San Francisco 
The Register
23rd June 2008

User beware. Today's web browsers offer more security protections than 
ever, but according to security experts, they do little to protect 
people surfing the net from some of the web's oldest and most crippling 
threats.

Like nuclear stockpiles during the Cold War, new safety features amassed 
in Firefox, Internet Explorer and Opera are part of an arms-race 
mentality that leaves online criminal gangs plenty of room to launch 
attacks. What's more, the new protections often take years to be 
implemented and months to circumvent. Meanwhile, shortcomings that have 
bedeviled all browsers since the advent of the World Wide Web go 
unaddressed.

Earlier this week, Mozilla patted itself on the back for adding a 
security feature to Version 3 of Firefox that's of only marginal benefit 
to its users. It prevents users from accessing a list of websites known 
by Google, and possibly others, to be spreading malware. Opera Software, 
in a move its CEO proclaimed "is reinventing Web-based threat 
detection," added a similar feature to version 9.5 of its browser 
released two weeks ago, and Microsoft engineers are building malware 
blocking into IE 8.

Here's the rub: According to our tests over the past week, the Firefox 
anti-malware feature frequently failed to block sites compromised by one 
of the most prevalent SQL injection exploits menacing the web. Outcomes 
varied from minute to minute, but clicking on results returned from 
searches such as this and this (we strongly recommend you don't try this 
at home) led us to dozens of compromised websites even with Firefox's 
gee-whiz malware protection feature turned on.

Firefox 3 does block nihao11.com and the half-dozen or so other domain 
names that are referenced in the injection attack, so there is some 
benefit to the feature. But its inability to flag the huge number of 
websites that have been compromised shows the limits of such an 
approach. Similarly, researchers from Websense report here that they 
"found multiple phishing pages that still made it through" anti-phishing 
mechanisms that have existed for more than a year in Firefox. Because 
they rely on static blacklists built from behavior reported weeks or 
months earlier, these features often fail to detect quick-moving 
threats.

"These little anti-phishing things and anti-malware things, I'm not 
buying them," says Jeremiah Grossman, CTO of web application security 
firm WhiteHat Security. "Are we less likely to get hacked as a result of 
these features? No. If I was really the evil guy, I'll send you to a 
hacked up blog page with Firefox 3 and you won't have a good day."

[...]

