H-Desk.com - PC Security matters - Protect your PC privacy
Dec 25, 2008
Biggest Web Browser Vulnerabilities and Threats
by GlueTooth / General
Exploiting vulnerabilities in web browsers has become a popular way for attackers to compromise computer systems. Attackers do this to take control of your computer, steal your private information, use your computer to attack other computers, or destroy your files and even your computer.
Potential Risks
There is an increasing threat from software attacks that take advantage of vulnerable web browsers no matter how up to date they are. This problem is made worse by a number of factors, including the following:
- Many users have a tendency to click on links without considering the risks of their actions
- Web page addresses can be disguised to take the user to an unexpected site
- Many browsers are configured to give increased functionality at the cost of decreased security
- New security vulnerabilities may have been discovered since the software was configured
- Computer systems may be bundled with additional software that increases the number of vulnerabilities that may be attacked
- Third-party software may not receive security updates
- Many web sites require that users enable certain features or install more software, putting the computer at additional risk
- Many users do not know how to configure their web browsers securely
- Many users are unwilling to enable or disable functionality as required to secure their web browser
As a result of the factors mentioned above, exploiting vulnerabilities in web browsers has become a popular way for attackers to compromise computers.
Risky Web Browser Features
Another problem is web browser features that could be used by attackers. Vendors usually enable web browser features by default to improve performance, but these features may end up increasing the risk to the computer.
Some specific web browser features are potentially risky. The most important are listed below to help you protect yourself from security threats.
ActiveX
This is a technology used by Microsoft Internet Explorer on Microsoft Windows systems. ActiveX allows applications or parts of applications to be utilized by the web browser. A web page can use ActiveX components that may already reside on a Windows system, or a site may provide the component as a downloadable object. This gives extra functionality to browsing, but also introduces more vulnerabilities if not properly implemented. ActiveX has been plagued with various vulnerabilities and implementation issues. Using ActiveX in a web browser makes the whole system prone to attacks. Installing any Windows application introduces the possibility of new ActiveX controls being installed. Vulnerabilities in ActiveX objects may be exploited via Internet Explorer, even if the object was never designed to be used in a web browser.
Java
Java is an object-oriented programming language used to develop active content for web sites. Java applets usually execute within a “sandbox” where interaction with the rest of the system is limited. However, various implementations of the Java Virtual Machine contain vulnerabilities that allow an applet to bypass these restrictions. Signed Java applets can also bypass sandbox restrictions, but they generally prompt the user before they can execute.
* In the link provided below you can find out more about Java security
Plug-ins
A plug-in is an application intended for use in the web browser. Netscape developed the NPAPI standard for developing plug-ins, and this standard is now used by other web browsers, including Firefox and Safari. Plug-ins are similar to ActiveX controls, but they cannot be executed outside of a web browser. Adobe Flash is an example of an application that is available as a plug-in. Plug-ins can contain programming and design flaws such as buffer overflows and cross-domain violations.
Cookies
Cookies are files placed on the system to store data for specific web sites. Cookies can contain any information from a web site. They may contain information about the sites you visited, or may even contain credentials for accessing the site. Cookies are designed to be readable only by the web site that created the cookie. Cookies are cleared when the browser is closed (session cookies), or can remain on the computer until the specified expiration date is reached (persistent).
Cookies can be used to identify visitors of a web site, which can be considered a violation of privacy. Attackers may be able to gain unauthorized access to a site that uses cookies for authentication by simply obtaining the cookie. Persistent cookies pose a higher risk than session cookies because they remain on the computer longer.
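An added example (not part of the original article): a small JavaScript audit of Set-Cookie response headers that separates session cookies from persistent ones, as described above, and flags long-lived cookies and cookies that page scripts or a plain-HTTP connection could expose. The sample headers, the one-day threshold and the function names are assumptions made for illustration.

```javascript
// Constructed sample Set-Cookie header values (not taken from any real site).
const SAMPLE_HEADERS = [
  "SESSIONID=abc123; Path=/; Secure; HttpOnly",
  "auth_token=eyJhbGciOi; Expires=Fri, 25 Dec 2009 00:00:00 GMT; Path=/",
  "prefs=lang%3Den; Max-Age=3600; Secure; HttpOnly",
];
const MAX_PERSIST_SECONDS = 24 * 3600; // assumed policy threshold for this example

// Parse one Set-Cookie value into its name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Lifetime in seconds, or null for a session cookie (no Max-Age and no Expires).
// Max-Age takes precedence over Expires (RFC 6265).
function lifetimeSeconds(cookie, now) {
  const { attrs } = cookie;
  if (/^-?\d+$/.test(attrs["max-age"])) return Number(attrs["max-age"]);
  if (typeof attrs.expires === "string") {
    const t = Date.parse(attrs.expires);
    if (!Number.isNaN(t)) return Math.round((t - now.getTime()) / 1000);
  }
  return null;
}

// Classify the cookie and list the properties that raise its exposure.
function auditCookie(header, now) {
  const cookie = parseSetCookie(header);
  const life = lifetimeSeconds(cookie, now);
  const kind = life === null ? "session" : life <= 0 ? "expired" : "persistent";
  const findings = [];
  if (life !== null && life > MAX_PERSIST_SECONDS) findings.push("long-lived persistent cookie");
  if (!cookie.attrs.httponly) findings.push("readable by page scripts (no HttpOnly)");
  if (!cookie.attrs.secure) findings.push("sent over plain HTTP (no Secure)");
  return { name: cookie.name, kind, lifetime: life, findings };
}
```

Run `SAMPLE_HEADERS.map((h) => auditCookie(h, new Date()))` over the headers a site returns at login to see which cookies stay on disk and for how long.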
Scripts
Scripts or scripting languages such as JavaScript or VBScript are used to make web sites more interactive. VBScript is similar to JavaScript, but it is made for Internet Explorer and it has limited compatibility with other browsers. The ability to run a scripting language allows web page authors to add a significant amount of features and interactivity to a web page. However, this capability can be abused by attackers. The default configuration for most web browsers enables scripting support, which can introduce multiple vulnerabilities.
Some of them are:
- Cross-Site Scripting, often referred to as XSS, is a web site vulnerability that permits an attacker to leverage the trust relationship that you have with that site.
- Cross-Zone and Cross-Domain Vulnerabilities: Most web browsers employ security models to prevent script in a web site from accessing data in a different domain. Vulnerabilities that violate these security models can be used to perform actions that a site could not normally perform. The impact of this can be similar to a cross-site scripting vulnerability.
- Antivirus programs, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) generally work by looking for specific patterns in content. If a “bad” pattern is detected, appropriate actions can take place to protect the user. But, because of the dynamic nature of programming languages, scripting in web pages can be used to evade such protective systems.
This was a brief review of potential risks and vulnerabilities in web browsers that could be exploited by attackers.
Later articles will explain how to secure some of the most popular web browsers and protect yourself from potential attacks.