Aurora and Web Browser Security

Germany’s BSI (Federal Office for Information Security) recently warned web users not to use Microsoft Internet Explorer, advising them to switch to an alternative browser in the meantime, until a patch is made available. Shortly after this warning, France’s Certa agency issued a similar one to its users.

What is the implication of these statements? It would seem that a 0day for an “alternative browser” has just substantially increased in value.

But even though these alternative browsers might be safer to use given the current threat, are they actually more secure? To answer that, it is necessary to look at the actual risk of successful exploitation, assuming such a 0day exists somewhere. This also assumes that entities or groups with sophisticated skills, capable of writing exploits while sleeping and bypassing DEP at breakfast, exist (which is a fair assumption).

On a Windows 7 system with fully updated browsers, the following situation currently exists:

| | IE 8.0.7600.16385 | Firefox 3.6 | Opera 10.10 | Safari 4.0.4 | Chrome 3.0.195.38 |
|---|---|---|---|---|---|
| DEP | Enabled | Enabled | Enabled | Enabled | Enabled |
| ASLR | No DLL without ASLR in default process | Not properly used, e.g. nspr4.dll | Not properly used, e.g. opera.exe | Not properly used, e.g. dnssd.dll | Not properly used, e.g. icudt38.dll |

We tested the default, up-to-date installation of each browser in the table above on the Windows 7 operating system. It should be noted that these results will vary substantially on different operating system versions. The actual ease of exploitation for these targets depends on a number of factors, for example sandboxing techniques such as the Google Chrome Sandbox or IE 8’s protected mode. Other weaknesses may also allow DEP/ASLR to be bypassed, such as the now patched Dowd/Sotirov technique. For the purposes of this assessment, the effectiveness of ASLR was measured by observing the addresses of executable modules loaded in the default process.

Aside from the effort needed to produce a reliable exploit, another important factor in the risk exposed by the use of a particular browser is its market share. Internet Explorer is still in the (un)fortunate situation of being the market leader, which makes it a juicy target for the bad guys.

To make web browsing safer, effective OS exploitation mitigation techniques and a fully updated browser are essential. Make sure you apply the Internet Explorer patch which was released on Thursday.

Update:

As of the 31st March 2010 the following updated browser versions still do not opt in to ASLR properly:

Firefox 3.6.2, Chrome 4.1.249.1045 (42898) (now icudt42.dll), Opera 10.51 and Apple 4.0.5 (AppleVersions.dll).

The recent changes to Safari are notable, as AppleVersions.dll is the only binary left not opting in to ASLR. Hopefully this will be fixed in the next release. We will continue monitoring the status of the browsers on a regular basis.