Browser vulnerabilities and attacks will continue to mount

Security researchers maintain that attacks on browser vulnerabilities are only going to increase in volume and frequency, in particular during 2007.

According to experts at IBM's newly acquired ISS business unit, which is based in Atlanta, the continued emergence of the "exploits as a service" business, through which malware code writers market their attacks to cyber-criminals via underground channels, will only add fuel to the fire.

In another daunting development, roughly 50 percent of the browser attacks observed by ISS' X-Force research team during 2006 used encryption to hide themselves and the data they attempted to steal, with the group expecting use of such tactics only to grow during 2007.

"Attackers have honed into Web browser vulnerabilities because the amount of protection people have to defend against these types of threats is not as advanced for many end users," said Gunter Ollmann, director of security strategy at IBM ISS. "In addition to the underground communities where exploits are being bought and sold, it's also become much easier for attackers to build engines that sit on Web servers and generate personalized browser attacks."

Ollmann said that such threat engines are being armed with increasingly sophisticated levels of programming logic, giving them the capability to look at the specific version of a browser someone is using and launch attacks specifically aimed at the programs. Malware code writers are also sharing libraries of IP addresses known to be used by security researchers to help avoid detection of their latest work, Ollmann said.

Another breed of emerging attack attempts to insert itself between end-users' keyboards and browsing programs to steal data and circumvent the security tools being added to the programs.

The so-called "man-in-the-browser" threats have already been found lurking in high-value online transactional systems operated by financial services companies, where they seek to intercept valuable information as it entered by customers, said Dr. Chenxi Wang, analyst with Forrester Research.

The spiraling complexity of such threats serves as strong evidence that the battle between malware writers and browser makers is only beginning to heat up, and will continue for some time, the analyst said.

Wang believes that one answer to the security problem will be for browser makers to adopt more rigorous software development efforts to minimize vulnerabilities, but even those improved processes won't catch every flaw.

Microsoft's Security Development Lifecycle (SDL) program, for instance, appears to have lowered the number of vulnerabilities in its newest Internet Explorer 7 browser compared to earlier versions of the product, but the company has already been forced to patch at least one critical flaw in the software, which was released in Oct. 2006.

"This is going to be an arms race that is ongoing for the foreseeable future," Wang said. "There is no excuse for people on the defense side not to be more proactive with security and use better mechanisms during software development to protect against future attacks, but the attackers will always have some new approach as well."