The Web browser is the principal tool by which we all connect to the Internet to consume content. It’s also one of the principal tools that attackers use to get at your personal data and compromise your computer.
This helps explain a key trend with Web browser development and security features: virtual browsers.
For example, HP just announced its own virtual browser offering, developed with Mozilla in conjunction with its brainchild, Firefox.
Google recently lit up the market with its own Chrome beta that offers sandbox features for securing a user’s system from malicious code. Check Point’s Force Field software is offering security browsing features to customers that deploy virtualization.
Virtual browsers have been around for a while, but they’re getting a closer look as security progresses on the Web. One core argument for using virtual browsers is that a virtual browser is inherently safer than a browser running natively.
Take the HP Firefox browser. It works by way of a virtualization layer from Symantec’s Altiris division, which it calls Software Virtualization Services (SVS).
“SVS is software virtualization and it’s similar to Virtual Machine
“So anything that changes gets put in a box and doesn’t affect the underlying system. If anything goes wrong with it, it doesn’t have direct access to the operating system,” he said.
The idea of separating the browser from the underlying system is an approach used by a number of vendors to mitigate potential risk.
“A browser compromised by malware will not be able to manipulate the file system or registry if it is virtualized because it is not integrated with the rest of the system,” Kurt Roemer, chief security strategist at Citrix Systems, told InternetNews.com.
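As an added illustration (not code from SVS, Citrix or any other vendor quoted here), the Python sketch below models the layering idea in these quotes: every write or delete lands in a private layer, reads fall through to the real system, and discarding the layer leaves the system untouched. The `VirtualLayer` class, the paths and the registry-style keys are constructed for the example.

```python
# Added illustration: a toy copy-on-write layer over constructed sample data.
_DELETED = object()  # whiteout marker: "removed inside the layer only"

class VirtualLayer:
    """Redirects every change into a private layer over a read-only base."""

    def __init__(self, base):
        self._base = base      # the real system state; never mutated here
        self._layer = {}       # the "box" that captures all changes

    def read(self, key):
        # The layer wins; otherwise fall through to the untouched base.
        if key in self._layer:
            value = self._layer[key]
            if value is _DELETED:
                raise KeyError(key)
            return value
        return self._base[key]

    def write(self, key, value):
        self._layer[key] = value

    def delete(self, key):
        self.read(key)                 # raises KeyError if the key is not visible
        self._layer[key] = _DELETED    # hide it without touching the base

    def changes(self):
        # What the session tried to modify, for review before discarding.
        return {k: ("deleted" if v is _DELETED else "written")
                for k, v in sorted(self._layer.items())}

    def reset(self):
        self._layer.clear()            # throw the box away

def simulate_compromised_session():
    base = {
        r"C:\Windows\System32\drivers\etc\hosts": "127.0.0.1 localhost",
        r"HKLM\Software\Example\Run": "",
    }
    snapshot = dict(base)
    session = VirtualLayer(base)
    session.write(r"HKLM\Software\Example\Run", "unwanted.exe")  # autorun change
    session.write(r"C:\Users\alice\AppData\unwanted.exe", "payload bytes")
    session.delete(r"C:\Windows\System32\drivers\etc\hosts")
    seen_inside = session.read(r"HKLM\Software\Example\Run")
    report = session.changes()
    session.reset()
    return base == snapshot, seen_inside, report
```

In this model reads still fall through to the base, so the layer protects the integrity of the system, not the confidentiality of data the browser session can see.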
Citrix has been providing remote desktop solutions for a decade, and in recent years has moved squarely into the virtualization space with the acquisition of XenSource.
Roemer noted that Citrix XenApp and XenDesktop solutions currently enable users to virtualize their browser. “By virtualizing applications, we can virtualize any style application, even browsers, and have been doing it for over 10 years,” Roemer said.
Roemer also noted that a virtualized browser offers greater consistency by enabling better version control and control over the patch process. This helps corporate IT departments be aware of the state of the browser running on all systems company-wide.
While Citrix offers one approach to virtualization, another is the one utilized by Check Point’s Force Field software. With Force Field, there is a virtualization layer between the browser and the operating system that shields one from the other. Check Point has also layered in anti-phishing, anti-spyware and key logger jamming as part of the solution.
VMware also has a VirtualBrowser appliance based on its VMware Player technology, but it does not include integrated layered security. VMware was not available for comment by press time.
From Check Point’s perspective, the move toward browser virtualization by HP and sandboxing by Google is a sign of the times.
“This announcement from HP, as well as Google’s beta of Chrome, all emphasize the need for Web browser security and the value of using virtualization for Web browsers,” John Gable, director of product marketing for Check Point’s ZoneAlarm consumer division, told InternetNews.com.
Gable argued that ZoneAlarm ForceField also provides a level of security not included in Chrome or described in the HP announcement.
“Any browser, running natively or otherwise, is vulnerable to browser exploits that bypass its defenses to attack the PC and access user information,” Gable said.
“In addition to creating a virtualized browser session, ZoneAlarm ForceField also combines active security layers to provide users protection against phishing attacks
Google’s new Chrome browser isn’t creating a purely virtual Web browser, but it is creating a sandbox approach that is intended to protect users. The sandbox isolates browser processes and limits privileges in order to limit the scope of any potential risk spreading outside of a particular browser tab.
Google admits, however, that the sandbox approach alone isn’t enough to protect against all threats.
“Running a browser in an isolated, virtualized environment helps protect the system and local data from some security threats, but there are many security risks — such as phishing or cross-site scripting — that aren’t addressed,” a Google spokesperson said in an e-mail to InternetNews.com.
“Google Chrome’s sandbox helps protect you from exploits that may arise from processing untrusted HTML and JavaScript
At a deeper level though, there may be other simpler ways than sandboxing or virtualizing the browser in order to help protect users.
Ryan Barnett, director of application security at Breach Security, explained to InternetNews.com that the biggest problem with users surfing the Web with native browsers is that the user normally runs as Administrator. As a result, any malware that is able to exploit the browser runs with that level of privilege.
“Even if no other virtual/sandbox application was used, many of the browser exploits that attempt to download malware would not work if only the end-user logged onto the computer as a normal user.”