Beware of Browser-based Attacks

By Sean Michael Kerner

Browser-based attacks are increasing and “may pose the next significant security threat to IT operations,” a new survey from the Computing Technology Industry Association (CompTIA) warns.

“It’s an ongoing spy-versus-spy problem,” Randall Palm, director of IT services for CompTIA, told “The better we get at stopping one attack, the better they get at exploiting other vulnerabilities.”

Of 900 organizations surveyed, 36.8 percent said they were victimized by one or more browser-based attacks, up from 25 percent last year.

A browser-based attack is essentially malicious code contained within a Web page that appears harmless. The attacker uses the browser and the user's system permissions to sabotage or disrupt computer functions.

A number of browser-based vulnerabilities have been exposed, many of them affecting Microsoft’s Internet Explorer. Just last week, CERT flagged a yet-unpatched flaw that makes use of Compiled Help Files (CHM).

In February, a Frame Exploit was discovered that grabs keystrokes. Microsoft last patched Internet Explorer in February against the URL spoofing exploit.

Ken Dunham, director of malicious code at iDefense, was not surprised by CompTIA’s finding; his firm has also noted a dramatic increase in malicious code delivered via Web browsers.

“This should not be a surprise to anyone in the computer security world, but may surprise some home users,” Dunham said. “With the number of successful exploits against various IE vulnerabilities in recent months it’s a huge problem.”

Even with a patched and security-hardened system, a user could be successfully attacked by a new threat, he said. For example, ‘Ibiza.A’ beat virus and patch updates.

The CompTIA survey showed that virus and worm attacks remain the biggest security threat. However, the number of organizations that identified them as their most common security threat dropped by 11.4 percent to 68.6 percent.

Contrary to the CompTIA’s survey findings, other statistics show growing virus and worm activity, including March numbers from enterprise spam filtering company Postini.

Approximately 61.2 million messages out of 4.6 billion processed by Postini had viruses, up 6 percent from the previous month. The 9th Annual ICSA Labs Virus Prevalence Survey showed an increase in the number of virus attacks, though the number of infections has remained steady.

The CompTIA survey also shows a decrease in network intrusion as a threat, dropping to 25.2 percent from 39.9 percent.

The standard IT security troika of antivirus, firewall and proxy servers were the top three defenses, CompTIA found. The pervasiveness of antivirus applications was confirmed by the survey, which showed that 95.5 percent of respondents use the technology. Firewall and proxy servers were used by 90.8 percent of respondents, down 2.9 percent from last year.

Rounding out IT security technologies are security audits and penetration testing at 61 percent, system baselines at 51.4 percent and change control tracking at 44.3 percent.

The best tool for tightening security may well be users themselves. CompTIA’s survey showed 84 percent of organizations blamed human error (in part, or in full) for their last major breach, up from 63 percent last year.

“Security and human capital, more so than security and technology, should be given the highest priority by all organizations,” Palm said. “Human actions and knowledge are key to securing networks.”