Some scripting languages can now smuggle attacks past your traditional defences, warns Gunter Ollmann.
In recent years, there has been a marked shift in the number of attacks centred on the compromise of the desktop through web browser vulnerabilities.
These attacks typically rely on the user navigating to a website or, more often, a specially constructed web page that has been designed to exploit a vulnerability within the web browser or any plug-ins it may have installed.
Web browser vulnerabilities have been increasing each year and, due to the browser's relative sophistication and tight integration with other applications, are likely to become more important as a source of system compromise.
We have already observed various zero-day vulnerabilities in Microsoft's Internet Explorer and Mozilla's Firefox in the past few months. Also, vulnerabilities in plug-ins such as Apple's QuickTime and RealNetworks' RealPlayer are easily exploitable via the browser using code embedded within the page's HTML.
In most cases, they have been discovered with the help of fuzzers, which use an automatic trial and error method of changing variables within the HTML page until they identify a bug that causes the browser or plug-in to misbehave. The advantage is that they require only marginal development skills and, once a vulnerability is spotted, you already have the proof-of-concept exploit code.
Since exploitation of the vulnerabilities is quite easy, the most difficult problem for the attacker is persuading users to browse to their infected web page. The traditional vectors such as spam emails and seeded URLs in popular web forums continue to fool many people, but the attackers are getting more ingenious when it comes to where they place exploit code and which exploit they choose to use.
One trend has been to embed multiple exploits in a single scripted web page, which automatically identifies the web browser being used and cycles through all the exploits until it finds one that works. It then installs a bot or piece of spyware. Some of these pages contain more than 20 different exploits.
There is also a move towards using HTML page content automatically embedded in lots of websites, such as web banners and page hit counters. To protect against these vulnerabilities, most defence mechanisms have focused on regular expression matching to identify any exploit code embedded within the HTML page. In fact, the majority of traditional anti-virus signature-based engines have managed to stop well-known exploit material when it propagates around the web – assuming that users keep it up to date.
Unfortunately, the latest advances in web browser attacks include the adoption of scripting languages to purposefully obfuscate the attack in order to bypass these traditional defences. In these cases, the attacker takes the exploit code and encodes it in such a way that it is only after the web browser has executed an embedded script that the real exploit is dynamically built and executed to compromise the host. In this way, the attacker can use a near infinite number of permutations for encoding, and thereby obfuscating, their attack, easily bypassing signature engines.
To defeat these obfuscated attacks, more sophisticated defence technologies must exist on the host itself. Core defence technologies include those that provide a true virtualisation of the scripting language (so the code can be executed in a “safe” environment to monitor its behaviour); heuristics engines capable of identifying shellcode or probable binary content embedded within an HTML page (so the exploit payload can be identified); and, as a last resort, memory monitoring applications capable of identifying and stopping any buffer overflow exploits that might be in progress.
Given the frequency at which web browser or plug-in vulnerabilities are being discovered, and the relative ease in which it is possible to exploit or obfuscate them, it is unlikely that exploitation will decrease anytime soon.
If you are ever likely to browse dodgy or even mildly suspicious websites, now is a good time to double-check your host-based defences.