SearchMidmarketSecurity.com reader: Beyond patching, how can I avoid attacks that take place via a Web browser vulnerability?
Tom Chmielarski, resident security expert: A theme I find myself repeating is that security depends on layers -- be they technical or procedural -- as there is no single cure-all.
That includes patching, so what else can you do? Excellent question!
First, make sure you use the most recent major release of your browser of choice. This will help ensure you have all available security features beyond what are available in incremental patches. The use of phishing filters can also improve security by reducing the chances that one of your users will visit a malicious clone of a legitimate site.
All major browsers allow plugins to extend functionality; these plugins (a .pdf or Flash viewer, for example) can introduce vulnerabilities or can be malicious in nature. You should verify that all of the installed plugins are present, are still needed, and have been updated. Firefox, for example, provides a Plugin Check.
One layer of protection comes from not running an application with administrative privileges, unless that application really needs such access. A Web browser, however, does not need administrative access. If the user account has admin rights, then every application being run has those permissions and can change the operating system.
Using an account without administrative privileges prevents many Trojans and application exploits from fully executing. If you don't have permission from the operating system to modify a registry key, an application launched surreptitiously will face similar restrictions.
Yet, as a matter of convenience, end users frequently have administrative access. Even if an administrative account is available, usually to invoke as needed for intended changes (which may be hazardous, too), the number of accidental compromises is likely to decrease.
Next, consider host-based intrusion detection systems that will monitor Web traffic to identify and, hopefully stop, malicious actions. Many endpoint protection products have some capability in this area, but the effectiveness varies greatly between vendors. Access to a malicious website might cause your browser to download and execute a script or an executable. Your antivirus product should assist here, identifying and blocking those threats.
To combat a Web browser vulnerability, you should also consider which browser to use. Internet Explorer may be compatible with legacy applications that don't play well with other browsers, but it also tends to have far more vulnerabilities, and more known unpatched vulnerabilities, than others. You may want to research the vulnerability comparisons between the major browsers.
To help ensure that your most sensitive Web accesses are secure, you can use a dedicated Web browser for those activities. As an example, if you only use Chrome for banking, it is less likely that malware has attached itself to the browser via a plug-in or other means.
Lastly, you can use a virtual machine (VM) or a bootable CD (such as Ubuntu or UBCD4Win) to start with a known good OS and browser. That OS and browser may be out-of-date, and thus vulnerable, but the time to exploit them is limited to that usage session. Because any compromise of the browser or operating system will not persist to the next use, this option works well for ensuring your experience is secure (say, for a bank transaction) or to limit the risk from websites that are likely to contain malware.
Tom Chmielarski is a senior consultant with GlassHouse Technologies, Inc.
Send Tom your security questions.
Join us on LinkedIn.
This was first published in July 2010