Malicious Mobile Code: Virus Protection for Windows
By Roger A. Grimes
Chapter 9.  Internet Browser Attacks

9.1 Browser-Based Exploits

Microsoft reported a hundred vulnerabilities against their products in 2000 alone, most involving Internet Explorer. To Microsoft's credit, they maintain a nice security web site and publish security bulletins (see Figure 9-1) to warn end users. Microsoft's security web site and bulletins can be found at http://www.microsoft.com/security.

Figure 9-1. Example Microsoft security bulletin (image figs/mmc_0901.gif not reproduced)

For the most part, these holes have been closed, or will be closed by the time you read this book. The problem is that security holes keep being discovered at an alarming rate, and no less frequently than before. Learning about some of the past holes will teach you what to expect in the future. Having followed Internet browser security since its inception, I can tell you that many exploits will be back in some altered form. Chapter 9 does not discuss Java or ActiveX exploits, which are covered in later chapters.

Many exploits are available with little or no program coding. Some supposedly protected web sites, for instance, can be accessed by simple manipulation of the browser. The online banking site Barclays contained a web page that failed to make the user log back in once they had logged out. At a shared terminal, this meant that someone could walk up to the browser, hit the Back button, and have immediate access to the web site and someone else's account. Microsoft's super popular web email site, Hotmail, contained a similar bug. Clearing the browser cache of secure pages is important on shared computers.
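The logout flaw described above comes down to two server-side mistakes: the session is not invalidated on the server, and protected pages are served without cache-control headers, so the Back button (or a replayed cookie) still shows the account. The following is an added illustration, not code from the book or from either site; the session store, function names and page text are constructed for the example.

```python
import secrets

# Constructed in-memory session store: token -> account name.
# A real application would keep this in a server-side session backend.
SESSIONS: dict[str, str] = {}


def login(account: str) -> str:
    """Create a session and return the token the browser would hold in a cookie."""
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = account
    return token


def logout_weak(token: str) -> dict:
    """Flawed logout: only tells the browser to drop its cookie. The server-side
    session stays alive, so a replayed cookie (or a cached page) still works."""
    return {"Set-Cookie": "session=; Max-Age=0"}


def logout_strong(token: str) -> dict:
    """Corrected logout: destroy the session on the server and mark the response
    uncacheable so the browser will not replay it from its history cache."""
    SESSIONS.pop(token, None)
    return {
        "Set-Cookie": "session=; Max-Age=0",
        "Cache-Control": "no-store, no-cache, must-revalidate",
        "Pragma": "no-cache",
    }


def view_account(token: str) -> tuple[int, dict, str]:
    """Protected page. Always sent with no-store so the Back button cannot
    resurrect it from cache; returns 401 once the session is gone."""
    headers = {"Cache-Control": "no-store, private"}
    account = SESSIONS.get(token)
    if account is None:
        return 401, headers, "please log in"
    return 200, headers, f"balance page for {account}"


if __name__ == "__main__":
    # Simulate a second person pressing Back (replaying the old cookie) after logout.
    t = login("alice")
    logout_weak(t)
    print("weak logout, replayed cookie ->", view_account(t)[0])    # 200: still logged in
    t = login("alice")
    logout_strong(t)
    print("strong logout, replayed cookie ->", view_account(t)[0])  # 401: session gone
```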

Hacking without coding is more of an exception. Most exploits involve some sort of intentional, misdirected programming. The malicious programmer has to take what he knows about a particular programming language and imagine the ways it could be used to manipulate objects and browsers. Much like virus writers look for languages that can open, find, and write files, malicious web coders usually look for ways to interact with a browser object and a web language. The following examples will show you their creativity.

Malicious Mobile Code: Virus Protection for Windows (O'Reilly Computer Security)
ISBN: 156592682X
Year: 2001
Pages: 176