[Cialug] Security and the browser

David Champion dchampion at visionary.com
Tue Oct 21 09:46:02 CDT 2008


... and the wonderful side-effect of the tight integration of IE with 
the OS - if something causes your instance of IE to crash, it can cause 
any instances of Windows Explorer, your desktop, the taskbar, programs 
that use the standard file browser dialog etc. to lock up. They may or 
may not come back, and you may have to do a cold reboot.

I've seen articles describing how a malicious web site can cause IE to 
crash, creating a local DoS attack of sorts, even if they aren't using 
IE as an attack vector. For instance if you were able to infect a 
company's intranet site with code that causes everyone's PC to be 
unusable for a time, or to be rebooted every time they hit the site... 
that could cripple a company for a time.

When IE does lock up, I have been able to alt-tab to firefox or t-bird, 
and they work just fine while Windows is doing whatever it does behind 
the scenes to (attempt to) recover.

-dc

Josh More wrote:
> The biggest risk with IE is its tight integration with the OS.  Most
> of the vulnerabilities involve Active X and system libraries (mostly
> graphics).  Firefox is proof against these simply because it doesn't
> integrate with the OS at the OS level, so there is an abstraction layer
> that attacks have to get through.  That makes it harder both to attack
> and to do integrative tasks... one of the reasons that Windows Update
> only works with IE.
>
> The plugin architecture to both the new IE and Firefox does present a
> security concern, but most plugins should run sandboxed, so as long as
> you review them before installation, you should be fine.  A bigger
> concern with plugin proliferation is the consumption of system
> resources.
>
> My recommendation would be to disable IE as much as possible and
> replace it with Firefox.  In other words, keep IE around only for tasks
> that need the OS integration (Windows Update, custom apps) and use
> Firefox only for web browsing.  Use either system imaging or a PUA
> filter (Sophos provides this, but there are others too) to lock the Firefox
> configuration (plugins, themes, etc) to something reviewed and
> acceptable.
>
> The big advantage you get this way is somewhat improved security at the
> architecture level (abstraction layer) and significantly improved
> security at the application layer (if you pick the right plugins (like
> adblock)).  The big drawback is that you have to maintain patches for an
> additional system and its associated plugins.  There are likely third
> party tools to help manage this (PatchLink maybe?), but I can't
> recommend any from first hand experience.
>
> Whatever browser you use should be the latest generation to protect
> against phishing and known malware sites.  These technologies aren't
> perfect, but they're a lot better than having nothing... so at a
> minimum, you should ditch IE 6.
>
>
> -Josh More, RHCE, CISSP, NCLP, GIAC 
>  morej at alliancetechnologies.net 
>  515-245-7701
>
>>>> "Nathan C. Smith" <nathan.smith at ipmvs.com> 10/20/08 10:53 AM >>> 
>
> I've heard people say Firefox is "More Secure" than Internet Explorer,
> and while it seems to make sense at first, I do not believe that claim
> can be substantiated.  Firefox may have "less inherent risk" than I.E.,
> and that is where my question comes in.
>
> At work we use I.E. but we are looking at Firefox.  I have some
> reservations about manageability.  Our philosophy right now is that the
> single browser, I.E., is probably heavily targeted and has lots of
> problems but it is easily updated and attacks will become quickly known via
> different communities.  It is also "protected" through antivirus and
> anti-malware software.  If we were to allow Firefox and perhaps Chrome,
> there would be three very different vectors of risk all with different
> types of potential security holes/weaknesses.  We would in fact be
> "casting a wider risk net" by using all three or two browsers.
>
> I'm not looking to start a flame war, but rather an intelligent (and
> perhaps spirited) discussion of the weaknesses of different browsers and
> ways we can look at the risks involved to somehow compare the elements
> of risk between browsers.
>
> Some of the risk elements might include plug-ins, types of plug-ins,
> rendering engines, open-source v. closed source and whether a code
> review is possible, and the track record of the company supplying the
> product.  One unfortunate truth is that other products that contain the
> Internet Explorer engine are probably going to be subject to the same
> risks I.E. is when that product is running.
>
> -Nate
> _______________________________________________
> Cialug mailing list
> Cialug at cialug.org
> http://cialug.org/mailman/listinfo/cialug
