5.7.2 Browser Plug-in Vulnerabilities
Web browsers have frequently been forced to withstand the brunt of web-related
attacks; typically, attackers try to exploit one or more vulnerabilities on a web
browser so that they can use it as a conduit to get malicious software onto the victim’s
machine in the form of a drive-by download. However, attacks on web
browsers now seem to be going out of favour and are being supplanted by attacks
on browser plug-ins. With users constantly looking for a richer browsing experience,
more and more are augmenting their browsers with popular plug-ins.
To provide some perspective, according to volume XIII of the Symantec Internet Security Threat Report [63], during the second half of 2007 there were 88 vulnerabilities reported in Mozilla browsers, 22 in Safari, 18 in Internet Explorer, and 12 in Opera. In the previous six-month period, Internet Explorer was subject to 39 vulnerabilities, Mozilla to 34, Safari to 25, and Opera to 7. However, Symantec documented 239 browser plug-in vulnerabilities in the last six months of 2007, compared to 237 during the first six months. During the second half of 2007, 79 of these vulnerabilities affected ActiveX components, compared to 89 in the first half. These numbers clearly show that browser plug-in vulnerabilities far outnumber traditional browser vulnerabilities. Just one example of a plug-in-based vulnerability is described in [5.7.2].
5.7.3 JSON Vulnerabilities
JSON (JavaScript Object Notation) is a lightweight format for exchanging JavaScript object data between client and server. There are several important vulnerabilities involving JSON. They fall into two classes:
1. Attacks exploiting the fact that JSON responses can be included via SCRIPT tags, which evade the same-origin policy and allow data to be extracted from the returned objects. JavaScript can be requested from an arbitrary domain, and the results of inspecting the objects it returns can then be sent to an arbitrary domain. This allows an attacker, from a malicious web page, to have the victim's browser request personal data about that victim and then send it to the attacker's web server using, for example, an XMLHttpRequest. This vulnerability was used in 2006 when an attack allowing the theft of Gmail contacts was discovered [64]. Another example is CVE-2008-1318, an attack on MediaWiki [65]. This is a particularly important vulnerability for applications installed on a corporate intranet, which can leak data should a user visit a rogue site.
2. Attacks exploiting the fact that JSON objects are sometimes executed directly on the client, without validation, using the eval function. This is done for legitimate purposes to load an array into memory, but an attacker can include malicious code in the JSON request/response instead of just an array constructor.
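The two classes above, shown as code: an added example, not taken from the report, that puts the eval-based client beside a hardened one and adds a server-side guard against SCRIPT-tag inclusion. It assumes Node.js; the response bodies and the custom-header convention are constructed for the example.

```javascript
// Added example (not from the report): the eval-based JSON client the text
// describes, a hardened client, and a server-side guard for cross-site
// <script> inclusion. Assumes Node.js; all response bodies are constructed.

// Class 2 in the text: the response is "loaded into memory" with eval(), so any
// JavaScript an attacker manages to place in the body runs in the page's context.
function loadUnsafe(body) {
  return eval(body);
}

// Hardened client: JSON.parse only accepts data and throws a SyntaxError on
// anything executable. The server may also prepend an unparseable prefix
// (")]}',\n", a convention AngularJS's $http strips by default) so that the
// body is a syntax error when pulled in via <script src=...>; the legitimate
// XMLHttpRequest caller removes the prefix before parsing.
const ANTI_HIJACK_PREFIX = ")]}',\n";

function loadSafe(body) {
  const text = body.startsWith(ANTI_HIJACK_PREFIX)
    ? body.slice(ANTI_HIJACK_PREFIX.length)
    : body;
  return JSON.parse(text);
}

// Class 1 in the text: a <script> tag cannot set custom request headers, so a
// server that requires one (sent by the site's own XMLHttpRequest code) and
// prepends the prefix denies the data to a cross-origin script inclusion.
// Header names are assumed lower-cased, as Node's http module delivers them.
function serveJson(headers, data) {
  if (headers["x-requested-with"] !== "XMLHttpRequest") {
    return { status: 403, body: "" };
  }
  return { status: 200, body: ANTI_HIJACK_PREFIX + JSON.stringify(data) };
}

// Constructed sample bodies
const benignBody = '[{"name":"alice","email":"alice@example.invalid"}]';
// Hostile body: executable code placed in front of the expected array literal
const hostileBody = 'globalThis.leaked = 1; [{"name":"alice"}]';

function demo() {
  const viaEval = loadUnsafe(hostileBody);          // runs the smuggled statement
  let viaParse;
  try { viaParse = loadSafe(hostileBody); } catch (e) { viaParse = e.name; }
  return { viaEval, leaked: globalThis.leaked, viaParse };
}
```

Calling demo() shows the difference: eval returns the array but has already executed the statement in front of it (globalThis.leaked is set), while JSON.parse rejects the same body with a SyntaxError.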
Web 2.0 Security and Privacy
32