General Software and Scripting Vulnerabilities

5.7.2 Browser Plug-in Vulnerabilities

Web browsers have frequently been forced to withstand the brunt of web-related attacks; typically, attackers try to exploit one or more vulnerabilities in a web browser so that they can use it as a conduit to get malicious software onto the victim's machine in the form of a drive-by download. However, attacks on web browsers now seem to be going out of favour and are being supplanted by attacks on browser plug-ins. With users constantly looking for a richer browsing experience, more and more are augmenting their browsers with popular plug-ins. To provide some perspective, according to volume XIII of the Symantec Internet Security Threat Report [63], during the second half of 2007 there were 88 vulnerabilities reported in Mozilla browsers, 22 in Safari, 18 in Internet Explorer, and 12 in Opera. In the previous six-month period, Internet Explorer was subject to 39 vulnerabilities, Mozilla to 34, Safari to 25, and Opera to 7. However, Symantec documented 239 browser plug-in vulnerabilities in the last six months of 2007, compared to 237 during the first six months. During the second half of 2007, 79 of these vulnerabilities affected ActiveX components, compared to 89 in the first half. These numbers clearly show that browser plug-in vulnerabilities far outnumber traditional browser vulnerabilities. Just one example of a plug-in-based vulnerability is described in [5.7.2].

5.7.3 JSON Vulnerabilities

JSON (JavaScript Object Notation) is a lightweight format for exchanging JavaScript object data between client and server. There are several important vulnerabilities involving JSON. They fall into two classes:

1. Attacks exploiting the fact that JSON requests can be included in SCRIPT tags, which evade the same-origin policy and allow data to be extracted from the returned objects. This allows JavaScript to be requested from an arbitrary domain, and the results of inspecting the objects returned can then be sent to an arbitrary domain. In this way an attacker can cause a client visiting a malicious web page to request that client's own personal data and then send it to the attacker's web server using, for example, an XMLHttpRequest. This vulnerability was used in 2006 when an attack allowing the theft of Gmail contacts was discovered [64]. Another example is CVE-2008-1318, an attack on MediaWiki [65]. This is a particularly important vulnerability for applications installed on a corporate intranet, which can leak data should a user visit a rogue site.

2. Attacks exploiting the fact that JSON objects are sometimes executed directly on the client, without validation, using the eval function. This is done for legitimate purposes to load an array into memory, but an attacker can include malicious code in the JSON response instead of just an array constructor.
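As an added example (not code from the report), the following JavaScript contrasts the eval-based loading described in class 2 with a hardened client that parses responses with JSON.parse and requires a non-JSON prefix, a widely used server-side mitigation for the SCRIPT-tag inclusion described in class 1. The prefix value, the function names and the sample responses are this example's own assumptions.

```javascript
// Added example, not from the report: client-side handling of JSON responses
// that addresses both attack classes described in 5.7.3.
//
// Defence for class 1 (server side): every JSON response is prefixed with the
// non-JSON sequence ")]}',\n". A <script src=...> inclusion from a rogue site
// then fails with a syntax error before any array or object literal is
// evaluated, so there is nothing for a redefined constructor or setter to capture.
// Defence for class 2 (client side): the legitimate XMLHttpRequest caller strips
// that prefix and parses the remainder with JSON.parse, never eval, so a
// response carrying executable code is rejected instead of run.
const ANTI_HIJACK_PREFIX = ")]}',\n"; // assumed prefix; Google-style, not the report's

// Weak pattern the report describes: evaluating the response body directly.
// Any JavaScript in the body executes with the page's privileges.
function legacyParse(body) {
  return eval("(" + body + ")");
}

// Hardened parser: insist on the prefix, then JSON.parse the rest.
function safeParse(body) {
  if (typeof body !== "string" || !body.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error("response lacks anti-hijacking prefix");
  }
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length)); // throws on non-JSON
}

// Constructed sample responses (not real data).
const goodResponse =
  ANTI_HIJACK_PREFIX + '[{"name":"alice","email":"alice@example.org"}]';

// A body that is valid JavaScript but not JSON: a function call wrapped around
// the array. legacyParse executes it; safeParse rejects it with a SyntaxError.
let sideEffectRan = false;
function recordSideEffect(arr) { sideEffectRan = true; return arr; }
const poisonedResponse =
  ANTI_HIJACK_PREFIX + 'recordSideEffect([{"name":"alice"}])';

function demo() {
  const contacts = safeParse(goodResponse);           // parsed as plain data
  let rejected = false;
  try { safeParse(poisonedResponse); } catch (e) { rejected = true; }
  legacyParse(poisonedResponse.slice(ANTI_HIJACK_PREFIX.length)); // runs the call
  return { contacts, rejected, legacyExecutedCode: sideEffectRan };
}
```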