Schneier on Security
A blog covering security and security technology.
July 3, 2008
This excellent paper measures insecurity in the global population of browsers, using Google's web server logs. Why is this important? Because browsers are an increasingly popular attack vector.
The results aren't good.
...at least 45.2%, or 637 million users, were not using the most secure Web browser version on any working day from January 2007 to June 2008. These browsers are an easy target for drive-by download attacks as they are potentially vulnerable to known exploits.
That number breaks down as 577 million users of Internet Explorer, 38 million of Firefox, 17 million of Safari, and 5 million of Opera. Lots more detail in the paper, including some ideas for technical solutions.
EDITED TO ADD (7/2): More commentary.
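The paper's measurement method is, in essence, User-Agent classification over web server logs. As an added illustration (not code from the paper or from Google), here is a small version of that approach: it pulls the User-Agent out of constructed Apache "combined" log lines, maps each to a browser family and version, and counts how many fall below an assumed "most secure version" table (the `LATEST` values are illustrative assumptions, not figures from the paper).

```python
import re
from collections import Counter

# Constructed Apache "combined" log lines for illustration (not real traffic).
SAMPLE_LOG = r'''
203.0.113.5 - - [03/Jul/2008:07:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0"
203.0.113.6 - - [03/Jul/2008:07:02:12 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14"
203.0.113.7 - - [03/Jul/2008:07:02:13 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
203.0.113.8 - - [03/Jul/2008:07:02:14 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.9 - - [03/Jul/2008:07:02:15 +0000] "GET / HTTP/1.1" 200 512 "-" "Opera/9.50 (Windows NT 5.1; U; en)"
'''

# Assumed "most secure" (latest) versions; illustrative only, not the paper's table.
# Opera writes 9.5 as "9.50" in its User-Agent, hence (9, 50).
LATEST = {"Firefox": (3, 0), "IE": (7, 0), "Safari": (3, 1), "Opera": (9, 50)}

# Order matters: some browsers embed other browsers' tokens for compatibility.
UA_PATTERNS = [
    ("Opera", re.compile(r"Opera[/ ](\d+(?:\.\d+)*)")),
    ("Firefox", re.compile(r"Firefox/(\d+(?:\.\d+)*)")),
    ("Safari", re.compile(r"Version/(\d+(?:\.\d+)*) Safari/")),
    ("IE", re.compile(r"MSIE (\d+(?:\.\d+)*)")),  # IE exposes only major.minor; patch level is invisible here
]
# In the combined log format the User-Agent is the last double-quoted field.
UA_FIELD = re.compile(r'"([^"]*)"\s*$')

def user_agent(line):
    m = UA_FIELD.search(line)
    return m.group(1) if m else None

def classify(ua):
    """Map a User-Agent string to (family, version tuple), or None if unrecognised."""
    for family, pat in UA_PATTERNS:
        m = pat.search(ua)
        if m:
            return family, tuple(int(x) for x in m.group(1).split("."))
    return None

def measure(log_text):
    """Return (classified requests, outdated requests, Counter of outdated per family)."""
    total, outdated, per_family = 0, 0, Counter()
    for line in log_text.strip().splitlines():
        ua = user_agent(line)
        hit = classify(ua) if ua else None
        if not hit:
            continue  # bots, curl, unknown browsers: not counted either way
        family, version = hit
        total += 1
        if version < LATEST[family]:  # tuple comparison handles 2.0.0.14 < 3.0
            outdated += 1
            per_family[family] += 1
    return total, outdated, per_family

if __name__ == "__main__":
    total, outdated, per_family = measure(SAMPLE_LOG)
    print(f"{outdated}/{total} requests from non-current browsers: {dict(per_family)}")
```

Because the MSIE token carries no patch level, this method alone cannot tell a fully patched IE7 from an unpatched one, which is why the paper needed a second data source for IE minor revisions.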
Posted on July 3, 2008 at 7:02 AM
"...including some ideas for technical solutions."
That's nice. Many papers don't seem to get as far as suggesting solutions.
Helpful site: "This paper will help you configure your web browser for safer internet surfing. It is written for home computer users, students, small business workers, and any other person who works with limited Information Technology (IT) support and broadband (cable modem, DSL) or dial-up connectivity. Although the information in this document may be applicable to users with formal IT support as well, organizational IT policies should supersede these recommendations. If you are responsible for IT policies for your organization, please consider implementing these recommendations as part of your policy."
One of the authors of the paper blogged about some of the excuses people are using for not upgrading to the most recent browser versions and why they didn't class still-supported Internet Explorer 5.x and 6.x as being "secure". The blog is found at http://blogs.iss.net/archive/...
Why not run a new version of FF and NoScript? Has there been some decrease in NoScript's effectiveness under FF3?
Regarding the paper --
I found it amusing that they call their ideas "technical suggestions". I think of them more as usability suggestions, implemented technically. The knowledge areas that are relevant are those that focus on how humans work (cognitive psych, sociology, maybe anthro), not so much those that focus on how things work (engineering, CS).
One complaint on the method used is that they need to play some games because IE7 doesn't put a minor rev in the USER-AGENT. Thus, they have to measure the distribution of IE7 subtypes using a different data source. IMNSHO this doesn't detract from the paper that much, but if you are concerned about IE-specific conclusions, it may matter more to you.
Since I'm lazy I'll probably stick with the FF2 branch until either the auto-update offers it to me or the Mozilla devs stop pushing security fixes back into it, which will be until about December according to this article:
I found the analysis interesting but noticed an assertion that bothered me - "The migration between major versions was found to be generally a slow process, except for Apple’s Safari SF3 which surpassed 60% share within 3 months of its release - likely influenced by Apple’s controversial inclusion of the new Web browser in the auto-updates of other popular Apple software products". The problem with the assertion is that it was "likely influenced by Apple's controversial inclusion..." If the authors had bothered to check with the timeline of Mac OSX updates they would have noticed each of the incremental SF3 gains coincided with updates to Mac OSX 10.4. The first major release of SF3 for 10.4 was with the 10.4.11 update released in November 2007 (http://www.apple.com/support/downloads/index5.html). This appears to explain the sudden increase in SF3 usage the authors present in "Figure 2: Upgrade dynamics...". This explanation, in my opinion, tends to undermine the credibility of the entire report, at least as applied to SF3.
I'd call foul on the implication on which that paper is based - that the most up-to-date version of a browser correlates with increased security.
I consider that while 'more up-to-date' may mean that a set of known old bugs in that browser may have been fixed, more-up-to-date can also mean 'contains new bugs' or 'includes new features [which may contain new bugs]'.
I guess I'm safe then. I used the most recent version of my browser, NCSA Mosaic.
I use FireFox v3 with the "Adblock Plus" and "NoScript" add-ons.
By default, pop-up windows are blocked.
It seems to work for me.
I disagree with this point: "Regarding speed for upgrading to the next major browser version, Firefox, Safari and Opera users clearly outperformed Internet Explorer users . . . . Considering that Microsoft offers Internet Explorer 7 as an auto-upgrade . . . it is rather surprising to see how slow the migration to the most secure version has been."
Leaving aside the fact that Windows Update has a nasty habit of forcing reboots, which means most folks are very careful about when they use it, and any decisions by Microsoft about whether or not to update bootleg copies of Windows, there's a deeper issue here.
In a business context, auto upgrades bring with them the risk of breaking an entire user population all at once if the upgrade goes poorly. Also, there's the cost of retraining users to the latest UI changes: your help desk could be completely and suddenly buried under "where'd my Favorites menu go?' calls, preventing it from handling real, business-risking crises. While they're effective for general users, in a business environment many IT departments disable or discourage auto updates.
There are a lot of other factors involved in software vulnerabilities besides just the technical ones. And, we techies need a better approach than running around madly patching the bugs after they show up in the wild.
Yes, there's often a considerable overlap during which the second-to-last major release of a software product is still fully supported, and the newest version has been subjected to only limited analysis and attack. Beta releases reduce the latter problem, but during this period it's basically anyone's guess which is better.
Once a version goes out of support I'd be inclined to ditch it: sure it'll be immune to exploits based on new technologies, but any other vulnerabilities discovered in it will *never* be fixed. At least with supported versions, the bad guys are shooting at a moving target.
So while best practice is generally to take minor patches ASAP (since working exploits often follow fast behind them), major version upgrades are a bit less clear-cut. Usually there's no compelling need to upgrade immediately, but also no strong grounds not to.
Of course, if you're going to stick strictly to the view in the report, then consider that IE is to some degree an integral part of Windows. They could have ruled that IE7/XP is no longer "the latest version", and only counted IE/Vista as "the most recent release". That would reduce IE's proportion still further, and you can have the argument all day as to whether Vista is a security upgrade from XP...
I thought you were stating a reason to stay with FF2. Now I realize you were just saying that FF2+NoScript is better than FF3 by itself. I completely agree.
Given the negligible effort required to add NoScript to FF3, which to me seems quite an improvement over FF2, I prefer to run FF3+NoScript. De gustibus non disputandum, as they say.
I use a really old Firefox (version 1.something) with a few script-and-adblockish plugins of that era. I've never had any problems, and I suspect it's because my browser version is not used by many other people and so it's not worth the effort to find binary exploits in it. The malware guys are all focused on the popular versions of the browsers.
I also don't patch my OS (except when a service pack comes out), and again, I disabled all the useless and dangerous stuff the day I installed it and have auto-updates turned off, so the attackable surface of this box is pretty small and automated vulnerability scanners can't seem to find anything in it. I've been running this box for about 4 years now with absolutely no problems. Whenever I scan it for viruses or spyware or whatever, nothing comes up. It's been rock-solid stable too--since there's no crapware installed, performance is very predictable (on boot there are about 10 processes running using only 56 MB of RAM, which I guess is pretty small for Windows XP).
Lynx has a few problems, seen 'em here and there, not all reported on secunia or mitre. Grr, wish it was easy to fix these little things. $ spent on ~perfecting lynx seems worth it to me. Firefox, not spend a penny.
Firefox is always vulnerable ~24x7x365.25. X windows is also p r o b l e m a t i c. Lots of other stuff around.
Funny, the Gov will spend infinite money chasing bits, but will not fix the problem. Grr.
Do you run a proprietary video driver? Uh oh!
Do you run a proprietary multimedia plugin ? Uh oh!
Do you run a proprietary web browser? Uh oh!
Do you run a proprietary operating system? Uh oh!
Stupid people perpetuate stupid mistakes
Thoughts no one in particular needs to hear:
- All browsers should be able to run with limited privileges, as IE/Vista can.
- Browsers seem to be hiding a fair amount of cruft that's rarely used but could hide holes. We shouldn't be afraid to mildly inconvenience the few folks who actually use these features if it makes security substantially better for the rest of us (think XUL in webpages in FF, or any of the ActiveX controls still marked "Safe for Scripting" in IE).
- Cross-domain access seems to be a theme of attacks (e.g., iframe attacks) -- although if we locked down the cross-site security model, it might be that attackers would start serving their exploits right from the domain where they now insert an iframe.
- Part of the solution, although distasteful, may be whitelists: some trusted domains get to be targets of cross-domain links, others don't.
- A big part of the solution may be protecting the servers.
- Figure 6 in the paper seems to suggest that *sites* tell users when their browsers are out of date even if the browser maker won't. 'Sbrilliant!
Browsers should have the option of auto-downloading updates and patches for end-users. That would go a long way to helping people stay up-to-date. Presumably most people have no idea how to update their browsers.