Monday, July 26, 2010

Google on browser and plugin attacks and defenses

Chris Evans of Google presented a talk on browser and plugin attacks. Ian Fette (also of Google) talked about the blacklisting approach and its value in browser security in the same talk (at 30:00).

Some interesting highlights:
  • The talk shared the plugin distribution among users of Chrome v4.1:
    • 97%: Flash
    • 86%: Adobe Reader
    • 66%: Java (only 14% were fully up to date)
    • 53%: Windows Media Player
    • 49%: Silverlight Plug-in
    • 39%: Quicktime Plug-in
  • The speaker has most of his plugins disabled, to reduce the vulnerability surface in his browser -- he recommends the same for users.
  • Websites can request that an old version of Java be installed on the fly, basically allowing websites to put security holes in your system that you did not have. Java is so powerful that it's essentially impossible to sandbox, and its cross-platform capabilities mean you can write an exploit once and it will work on every OS. Only 14% of users were fully up to date with Java.
  • All browsers are working on various defenses against these attacks, including sandboxing, warning about out-of-date plugins, or bundling some plugins so they can auto-update them. Ian talks extensively about the blacklist approaches (such as Google Safe Browsing in Firefox, Safari and Chrome, and SmartScreen Filter in IE8) to mitigate zero-days and social engineering malware.
  • There are approximately 500,000 URLs in the Google Safe Browsing lists at any time, and the lists are delivered to hundreds of millions of users.
  • About 50% of users ignore the phishing or malware warnings in Chrome, even though Google has very high confidence when it adds something to the lists, since it uses virtual machines to verify, e.g., malicious websites.

Full video here

Friday, July 16, 2010

SecBrowsing becoming an official part of Chrome

Last month the Chrome team announced a number of security features regarding plug-ins, including the integration of the SecBrowsing features in the browser. Here's the relevant snippet from the blog post (http://blog.chromium.org/2010/06/improving-plug-in-security.html):

"Protection from out-of-date plug-ins: Medium-term, Google Chrome will start refusing to run certain out-of-date plug-ins (and help the user update)."

The blog post enumerates all the current and upcoming security features in Chrome regarding plugins:
  • More powerful plug-in controls
  • Autoupdate for Adobe Flash Player
  • Integrated, sandboxed PDF viewing
  • Protection from out-of-date plug-ins
  • Warning before running infrequently used plug-ins
  • A next generation plug-in API
As of Chrome v6.0.466.0 (developer channel as of July 15, 2010), SecBrowsing is partly integrated in Chrome. In "about:plugins", any plugins missing security updates are shown with a warning and a link to get the latest version. There is no active warning anywhere yet, but that's definitely coming up soon.