Monday, July 26, 2010

Google on browser and plugin attacks and defenses

Chris Evans of Google presented a talk on browser and plugin attacks. Ian Fette (also of Google) talked about the blacklisting approach and its value in browser security in the same talk (at 30:00).

Some interesting highlights:
  • The talk shares the plugin distribution among users of Chrome v4.1:
    • 97%: Flash
    • 86%: Adobe Reader
    • 66%: Java (only 14% were fully up to date)
    • 53%: Windows Media Player
    • 49%: Silverlight Plug-in
    • 39%: Quicktime Plug-in
  • The speaker has most of his plugins disabled, to reduce the vulnerability surface in his browser -- he recommends the same for users.
  • Websites can request an old version of Java to be installed on the fly, effectively allowing them to introduce security holes that your system did not previously have. Java is so powerful that it's essentially impossible to sandbox, and its cross-platform capabilities mean you can write an exploit once and it will work on every OS. Only 14% of users were fully up to date with Java.
  • All browsers are working on various defenses against these attacks, including sandboxing, warning about out-of-date plugins, or bundling some plugins so they can auto-update them. Ian talks extensively about the blacklist approaches (such as Google Safe Browsing on Firefox, Safari and Chrome, and SmartScreen Filter for IE8) to mitigate zero-days and social-engineering malware.
  • There are approximately 500,000 URLs in the Google Safe Browsing lists at any time, and the lists are delivered to hundreds of millions of users.
  • About 50% of users ignore the phishing or malware warnings on Chrome, even though Google has very high confidence when it adds something to the lists, since it uses virtual machines to verify, e.g., malicious websites.

Full video here