DUE DATE EXTENDED TO MONDAY AT 11 PM.
Most users access the Internet through a web browser. But we have learned that even if we are using the HTTPS protocol it cannot protect us from lots of bad, bad browser based stuff.For this week's blog we will wrap up our unit on web application security by looking at browser based vulnerabilities.
My article is about the BEAST (Browser Exploit Against SSL/TLS) and how it exploits a weakness in the SSL 3.0/TLS 1.0 protocols to break the encryption on your session. The scientists who proved the vulnerability have published the info AND they have shown that TLS 1.1 or 1.2 would be effective encryption. However, most web browsers and web servers have not shifted to the safer protocols because the expense and trouble are significant. There is a graph in the article that shows exactly how little TLS 1.1 / 1.2 are being used. I tried implementing TLS1.1 on my computer for IE9, Chrome and Firefox - only IE9 even lets you make that change, but when I tried to access https sites with TLS1.1 set, the sites gave me an error message. The article advises to practice safe surfing, but I'm not sure that helps when you are talking about ecommerce.
http://www.pcworld.com/businesscenter/article/240933/hackers_crack_internet_encryption_should_you_be_worried.html
You need to find a news article about a web browser vulnerability. Write several sentences to explain the vulnerability, how it was used or can be used to attack and if there is any solution. Make sure you understand the article and summarize it in simple terms.
7 comments:
http://www.pcmag.com/article2/0,2817,2401392,00.asp
Recently, at a hacking competition CanSecWest Pwn2Own, a hacking team exploited two zero day attacks on Internet Explorer 9: a heap overflow bug and a memory corruption flaw. They were able to take full control of a Windows 7 machine by successfully getting their own code to run outside of the sandbox environment IE9 intends to create. A user can become victim to this attack just from viewing a site infected with code to exploit these vulnerabilities. So the only prevention against this is to be careful when choosing sites to visit. Microsoft plans to release a patch as soon as they can which should render this attack useless.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0079
The article that I picked explains how Firefox is one of the most vulnerable web browsers out. Vulnerabilities in the browser allows many remote attackers to create a denial of service attack. The only fix to this problem that Mozilla has released are patches. Many of the plugins that Firefox uses are vulnerable. This just proves to show that when you think you are safe, you most likely are not. You just have to be careful of what sites you connect to and what browser you use.
http://www.hyphenet.com/blog/2012/03/09/secunia-issues-advisories-for-2-unpatched-safari-web-browser-vulnerabilities/
My article happens to be very recent, from March 9th 2012, and is about Apple's Safari browser. Secunia is a Danish vulnerability tracking firm that has been notifying Apple about Safari's address bar spoofing vulnerability. Basically, when an error occurs in processing, the "setInterval()" function can be exploited. When used effectively, the hacker/spoofer can show any content he wants to the user/spoofee, while still under a trusted URL. Secunia writes that Apple has stated that they would look into it, but have made no move to patch this vulnerability since it was reported to Apple over 8 months ago.
http://www.zdnet.com/blog/security/internet-explorer-9-haunted-by-critical-security-vulnerabilities/9590
This article explains a few critical IE9 vulnerabilities. One of the vulnerabilities is that it could allow remote code execution. This could happen if someone opens a crafted font file (.fon) or an email attachment. Also another vulnerability could be exploited if you go to a specially crafted web page. The attacker could be given the same user rights as the local user. The best solution to these vulnerabilities is to keep your browser updated and to be careful with the websites you visit.
http://news.cnet.com/Browser-bugs-hit-IE/2100-1002_3-6089817.html?tag=lia;rcol
In 2006 Internet Explorer (IE) was found to have another security flaw. This flaw could be exploited by using cross-site scripting. This form of scripting can allow an attacker to swipe valuable information over IE. No know serious attacks have been know to have happen. And IE already installed the latest patches to fix this vulnerability.
http://www.zdnet.com/blog/security/pwn2own-2012-ie-9-hacked-with-two-0day-vulnerabilities/10621
My article describes how a French security research team was able to use two zero-day vulnerabilities to exploit a completely patched Windows 7 SP1 machine. The attack had two stages to it. First, it uses one vulnerability to execute some code which loads a second piece of shellcode, bypassing IE9's sandboxed Protected Mode. The researchers claim that their vulnerability will work with all versions of IE, from IE6 all the way to the consumer preview for IE10.
Post a Comment