Earlier this year, French security firm VUPEN netted a whopping $400, 000 in the HP Tipping Point’s Zero Day Initiative as an annual hacking contest hosted by Pwn2Own. As the name would suggest, the aim for participants was to reveal zero-day vulnerabilities to win outrageous cash rewards.
Here is a breakup of how this popular security firm earned money in the contest.
Irrespective of the standard you measure it in; this is huge money, even for a firm of VUPEN’s stature. This contest actually resonates with the security experts’ calls about browser vulnerabilities getting difficult to locate, eating up a large chunk of research resources.
An analogical explanation of browsers would be something like a virtual gateway, which helps users make most out of their internet experience. They help them connect with everything else on the network. Now just like any other chunk of code, browsers are also vulnerable to maliciously written codes that find loopholes in the developer’s architecture.
As a matter of fact, cybercriminals are constantly looking for browser vulnerabilities. In 2014 alone, 653 vulnerabilities were discovered in 5 of the most popular browsers including Mozilla Firefox, Google Chrome, and Microsoft Internet Explorer, while Google Chrome remains the top used browser for 2014.
Although browser developers introduce patches quite frequently, the situation is still troublesome for many organizations around the world.
The sophisticated piece of code makes changes to the homepage, favorite pages, and even search pages. Some of them even change internet settings and block certain features or access privileges. Redirection is also common. Applications are usually at higher exploitation risk.
Now given the nature of these symptoms, most people do not really look into the underlying cause and that’s where they get dangerous. POODLE or the Padding Oracle on Downgraded Legacy Encryption has been the worst of all attacks in the past. This particular bug is also known as CVE-2014-3566 and it compromises protocol security level, which can be further used to penetrate SSL or Secured Socket Layer. It is something that most of us blindly trust as security assurance.
There are a dozen different options freely available to users, but which one of these is absolutely bulletproof against every kind of attack? Well, according to Skybox Security, there is no single answer to that question. Every browser has its own merits and demerits. Picking one is impossible. However, most security experts and users agree that IE has got the most critical security issues and is years behind others.
As for the other browsers, none of them can guarantee the safety and that is where awareness comes into play. Following are a few of the tips that help with browser safety.
For individual users, risks are usually limited to their own data and money, but on the other hand, organizations face huge risks like defacement and data theft through browser vulnerability, which increases the need to countermeasures.
Organizations or website owners should utilize strong security audit programs, both automated and manual for enhanced security. This will ensure their safety even against client browser vulnerability like the JPEG buffer overflow experienced in the past using Internet Explorer. This vulnerability was exploited by crafting a JPEG image with an invalid header to target payload against XSS issues.
Founder & Chief Marketing Officer, Indusface
Venky has played multiple roles within Indusface for the past 6 years. Before this, as the CTO @ Indusface, Venky created the product/service offering and technology team from scratch and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in the security industry and had held various mgmt/leadership roles in Product Development, Professional Services, and Sales @Entrust.