Vulnerabilities in Web Browsers

Dhruwajita Devi, Dhrubajyoti Pathak, and Sukumar Nandi

Department of Computer Science and Engg. Indian Institute of Technology, Guwahati, India {dhruwajita.devi,drbj153,sukumar}@iitg.ernet.in

Abstract. Web browsers are software applications that are used to access information from the World Wide Web. With their wide usage and increasing popularily, it has become one of the major targets for exploitation for the hackers. A small mistake during design, implementation and conguration of a software code will leave it vulnerable to intrusions. In this paper we give a taxonomy of vulnerabilities of windows Internet explorer and Mozilla Firefox browsers based on methods employed for attack generation and consequences of such exploits. We survey the latest vulnerabilities in the Internet Explorer and Mozilla Firefox browsers and version of browsers they aect. An analysis of each group is also given and remedial measures to be taken is also discussed.

Introduction

Web browsers are the intermediary applications between a user and the world wide web. Understanding of browser vulnerability requires the knowledge of architectural design of browsers. Basically a browser is a software or software application program which is used for retrieving information resources on world wide web. It consists of three main parts : i) controller ii) client program and iii) interpreter.[7] The controller handles the other two parts i.e client program and interpreter. A controller takes inputs from the standard input devices and uses a client program (http. ftp, telnet etc.) to access a document. As soon as the document is accessed, controller uses an interpreter (html, cgi or java etc.) to display it on the screen . Hence, it acts as an interface between a user and the world wide web. Vulnerability is the weakness or design aw of a software program which can be used by an attacker to degrade system performance or to get unauthorized access by exploiting (exploit is a piece of computer program or chunk of data etc.) it. Likewise, a web browser vulnerability is a aw in the browser software which can be used by an intruder to exploit the respective browser. In this paper, we have done a thorough survey on the existing vulnerabilities in windows Internet Explorer and Mozilla Firefox browsers and have classied the same. Section 2 describes the architecture of the popular web browsers. Section 3 describes their vulnerabilities in detail and nally we conclude with our recommendations in the last section.

Vulnerabilities in Web Browsers

Architecture of Web Browsers

Before going to the details of vulnerability we are giving an overview of architectural foundation of Internet Explorer and Firefox. 2.1 Internet Explorer

Internet Explorer has a modular architecture[1] which enables the reuse of its components and developers to enhance and extend the browsers performance. The main components of IEs architecture are shown in the Figure. 1. IExplore.exe : It is a small component that is dependent on the other main components of IE . The main job of this component is rendering, navigation, protocol implementation,and so on. BrowseUI.dll : This dll is referred to as the chrome and provides the user interface to IE. It includes the IE address bar, status bar, menus, and so on. ShDocVW.dll : It is a core component of IE and is a 32bit dll, protected by the OS. Since IE is integrated with Windows OS, ActiveX Control interfaces are hosted by this dll. It provides navigation and history. Microsoft Word, Microsoft Excel, Microsoft Visio, and many non Microsoft applications also expose active document interfaces so they can be hosted by it. MSHTML.dll : It takes care of HTML and Cascading Style Sheets (CSS) parsing i.e., it is responsible for rendering web pages. It is also a 32bit dll. MSHTML.dll exposes interfaces to host, as an active document. MSHTML.dll may be called upon to host other components depending on the HTML documents content.

Figure 1. Architecture of Internet Explorer

Figure 2. Architecture of Mozilla Firefox

Vulnerabilities in Web Browsers

UrlMon.dll : It provides functionality for MIME handling and code download. WinInet.dll : Windows Internet Protocol handler. It implements the HTTP and FTP protocols along with cache management. 2.2 Mozilla Architecture

User Interface : The User Interface layer is the upper layer of the browser which provides setting up conguration of the browser, handling the visualization of the web pages, web page bookmark and saving options. The User Interface consists of two sub layers User Interface and Cross Platform Front End(XPFE). XPFE is a development tool based upon XML and allows to develop dierent Mozilla application such as Firefox, Thunderbird. Most part of Mozilla Firefox are written in XUL(XML User interface Language), HTML and CSS.[2][3] Gecko : Gecko consists of a browser engine and rendering engine. The browser engine acts as a high level interface to the rendering engine, provides dierent browser action like Back, Forward, Reload and Stop along with dierent error message. The rendering engine comprises of various components : HTML Parser : It parses the HTML document and generates the layout for web pages. XML Parser : It parses the XML document which is responsible to display in the user interface. JavaScript Interpreter : It interprets JavaScript. Content Model : It arranges parsed web page data based on Document Object Model. Image Loader : It is responsible for loading images in the web page. Style System : It parses the CSS data in the document retrieved. Frame System : It designs the frames from the data of Content Models DOM elements and create the visual layout of the web page. Graphic Model : The graphical interface provides primitive drawing and native window method of the host operating system. Necko : Necko in Mozilla is a network component consisting of networking libraries. Necko is responsible for all network communication, security and the representation of dierent format of data. It comprises of the following parts: Application, URI Object, Network Service, Protocol handler, Protocol connection, File/Socket Transport, NSS. NSS library provide communication support of dierent application in cross platform. It also provides implementation of Secure Network communication such as SSL, S/MIME and other Internet Security Standards. XML parser : It is used to parse XML documents like HTML, MathHTML, SVG, RDF and XUL. In Mozilla Firefox XML parser is based on Mozilla Expat parser which is included in Gecko. JavaScript Interpreter : This component executes the JavaScript code embedded in a webpage. It includes SpiderMonkey which is a C implementation of JavaScript. In Mozilla Firefox JavaScript interpreter is strongly included in Gecko.

Vulnerabilities in Web Browsers

Data persistence :The Data Persistence component manages user data in a persistent and secure manner.

Vulnerabilities in Web Browsers

In this section, we classify the vulnerabilities that exist in Internet Explorer and Mozilla Firefox based on the impact of the exploit and its symptoms. We group the vulnerabilities into 4 categories as CrosssiteScripting, Denial of Service, Buer Overow and Remote Exploitation attacks. Each of these classes have been discussed in detail in the next 4 subsections. 3.1 Cross-site Scripting (XSS) Vulnerability

The main cause of cross site scripting vulnerability is dynamic web pages. Whatever web pages are generated by the web server, it is up to the client browser to interpret the page. If it is a static web page it will not be a easy job for the attacker to inject something malicious in the page because the server will have the full control over how the client browser will interpret it. But in case of dynamic pages server does not have full control over it. So, it leaves behind an opportunity for the attacker to inject some malicious code which can be detected neither by the server nor by the client browser interpreter[10]. Therefore, client browser will interpret it as a legitimate page and will access the link of that page though it is infected[11]. This is how cross-site scripting takes place. It is also known as XSS. Stealing information through Browser Vulnerability will also belong to this category. It involves Internet Explorer 7 on all versions of Windows XP; It does not aect IE 8. However, IE8 running in Windows Vista (not SP1) is vulnerable to this attack, if its Protected Mode is turned o.[6] XSS scripting attack via an embedded SVG document is one of these vulnerabilities exist in Mozilla Firefox.Mozilla refox 3.0.x[15] before 3.0.18 and 3.5.x before 3.5.8 are aected with this vulnerability but it is xed in Firefox 3.6, Firefox 3.5.8, Firefox 3.0.18.[20] 3.2 Denial-of-Service (DoS) Vulnerability

The main cause of DoS vulnerability in web browsers is innite looping in JavaScript[8]. And as there is no limitation on windows a JavaScript can open on the monitor. Taking advantage of this feature, a hacker can inject malicious code to open the window repeatedly. It creates a DOS attack on the victim machine. This attack prevents legitimate users from accessing information from a server or from some other machine. When a user clicks a malicious link using a browser the attacker ood it with responded web pages, as a result the browser halts[11]. This attack is possible in IE 6/7/8 according to a recent experiment on 2010/01/18 having platform Windows XP SP3 English and Windows 7. Firefox version 3.5.x before 3.5.8 are aected but xed in Firefox 3.6, [19] Firefox 3.5.8.

Vulnerabilities in Web Browsers

Mozilla Firefox Document.Cookie Path Argument Denial of Service Vulnerability is prone to this kind of vulnerability having version 2.0.0.2. Web Worker Array Handling Heap Corruption Vulnerability with verson 3.5.x. 3.3 Buer Overow Vulnerability

Buer overow vulnerability occurs due to boundary checking error. If the buer takes the user supplied input which is greater than the buer size, there will be a buer overow vulnerability. In IE this bug takes advantage of the way it handles long string written in JavaScript code[9]. As a result the browser crashes, potentially compromising malicious code. Heap based vulnerability say for e.g. the IFRAME vulnerability or the HTML Elements Vulnerability belong to this category.[14] Internet Explorer 6.0 on Windows XP SP1 (fully patched) and Windows 2000 (fully patched) is vulnerable. Firefox version 3.0.x before 3.0.15 and 3.5.x before 3.5.4 are aected. Fixed in Firefox 3.5.4, Firefox 3.5.4.[19] 3.4 Remote Code Execution or Memory Corruption Vulnerability

Most of the browsers are vulnerable to remote code execution and memory corruption. Some of the recent vulnerabilities of this type that are exist in these browsers are listed below: HTML Object Memory Corruption Vulnerabilities This vulnerability is associated with a pointer of a deleted HTML object. Intruder can use the pointers of deleted objects to run arbitrary code[12]. It is due to incorrectly initialized memory and improper handling of objects in memory. This remote exploit took place in December 2009 and January 2010 during Operation Aurora[5]. It is also called Useafterfree vulnerability .The famous Aurora attack belongs to this category. Uninitialized Memory Corruption Vulnerability and HTML Rendering Memory Corruption Vulnerability are also same as Object Memory Corruption Vulnerability. These vulnerabilities exist when IE accesses an object which is not initialized correctly or has been deleted[16]. Intruder may take advantage of this vulnerability to exploit the browser if a user visits a web page which is specifically crafted. Successful exploitation may result in gaining the same privileges as the current logged on user. Based on the user privileges, an intruder could install programs. She can view or change or delete data; or can create her own accounts with full rights. Race Condition Memory Corruption Vulnerability The cause of this vulnerability is a bit dierent. The way IE accesses an object that may have been corrupted due to a race condition may invoke its existence[16]. Its Exploitation and the consequences are similar to the HTML Object or Uninitialized memory corruption vulnerability.

Vulnerabilities in Web Browsers

Memory Corruption Vulnerability When IE manages a long URL in certain situations, this type of vulnerability exist[13]. Whatever vulnerabilities are mentioned upto now in this category, exists in windows versions i.e. IE5/6/7/8 of windows 2000,2003,XP, Vista,7 respectively are aected with this vulnerability[16].

Post Encoding Information Disclosure Vulnerability An information disclosure vulnerability leaks sensitive information. It occurs while submitting data to the server. Exploitation may occur if a user visits a web page which is specifically crafted to take advantage of these vulnerabilities[16]. Successful exploitation of this vulnerability could result in an attacker viewing content from the local computer or another browser window in another domain or Internet Explorer zone. This is also called HTML Element Cross-Domain Vulnerability. IE 5/6/7 are aected by this vulnerability[18].

Microsoft Internet Explorer iepeers.dll Remote Code Execution Vulnerability This vulnerability is related to iepeers.dll which is Microsoft Internet Explorer library. Internet Explorer 6 and 7 are aected by this vulnerability,[17] while IE 5 and 8 are not aected. The vulnerability exists due to an invalid pointer reference being used within Internet Explorer. In certain conditions when an invalid pointer tries to access an object which is already deleted, it leads to this vunerability. This may result in remote code execution. As of now a patch is not currently available.

Mozilla Firefox WOFF-Based Font Decoder Integer Overow Remote Code Execution Vulnerability This vulnerability is due to an integer-overow error in WOFF decoder which is the abbreviation for Mozilla Web Open Fonts Format.[19] WOFF is a simple compressed le format for fonts. This decoder is included in Firefox 3.6[20] or later. The way the WOFF decoder handles the size of tables which are specied in the font le an integer overow vulnerability may exist. This error could result in a buer overow vulnerability on a subsequent memory allocation. A remote attacker who is able to supply a malicious WOFF le could exploit this vulnerability (buer overow). Failed exploit attempts will result in denial-of-service conditions. Mozilla Firefox Cross Document DOM Node Movement Remote Code Execution Vulnerability is also same as this vulnerability. Mozilla Firefox OnUnload Memory Corruption Vulnerability v2.0 and Mozilla Firefox TraceRecorder::traverseScopeChain() Remote Memory Corruption Vulnerability with v3.6.2 belong to this category. Both allow an attacker to execute arbitrary code in the context of the user running the aected application. Mouse Click Event Hijacking Vulnerability in IE and Mozilla also belong to this category which could allow a remote attacker to write arbitrary les to the local le system.

Vulnerabilities in Web Browsers

Conclusion

In this paper, we have proposed a taxonomy for the Web browser exploits and have discussed some of the vulnerabilities existing in Microsofts Internet Explorer and Mozilla Firefox browsers. It is evident that every loophole in the design and implementation of the software system leads to various security threats. Hence it is recommended to have safe progrmming practices and keep the system upto date with the latest patches. Also, the end users should be aware of the security issues while using the web browsers and they should make it a practice not to click on suspicious links and avoid using untrusted download sources.

References
1. Internet Explorer Arcitecture: http://msdn.microsoft.com/enus/ library/aa741312%28VS.85%29.aspx 2. Mozilla Architecture http://plg.uwaterloo.ca/ migod/papers/2005/ icsm05webBrowserRefArch.pdf 3. http://www.mozilla.org/docs 4. http://blogs.technet.com/security November 27, 2007 5. NHS Information Governance: Technical Security Technology Bulletin: Microsoft Internet Explorer Security Vulnerability 979352 Aurora Department of Health Informatics Directorate January, 2010 6. http://www.betanews.com/article/Yet-another-crosssite-scripting-vulnerabilityaects-IE7-on-XP/1210961484 7. http://www.articlesbase.com/software-articles/browser-architecture-290712.html 8. http://everything2.com/title/Web+browser+denial-of-service+attacks 9. Sung-Whan Woo, Omar H. Alhazmi and Yashwant K. Malaiya, An Analysis of the Vulnerability Discovery Process in Web Browser,Proceedings of the 10th IASTED International Conference, November 2006 10. Vinod, Anupam and Alain Mayer, Security of Web Browser Scripting Languages:Vunerability,Attacks and Remedies,January 1998 11. Mike Ter Louw, Jin Soon Lim, V. N. Venkatakrishnan, Enhanching Web Browser Security Against Malware Extensions,2008 12. Dachuan Yu, Ajay Chander, Nayeem Islam, Igor Serikov, javaScript Instrumentation for Browser Security,January 2007 13. Niels Provos, Dean McNamee, Panayiotis Mavrommatis, Ke Wang and Nagendra Modadugu, The Ghost In The Browser Analysis of Web-based Malware, 2007 14. http://www.kb.cert.org/vuls/842160 15. http://xforce.iss.net/xforce/xfdb/56363 16. http://www.msisac.org/advisories/2010/2010-023.cfm 17. http://www.securityfocus.com/bid/38615/info 18. http://vil.nai.com/vil/content/vul50943.htm 19. http://www.mozilla.org/security/announce/ 20. http://www.securityfocus.com/bid/38298