Web browsers can be breached in one or more of the following ways:
- Operating system is breached and malware is reading/modifying the browser memory space in privilege mode
- Operating system has a malware running as a background process, which is reading/modifying the browser memory space in privileged mode
- Main browser executable can be hacked
- Browser components may be hacked
- Browser plugins can be hacked
- Browser network communications could be intercepted outside the machine
The browser may not be aware of any of the breaches above and may show user a safe connection is made.
Whenever a browser communicates with a website, the website, as part of that communication, collects some information about the browser (in order to process the formatting of the page to be delivered, if nothing else). If malicious code has been inserted into the website's content, or in a worst-case scenario, if that website has been specifically designed to host malicious code, then vulnerabilities specific to a particular browser can allow this malicious code to run processes within the browser application in unintended ways (and remember, one of the bits of information that a website collects from a browser communication is the browser's identity- allowing specific vulnerabilities to be exploited). Once an attacker is able to run processes on the visitor's machine, then exploiting known security vulnerabilities can allow the attacker to gain privileged access (if the browser isn't already running with privileged access) to the "infected" system in order to perform an even greater variety of malicious processes and activities on the machine or even the victim's whole network.
Breaches of web browser security are usually for the purpose of bypassing protections to display pop-up advertising collecting personally identifiable information (PII) for either Internet marketing or identity theft, website tracking or web analytics about a user against their will using tools such as web bugs, Clickjacking, Likejacking (where Facebook's like button is targeted), HTTP cookies, zombie cookies or Flash cookies (Local Shared Objects or LSOs); installing adware, viruses, spyware such as Trojan horses (to gain access to users' personal computers via cracking) or other malware including online banking theft using man-in-the-browser attacks.
Vulnerabilities in the web browser software itself can be minimized by keeping browser software updated, but will not be sufficient if the underlying operating system is compromised, for example, by a rootkit. Some subcomponents of browsers such as scripting, add-ons, and cookies are particularly vulnerable ("the confused deputy problem") and also need to be addressed.
Following the principle of defence in depth, a fully patched and correctly configured browser may not be sufficient to ensure that browser-related security issues cannot occur. For example, a rootkit can capture keystrokes while someone logs into a banking website, or carry out a man-in-the-middle attack by modifying network traffic to and from a web browser. DNS hijacking or DNS spoofing may be used to return false positives for mistyped website names, or to subvert search results for popular search engines. Malware such as RSPlug simply modifies a system's configuration to point at rogue DNS servers.
Browsers can use more secure methods of network communication to help prevent some of these attacks:
- DNS: DNSSec and DNSCrypt, for example with non-default DNS servers such as Google Public DNS or OpenDNS.
- HTTP: HTTP Secure and SPDY with digitally signed public key certificates or Extended Validation Certificates.
Perimeter defenses, typically through firewalls and the use of filtering proxy servers that block malicious websites and perform antivirus scans of any file downloads, are commonly implemented as a best practice in large organizations to block malicious network traffic before it reaches a browser.
The topic of browser security has grown to the point of spawning the creation of entire organizations, such as The Browser Exploitation Framework Project, creating platforms to collect tools to breach browser security, ostensibly in order to test browsers and network systems for vulnerabilities.
Plugins and extensions
Although not part of the browser per se, browser plugins and extensions extend the attack surface, exposing vulnerabilities in Adobe Flash Player, Adobe (Acrobat) Reader, Java plugin, and ActiveX that are commonly exploited. Malware may also be implemented as a browser extension, such as a browser helper object in the case of Internet Explorer. Browsers like Google Chrome and Mozilla Firefox can block—or warn users of—insecure plugins.
An August 2009 study by the Social Science Research Network found that 50% of websites using Flash were also employing flash cookies, yet privacy policies rarely disclosed them, and user controls for privacy preferences were lacking. Most browsers' cache and history delete functions do not affect Flash Player's writing Local Shared Objects to its own cache, and the user community is much less aware of the existence and function of Flash cookies than HTTP cookies. Thus, users having deleted HTTP cookies and purged browser history files and caches may believe that they have purged all tracking data from their computers when in fact Flash browsing history remains. As well as manual removal, the BetterPrivacy addon for Firefox can remove Flash cookies. Adblock Plus can be used to filter out specific threats and Flashblock can be used to give an option before allowing content on otherwise trusted sites.
Charlie Miller recommended "not to install Flash" at the computer security conference CanSecWest. Several other security experts also recommend to either not install Adobe Flash Player or to block it.
Password security model
The contents of a web page are arbitrary and controlled by the entity owning the domain named displayed in the address bar. If HTTPS is used, then encryption is used to secure against attackers with access to the network from changing the page contents en route. When presented with a password field on a web page, a user is supposed to look at the address bar to determine whether the domain name in the address bar is the correct place to send the password. For example, for Google's single sign-on system (used on e.g. youtube.com), the user should always check that the address bar says "https://accounts.google.com" before inputting their password.
An un-compromised browser guarantees that the address bar is correct. This guarantee is one reason why browsers will generally display a warning when entering fullscreen mode, on top of where the address bar would normally be, so that a fullscreen website cannot make a fake browser user interface with a fake address bar.
There have been attempts to market hardware-based browsers running from non-writable, read-only file systems. Data cannot be stored on the device and the media cannot be overwritten, presenting a clean executable each time it loads. The first such device was the ZeusGard Secure Hardware Browser, released in late 2013. The ZeusGard website has not been functional since mid-2016. Another device, the iCloak® Stik from the iCloak website provides a complete Live OS which completely replaces the computer's entire operating system and offers two web browsers from the read-only system. With iCloak they provide the Tor browser for Anonymous browsing as well as a regular Firefox browser for non-anonymous browsing. Any non-secured web traffic (not using https, for example), could still be subject to man-in-the-middle alteration or other network traffic-based manipulations.
LiveCDs, which run an operating system from a non-writable source, typically come with internet browsers as part of their default image. If the original LiveCD image is free of malware, all of the software used, including the internet browser, will load free of malware every time the LiveCD image is booted.
Browsing the Internet as a least-privilege user account (i.e. without administrator privileges) limits the ability of a security exploit in a web browser from compromising the whole operating system.
Internet Explorer 7 added "protected mode", a technology that hardens the browser through the application of a security sandboxing feature of Windows Vista called Mandatory Integrity Control. Google Chrome provides a sandbox to limit web page access to the operating system.
Remote browser isolation
A relatively new approach (started getting a lot of attention in 2017), known as browser isolation or remote browsing, involves executing browsing sessions in a remote location outside the firewall (e.g., in the DMZ or cloud), within an isolated virtual environment such as a container. The securely rendered web content is streamed back to the local browser in real time, providing a seamless and interactive user experience, while ensuring that any malicious code is fully contained—never making its way onto the endpoint. The entire virtual environment can then be reset to a known good state or discarded altogether at the end of the session.
Secure browsing can also require no require no additional infrastructure beyond the firewall. Instead of remote browsing isolation, a secure application container can access all websites and open all files as long as they are open and utilized within the container. All unsafe content becomes locked and isolated from the host. If the host wants to move the file, it is sanitized into a safe copy using CDR. Remote users who are not using the specific network they would otherwise use in remote browser isolation are still able to open files and browse the internet without compromising their security.
Modern web browsers undergo extensive fuzzing to uncover vulnerabilities. The Chromium code of Google Chrome is continuously fuzzed by the Chrome Security Team with 15,000 cores. For Microsoft Edge and Internet Explorer, Microsoft performed fuzzed testing with 670 machine-years during product development, generating more than 400 billion DOM manipulations from 1 billion HTML files.
- Load clean software: Boot from a known clean OS that has a known clean internet browser
- Prevent attacks via third-party software: Use a hardened internet browser or add-on-free-browsing mode
- Prevent DNS manipulation: Use trusted and secure DNS
- Avoid website-based exploits: Employ link-checking browser plug-ins commonly found in internet security software
- Avoid malicious content: Employ perimeter defenses and anti-malware software
- Maone, Giorgio. "NoScript :: Add-ons for Firefox". Mozilla Add-ons. Mozilla Foundation.
- NC (Social Science Research Network). "BetterPrivacy :: Add-ons for Firefox". Mozilla Add-ons. Mozilla Foundation.
- Keizer, Greg. Firefox 3.5 Vulnerability Confirmed Archived 28 October 2010 at the Wayback Machine.. Retrieved 19 November 2010.
- Messmer, Ellen and NetworkWorld. "Google Chrome Tops 'Dirty Dozen' Vulnerable Apps List". Retrieved 19 November 2010.
- Skinner, Carrie-Ann. Opera Plugs "Severe" Browser Hole Archived 20 May 2009 at the Wayback Machine.. Retrieved 19 November 2010.
- Bradly, Tony. "It's Time to Finally Drop Internet Explorer 6" Archived 15 October 2012 at the Wayback Machine.. Retrieved 19 November 2010.
- "Browser". Mashable. Archived from the original on 2 September 2011. Retrieved 2 September 2011.
- Smith, Dave. "The Yontoo Trojan: New Mac OS X Malware Infects Google Chrome, Firefox And Safari Browsers Via Adware". IBT Media Inc. Archived from the original on 24 March 2013. Retrieved 21 March 2013.
- Goodin, Dan. "MySQL.com breach leaves visitors exposed to malware". Archived from the original on 28 September 2011. Retrieved 26 September 2011.
- Clinton Wong. "HTTP Transactions". O'Reilly. Archived from the original on 13 June 2013.
- "9 Ways to Know Your PC is Infected with Malware". Archived from the original on 11 November 2013.
- "Symantec Security Response Whitepapers". Archived from the original on 9 June 2013.
- Palant, Wladimir. "Adblock Plus :: Add-ons for Firefox". Mozilla Add-ons. Mozilla Foundation.
- "Facebook privacy probed over 'like,' invitations". CBC News. 23 September 2010. Archived from the original on 26 June 2012. Retrieved 24 August 2011.
- Albanesius, Chloe (19 August 2011). "German Agencies Banned From Using Facebook, 'Like' Button". PC Magazine. Archived from the original on 29 March 2012. Retrieved 24 August 2011.
- McCullagh, Declan (2 June 2010). "Facebook 'Like' button draws privacy scrutiny". CNET News. Archived from the original on 5 December 2011. Retrieved 19 December 2011.
- Roosendaal, Arnold (30 November 2010). "Facebook Tracks and Traces Everyone: Like This!". SSRN 1717563
- State of Vermont. "Web Browser Attacks". Archived from the original on 13 February 2012. Retrieved 11 April 2012.
- "Windows Rootkit Overview" (PDF). Symantec. Archived (PDF) from the original on 16 May 2013. Retrieved 20 April 2013.
- "Cross Site Scripting Attack". Archived from the original on 15 May 2013. Retrieved 20 May 2013.
- Lenny Zeltser. "Mitigating Attacks on the Web Browser and Add-Ons". Archived from the original on 7 May 2013. Retrieved 20 May 2013.
- Dan Goodin. "Two new attacks on SSL decrypt authentication cookies". Archived from the original on 15 May 2013. Retrieved 20 May 2013.
- "beefproject.com". Archived from the original on 11 August 2011.
- "How to Create a Rule That Will Block or Log Browser Helper Objects in Symantec Endpoint Protection". Symantec.com. Archived from the original on 14 May 2013. Retrieved 12 April 2012.
- "Soltani, Ashkan, Canty, Shannon, Mayo, Quentin, Thomas, Lauren and Hoofnagle, Chris Jay: Flash Cookies and Privacy". 2009-08-10. SSRN 1446862
- "Local Shared Objects -- "Flash Cookies"". Electronic Privacy Information Center. 2005-07-21. Archived from the original on 16 April 2010. Retrieved 2010-03-08.
- Chee, Philip. "Flashblock :: Add-ons for Firefox". Mozilla Add-ons. Mozilla Foundation.
- "Pwn2Own 2010: interview with Charlie Miller". 2010-03-01. Retrieved 2010-03-27.
- "Expert says Adobe Flash policy is risky". 12 November 2009. Archived from the original on 26 April 2011. Retrieved 27 March 2010.
- John C. Mitchell. "Browser Security Model" (PDF). Archived (PDF) from the original on 20 June 2015.
- "Using the HTML5 Fullscreen API for Phishing Attacks » Feross.org". feross.org. Archived from the original on 25 December 2017. Retrieved 7 May 2018.
- "Using a Least-Privileged User Account". Microsoft. Archived from the original on 6 March 2013. Retrieved 20 April 2013.
- "How to Stop an ActiveX control from running in Internet Explorer". Microsoft. Archived from the original on 2 December 2014. Retrieved 22 November 2014.
- "Internet Explorer security zones registry entries for advanced users". Microsoft. Archived from the original on 2 December 2014. Retrieved 22 November 2014.
- "Out-of-date ActiveX control blocking". Microsoft. Archived from the original on 29 November 2014. Retrieved 22 November 2014.
- "Internet Explorer Add-on Management and Crash Detection". Microsoft. Archived from the original on 29 November 2014. Retrieved 22 November 2014.
- "How to Manage Internet Explorer Add-ons in Windows XP Service Pack 2". Microsoft. Archived from the original on 2 December 2014. Retrieved 22 November 2014.
- Matthew Conover. "Analysis of the Windows Vista Security Model" (PDF). Symantec Corporation. Archived (PDF) from the original on 16 May 2008. Retrieved 8 October 2007.
- "Browser Security: Lessons from Google Chrome". Archived from the original on 11 November 2013.
- "Report malicious software (URL) to Google". Archived from the original on 12 September 2014.
- "Google Safe Browsing". Archived from the original on 14 September 2014.
- "5 Ways to Secure Your Web Browser". ZoneAlarm. Archived from the original on 7 September 2014.
- "Adblock Plus Will Soon Block Fewer Ads — SiliconFilter". Siliconfilter.com. Archived from the original on 30 January 2013. Retrieved 20 April 2013.
- "Securing Your Web Browser". Archived from the original on 26 March 2010. Retrieved 2010-03-27.
- "The key to success with prevention strategies like remote browser isolation - Help Net Security". Help Net Security. 5 December 2017. Archived from the original on 29 January 2018. Retrieved 1 February 2018.
- "Contain the threat, prevent the infection - Ceedo MalwareLocker". Ceedo. Retrieved 2018-07-24.
- Sesterhenn, Eric; Wever, Berend-Jan; Orrù, Michele; Vervier, Markus (19 Sep 2017). "Browser Security WhitePaper" (PDF). X41D SEC GmbH.
- "Security enhancements for Microsoft Edge (Microsoft Edge for IT Pros)". Microsoft. 15 Oct 2017. Retrieved 31 August 2018.