webbrowser vulnerability


Upload: abdellak

Post on 24-Oct-2015


Vulnerabilities in Web Browsers

Dhruwajita Devi, Dhrubajyoti Pathak, and Sukumar Nandi

Department of Computer Science and Engg.
Indian Institute of Technology, Guwahati, India

{dhruwajita.devi,drbj153,sukumar}@iitg.ernet.in

Abstract. Web browsers are software applications that are used to access information from the World Wide Web. With their wide usage and increasing popularity, they have become one of the major targets for exploitation by hackers. A small mistake during the design, implementation and configuration of software will leave it vulnerable to intrusions. In this paper we give a taxonomy of vulnerabilities of Windows Internet Explorer and Mozilla Firefox browsers based on the methods employed for attack generation and the consequences of such exploits. We survey the latest vulnerabilities in the Internet Explorer and Mozilla Firefox browsers and the browser versions they affect. An analysis of each group is also given, and remedial measures to be taken are discussed.

1 Introduction

Web browsers are the intermediary applications between a user and the World Wide Web. Understanding browser vulnerabilities requires knowledge of the architectural design of browsers. Basically, a browser is a software application program which is used for retrieving information resources on the World Wide Web. It consists of three main parts: i) controller, ii) client program and iii) interpreter.[7] The controller handles the other two parts, i.e. the client program and the interpreter. The controller takes inputs from the standard input devices and uses a client program (http, ftp, telnet etc.) to access a document. As soon as the document is accessed, the controller uses an interpreter (html, cgi or java etc.) to display it on the screen. Hence, it acts as an interface between a user and the World Wide Web. A vulnerability is a weakness or design flaw in a software program which an attacker can exploit to degrade system performance or to get unauthorized access (an exploit is a piece of computer program, chunk of data, etc.). Likewise, a web browser vulnerability is a flaw in the browser software which can be used by an intruder to exploit the respective browser.

In this paper, we have done a thorough survey of the existing vulnerabilities in Windows Internet Explorer and Mozilla Firefox browsers and have classified them. Section 2 describes the architecture of the popular web browsers. Section 3 describes their vulnerabilities in detail, and finally we conclude with our recommendations in the last section.


2 Architecture of Web Browsers

Before going into the details of the vulnerabilities, we give an overview of the architectural foundation of Internet Explorer and Firefox.

2.1 Internet Explorer

Internet Explorer has a modular architecture[1] which enables the reuse of its components and allows developers to enhance and extend the browser’s performance.

The main components of IE’s architecture are shown in Figure 1.

IExplore.exe : It is a small component that is dependent on the other main components of IE. The main job of this component is rendering, navigation, protocol implementation, and so on.

BrowseUI.dll : This DLL is referred to as the “chrome” and provides the user interface to IE. It includes the IE address bar, status bar, menus, and so on.

ShDocVW.dll : It is a core component of IE and is a 32-bit DLL, protected by the OS. Since IE is integrated with the Windows OS, ActiveX Control interfaces are hosted by this DLL. It provides navigation and history. Microsoft Word, Microsoft Excel, Microsoft Visio, and many non-Microsoft applications also expose active document interfaces so they can be hosted by it.

MSHTML.dll : It takes care of HTML and Cascading Style Sheets (CSS) parsing, i.e., it is responsible for rendering web pages. It is also a 32-bit DLL. MSHTML.dll exposes interfaces to its host as an active document. MSHTML.dll may be called upon to host other components depending on the HTML document’s content.

Figure 1. Architecture of Internet Explorer

Figure 2. Architecture of Mozilla Firefox


UrlMon.dll : It provides functionality for MIME handling and code download.

WinInet.dll : Windows Internet Protocol handler. It implements the HTTP and FTP protocols along with cache management.

2.2 Mozilla Architecture

User Interface : The User Interface layer is the upper layer of the browser, which provides configuration of the browser, handles the visualization of web pages, and offers web page bookmarking and saving options. The User Interface consists of two sub-layers – User Interface and Cross Platform Front End (XPFE). XPFE is a development tool based upon XML that allows the development of different Mozilla applications such as Firefox and Thunderbird. Most parts of Mozilla Firefox are written in XUL (XML User interface Language), HTML and CSS.[2][3]

Gecko: Gecko consists of a browser engine and a rendering engine. The browser engine acts as a high-level interface to the rendering engine and provides different browser actions like Back, Forward, Reload and Stop, along with different error messages. The rendering engine comprises various components:

HTML Parser : It parses the HTML document and generates the layout for web pages.

XML Parser : It parses the XML documents that are responsible for display in the user interface.

JavaScript Interpreter : It interprets JavaScript.

Content Model : It arranges parsed web page data based on the Document Object Model.

Image Loader : It is responsible for loading images in the web page.

Style System: It parses the CSS data in the document retrieved.

Frame System: It designs the frames from the data of the Content Model’s DOM elements and creates the visual layout of the web page.

Graphic Model : The graphical interface provides primitive drawing and native window methods of the host operating system.

Necko: Necko in Mozilla is a network component consisting of networking libraries. Necko is responsible for all network communication, security and the representation of different formats of data. It comprises the following parts: Application, URI Object, Network Service, Protocol handler, Protocol connection, File/Socket Transport, NSS.

The NSS library provides cross-platform communication support for different applications. It also provides implementations of secure network communication such as SSL, S/MIME and other Internet security standards.

XML parser : It is used to parse XML documents like HTML, MathHTML, SVG, RDF and XUL. In Mozilla Firefox the XML parser is based on the Mozilla Expat parser, which is included in Gecko.

JavaScript Interpreter : This component executes the JavaScript code embedded in a web page. It includes SpiderMonkey, which is a C implementation of JavaScript. In Mozilla Firefox the JavaScript interpreter is tightly integrated into Gecko.


Data persistence : The Data Persistence component manages user data in a persistent and secure manner.

3 Vulnerabilities in Web Browsers

In this section, we classify the vulnerabilities that exist in Internet Explorer and Mozilla Firefox based on the impact of the exploit and its symptoms. We group the vulnerabilities into 4 categories: Cross-site Scripting, Denial of Service, Buffer Overflow and Remote Exploitation attacks. Each of these classes is discussed in detail in the next 4 subsections.

3.1 Cross-site Scripting (XSS) Vulnerability

The main cause of cross-site scripting vulnerability is dynamic web pages. Whatever web pages are generated by the web server, it is up to the client browser to interpret the page. If it is a static web page, it will not be an easy job for the attacker to inject something malicious in the page, because the server will have full control over how the client browser will interpret it. But in the case of dynamic pages the server does not have full control. This leaves an opportunity for the attacker to inject malicious code which can be detected neither by the server nor by the client browser's interpreter[10]. Therefore, the client browser will interpret it as a legitimate page and will access the link of that page though it is infected[11]. This is how cross-site scripting takes place. It is also known as XSS. Stealing information through a browser vulnerability also belongs to this category. It involves Internet Explorer 7 on all versions of Windows XP; it does not affect IE 8. However, IE8 running in Windows Vista (not SP1) is vulnerable to this attack if its Protected Mode is turned off.[6] An XSS attack via an embedded SVG document is one of the vulnerabilities of this kind that exist in Mozilla Firefox. Mozilla Firefox 3.0.x[15] before 3.0.18 and 3.5.x before 3.5.8 are affected by this vulnerability, but it is fixed in Firefox 3.6, Firefox 3.5.8 and Firefox 3.0.18.[20]

3.2 Denial-of-Service (DoS) Vulnerability

The main cause of DoS vulnerability in web browsers is infinite looping in JavaScript[8]. Also, there is no limit on the number of windows a JavaScript can open on the screen. Taking advantage of this feature, a hacker can inject malicious code to open windows repeatedly. This creates a DoS attack on the victim machine. This attack prevents legitimate users from accessing information from a server or from some other machine. When a user clicks a malicious link using a browser, the attacker floods it with response web pages; as a result the browser halts[11]. This attack is possible in IE 6/7/8 according to a recent experiment on 2010/01/18 on the platforms Windows XP SP3 English and Windows 7. Firefox versions 3.5.x before 3.5.8 are affected but fixed in Firefox 3.6, [19] Firefox 3.5.8.


The Mozilla Firefox Document.Cookie Path Argument Denial of Service Vulnerability, in version 2.0.0.2, and the Web Worker Array Handling Heap Corruption Vulnerability, in version 3.5.x, are of this kind.

3.3 Buffer Overflow Vulnerability

A buffer overflow vulnerability occurs due to a boundary checking error. If the buffer takes user-supplied input which is greater than the buffer size, there will be a buffer overflow vulnerability. In IE this bug takes advantage of the way it handles long strings written in JavaScript code[9]. As a result the browser crashes, potentially allowing malicious code to run. Heap-based vulnerabilities, e.g. the ”IFRAME vulnerability” or the ”HTML Elements Vulnerability”, belong to this category.[14] Internet Explorer 6.0 on Windows XP SP1 (fully patched) and Windows 2000 (fully patched) is vulnerable. Firefox versions 3.0.x before 3.0.15 and 3.5.x before 3.5.4 are affected. Fixed in Firefox 3.5.4, Firefox 3.5.4.[19]

3.4 Remote Code Execution or Memory Corruption Vulnerability

Most browsers are vulnerable to remote code execution and memory corruption. Some of the recent vulnerabilities of this type that exist in these browsers are listed below:

HTML Object Memory Corruption Vulnerabilities

This vulnerability is associated with a pointer to a deleted HTML object. An intruder can use the pointers of deleted objects to run arbitrary code[12]. It is due to incorrectly initialized memory and improper handling of objects in memory. This remote exploit took place in December 2009 and January 2010 during Operation Aurora[5]. It is also called a use-after-free vulnerability. The famous Aurora attack belongs to this category.

The Uninitialized Memory Corruption Vulnerability and the HTML Rendering Memory Corruption Vulnerability are also the same as the Object Memory Corruption Vulnerability. These vulnerabilities exist when IE accesses an object which is not initialized correctly or has been deleted[16]. An intruder may take advantage of this vulnerability to exploit the browser if a user visits a web page which is specifically crafted. Successful exploitation may result in gaining the same privileges as the currently logged-on user. Based on the user's privileges, an intruder could install programs. She can view, change or delete data, or can create her own accounts with full rights.

Race Condition Memory Corruption Vulnerability

The cause of this vulnerability is a bit different. It arises from the way IE accesses an object that may have been corrupted due to a race condition[16]. Its exploitation and consequences are similar to those of the HTML Object or Uninitialized Memory Corruption vulnerability.


Memory Corruption Vulnerability

This type of vulnerability exists when IE handles a long URL in certain situations[13]. All the vulnerabilities mentioned so far in this category affect IE 5/6/7/8 on Windows 2000, 2003, XP, Vista and 7 respectively[16].

Post Encoding Information Disclosure Vulnerability

An information disclosure vulnerability leaks sensitive information. It occurs while submitting data to the server. Exploitation may occur if a user visits a web page which is specifically crafted to take advantage of these vulnerabilities[16]. Successful exploitation of this vulnerability could result in an attacker viewing content from the local computer or from another browser window in another domain or Internet Explorer zone. This is also called the HTML Element Cross-Domain Vulnerability. IE 5/6/7 are affected by this vulnerability[18].

Microsoft Internet Explorer iepeers.dll Remote Code Execution Vulnerability

This vulnerability is related to iepeers.dll, which is a Microsoft Internet Explorer library. Internet Explorer 6 and 7 are affected by this vulnerability,[17] while IE 5 and 8 are not affected. The vulnerability exists due to an invalid pointer reference being used within Internet Explorer. In certain conditions, when an invalid pointer tries to access an object which has already been deleted, it leads to this vulnerability. This may result in remote code execution. As of now, a patch is not available.

Mozilla Firefox WOFF-Based Font Decoder Integer Overflow Remote Code Execution Vulnerability

This vulnerability is due to an integer-overflow error in Mozilla's WOFF decoder; WOFF is the abbreviation for Web Open Fonts Format.[19] WOFF is a simple compressed file format for fonts. This decoder is included in Firefox 3.6[20] or later. An integer overflow may occur in the way the WOFF decoder handles the sizes of tables which are specified in the font file. This error could result in a buffer overflow vulnerability on a subsequent memory allocation. A remote attacker who is able to supply a malicious WOFF file could exploit this vulnerability (buffer overflow). Failed exploit attempts will result in denial-of-service conditions. The Mozilla Firefox Cross Document DOM Node Movement Remote Code Execution Vulnerability is also the same as this vulnerability.
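The size-computation flaw described above, where a wrapped sum of table sizes leads to an undersized allocation, together with the boundary check whose absence Section 3.3 names, shown as an added C example (it is not from the paper and is not Firefox's decoder code). The `table_entry` layout, the function names and the 64 MiB cap are assumptions, and the sample table lengths are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified table-directory entry (assumed layout for this example):
 * only the declared decompressed length matters here. */
struct table_entry {
    uint32_t tag;
    uint32_t orig_length;            /* read from the font file, untrusted */
};

#define MAX_FONT_BYTES (64u * 1024u * 1024u)   /* assumed policy cap */

/* Flawed pattern: rounds each length up to 4 bytes and sums in 32 bits.
 * Both the rounding and the sum can wrap, yielding a tiny "total". */
static uint32_t total_size_unchecked(const struct table_entry *t, size_t n)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += (uint32_t)(t[i].orig_length + 3u) & ~(uint32_t)3u;
    return total;
}

/* Checked form: returns 0 and stores the sum, or -1 if any step would
 * wrap or exceed the cap. Invariant: total <= MAX_FONT_BYTES. */
static int total_size_checked(const struct table_entry *t, size_t n,
                              uint32_t *out)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t len = t[i].orig_length;
        if (len > UINT32_MAX - 3u)
            return -1;                          /* rounding would wrap */
        len = (len + 3u) & ~(uint32_t)3u;
        if (len > MAX_FONT_BYTES - total)
            return -1;                          /* sum would exceed cap */
        total += len;
    }
    *out = total;
    return 0;
}

int main(void)
{
    /* Constructed directories: one benign, one with lengths that wrap. */
    const struct table_entry benign[] = { {1, 10}, {2, 5} };
    const struct table_entry hostile[] = { {1, 0x80000000u}, {2, 0x80000010u} };
    uint32_t sum = 0;

    printf("benign unchecked=%u\n", (unsigned)total_size_unchecked(benign, 2));
    printf("hostile unchecked=%u (allocation far smaller than table 1)\n",
           (unsigned)total_size_unchecked(hostile, 2));
    printf("hostile checked rc=%d\n", total_size_checked(hostile, 2, &sum));
    return 0;
}
```

A buffer allocated from the unchecked total for the second directory would be 16 bytes, while each declared table is about 2 GiB; the checked form rejects the file before any allocation is made.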

The Mozilla Firefox OnUnload Memory Corruption Vulnerability in v2.0 and the Mozilla Firefox ’TraceRecorder::traverseScopeChain()’ Remote Memory Corruption Vulnerability in v3.6.2 belong to this category. Both allow an attacker to execute arbitrary code in the context of the user running the affected application.

The Mouse Click Event Hijacking Vulnerability in IE and Mozilla also belongs to this category; it could allow a remote attacker to write arbitrary files to the local file system.


4 Conclusion

In this paper, we have proposed a taxonomy for Web browser exploits and have discussed some of the vulnerabilities existing in Microsoft’s Internet Explorer and Mozilla Firefox browsers. It is evident that every loophole in the design and implementation of a software system leads to various security threats. Hence it is recommended to follow safe programming practices and keep the system up to date with the latest patches. Also, end users should be aware of the security issues while using web browsers, and they should make it a practice not to click on suspicious links and to avoid using untrusted download sources.

References

1. Internet Explorer Architecture: http://msdn.microsoft.com/enus/library/aa741312%28VS.85%29.aspx
2. Mozilla Architecture: http://plg.uwaterloo.ca/ migod/papers/2005/icsm05webBrowserRefArch.pdf
3. http://www.mozilla.org/docs
4. http://blogs.technet.com/security November 27, 2007
5. NHS Information Governance: Technical Security Technology Bulletin: Microsoft Internet Explorer Security Vulnerability 979352 Aurora, Department of Health Informatics Directorate, January, 2010
6. http://www.betanews.com/article/Yet-another-crosssite-scripting-vulnerability-affects-IE7-on-XP/1210961484
7. http://www.articlesbase.com/software-articles/browser-architecture-290712.html
8. http://everything2.com/title/Web+browser+denial-of-service+attacks
9. Sung-Whan Woo, Omar H. Alhazmi and Yashwant K. Malaiya, An Analysis of the Vulnerability Discovery Process in Web Browser, Proceedings of the 10th IASTED International Conference, November 2006
10. Vinod, Anupam and Alain Mayer, Security of Web Browser Scripting Languages: Vulnerability, Attacks and Remedies, January 1998
11. Mike Ter Louw, Jin Soon Lim, V. N. Venkatakrishnan, Enhancing Web Browser Security Against Malware Extensions, 2008
12. Dachuan Yu, Ajay Chander, Nayeem Islam, Igor Serikov, JavaScript Instrumentation for Browser Security, January 2007
13. Niels Provos, Dean McNamee, Panayiotis Mavrommatis, Ke Wang and Nagendra Modadugu, The Ghost In The Browser Analysis of Web-based Malware, 2007
14. http://www.kb.cert.org/vuls/842160
15. http://xforce.iss.net/xforce/xfdb/56363
16. http://www.msisac.org/advisories/2010/2010-023.cfm
17. http://www.securityfocus.com/bid/38615/info
18. http://vil.nai.com/vil/content/vul50943.htm
19. http://www.mozilla.org/security/announce/
20. http://www.securityfocus.com/bid/38298