Forensics in Spanish
RE: [Segurinfo] Seguridad en Browsers: ¿Quien va adelante? Feb 02 2006 02:59PM
Andres Fernando Caro Cubillos (AF Caro bancafe com co)

Buenas tardes,

En este artículo no se está tomando en cuenta la versión 1.5 de Firefox, que
soluciona algunos fallos de seguridad, incluye las actualizaciones
automáticas y mejora el bloqueo de pop-ups. También hay que considerar que
Mozilla lanza los parches de seguridad más rápido que Microsoft y estos son
cargados automáticamente en la nueva versión.

En el punto 3 del artículo se habla de eliminar la información sensible de
IE con un solo click, pero no tomaron en cuenta que en todas las versiones
de IE esta información no es borrada completamente. El truco consiste en
usar la opción buscar del menú de Inicio y realizar una búsqueda de archivos
en la carpeta "Archivos Temporales de Internet" en el directorio de Windows.
De esta manera aparecen todos los archivos que supuestamente borra el

Además IE está integrado en el Kernel de Windows y cualquier tipo de ataque
o fallo de seguridad explotado afectará completamente el sistema, lo mismo
ocurre cuando el navegador se bloquea o genera un mensaje de error. Para
empeorara las cosas Microsoft suele presentar un producto estable después de
lanzar dos o tres paquetes de servicio y múltiples actualizaciones.

Con lo expuesto anteriormente ustedes siguen creyendo que el nuevo navegador
de Microsoft será un producto seguro y confiable...


Analista II
Departamento Calidad y Seguridad Informática

Cl 28 No. 13a-15 piso 28

Tel. 5600999 ó 3411511 ext. 3670

Granbanco - Bancafe S.A.

-----Mensaje original-----
De: Jeimy José Cano Martínez [mailto:jcano (at) (dot) co [email concealed]]
Enviado el: Martes, 31 de Enero de 2006 03:58 p.m.
Para: segurinfo (at) (dot) co [email concealed]
CC: alfa-redi (at) dgroups (dot) org [email concealed]; forensics-es (at) securityfocus (dot) com [email concealed]
Asunto: [Segurinfo] Seguridad en Browsers: ¿Quien va adelante?

Estimados profesionales,

En el reciente número del Information Security Magazine, se presenta un
de las características de seguridad de los browsers mas representativos del
mercado (en sus versiones beta.. dado que a la fecha aún no se han

Internet Explorer 7.0, Netscape 8.0 y Firefox 1.0.7

Espero sea de utilidad.

Peak of Security,291266,sid42_gci1154
by: James C. Foster
Issue: Jan 2006

IE 7.0, Firefox, Netscape: One browser is at The Peak of Security. We'll
you which comes out on top.

The Web browser has evolved into one of our most important desktop
applications--and an enormous security concern. Shaken by years of one
vulnerability after another, businesses are demanding better security in the
nearly ubiquitous Microsoft Internet Explorer, or taking a hard look at
alternatives, such as the popular newcomer Firefox.

Browsers are responsible for everything from security application management
interfaces to Internet access to our brick-and-mortar bank accounts to MP3
players. Organized criminals exploit the Web to access corporate systems and
databases and steal passwords and credit card numbers from individual users.

Users have switched to the open-source Firefox in large numbers since its
release in late 2004, cutting IE's market share. Driven by the perception
it's more secure--as well as having cool features like tabbed
has garnered an estimated 8 to 11 percent of worldwide browser use. Other
browsers, such as Netscape, are barely on the radar, with less than 1
market penetration.

Microsoft's response, IE 7.0, which is still in beta (no release date has
announced), will be the latest major release in the company's four-year-old
Trustworthy Computing initiative. One version of the browser will be
for XP SP2, and another with Microsoft's forthcoming Vista operating system.
embraces Redmond's secure-by-default mantra and introduces additional

So which browser takes security to new heights? Information Security put
question to the test.

We evaluated security features of beta versions of Internet Explorer 7.0 and
Netscape 8.0, and Firefox 1.0.7 (Firefox 1.5 was released after our
was complete). Each ran in a production environment on Windows XP with SP 2.
While home-user security is crucial to maintain customer confidence in
commerce, our emphasis was on maintaining a secure browser configuration
baseline across an enterprise. We focused particularly on the flexibility of
critical configuration settings and the ability to manage them in a

We concluded that while the others may be acceptable for home users, IE 7.0
the clear choice for corporate environments. The combination of innovative
security features and--perhaps most important--IE's superior capability for
administering granular security configuration controls makes it the best
business choice.

Are They Safe?
Overall, Netscape, Firefox and IE all do a good job protecting against
phishing schemes and scripting attacks, but we found several new
that move IE 7.0 ahead of the pack. We analyzed, tested and compared the
browsers in eight key areas:

1. Scripting languages
IE 7.0 has greater flexibility in configurations that can be set to control
Microsoft languages to include ActiveX and the .Net Suite (ASP, VB and C#).

IE 7.0 alone has introduced controls against cross-site scripting (CSS/XSS)
cross-domain (XD) scripting attacks by preventing an attacker from
a user or session to an untrusted resource from within a current browser
object. We tested this feature by sending an XD attack to IE 7.0 and
attempting--without success--to redirect a user to a foreign site and carry
current browsing cookie.

Firefox fell short in site-by-site scripting configuration. It does not
you to specify down to the scripting language level what permissions each
should have--a huge Netscape and IE advantage. Netscape and IE allow you to
specify whether Java, ActiveX, JavaScript and even images should be run or
displayed on specific sites. In addition, both Java and ActiveX are disabled
default--a prime example of Microsoft's secure by default philosophy; you
designate the site as trusted before it's allowed to run these scripts.

2. SSL
In light of the known vulnerabilities and exploits of SSL 1.0 and 2.0, all
browsers support the more secure SSL 3.0 and TLS 1.0. IE 7.0 goes a step
further: TLS is enabled by default, and SSL 2.0 is no longer supported.
Netscape and Firefox both enable SSL 2.0, along with TLS and SSL 3.0, by

3. User information
All three browsers allow the user to delete potentially sensitive
information--history, off-line content (e.g., media player content in temp
files), cookies, temporary files cache, registry modifications and other
sensitive data.

Unfortunately, all this deleted information is readily accessible using
such as Undelete or ActiveWin. Deleting data may defeat the casual snoop,
don't depend on this feature for strong security. IE 7.0 has a nice feature
that permits a user to delete all "sensitive" information via the click of a
single button. Firefox and Netscape require a bit more navigation within the
browser options tab. Netscape and IE both permit you to automatically
data deletion such as browsing history.

4. Multi-threading
All three browsers feature site-parsing engines that can spawn multiple
for retrieving data and thus download faster (Firefox was the first to
integrate this feature, a key to its early popularity). The security concern
with multi-threading is the browser's ability to secure each of, say, 1,000
concurrent sessions spawned on a site. We tried to compromise individual
tunnels using man-in-the-middle attacks to inject untrusted code, but all
browsers thwarted our attempts.

5. URL Obfuscation
An offshoot of the antiphishing capabilities in all of the browsers are
ability to identify sites that may be attempting to obfuscate their URL
patterns. For instance, a malicious site that wants to get your credit card
information might launch a browser window that looks exactly like your
bank. While it might look and feel like your Acme Bank site,,
in reality, the hidden URL would have shown it was coming from the clever

IE 7.0 requires each Web site to display its URL, while Firefox and Netscape
still retain the option to hide the address bar. Additionally, IE 7.0 allows
you to limit the URL character set to the language of your choice, thwarting
hackers who use foreign characters to fool users. While the option to hide
address bar embraces user-friendliness, it limits the ability of
trying to centrally manage these configurations.

6. Pop-ups
Pop-ups are at best an annoyance, at worst a lure to malicious sites. Each
tested browser is generally effective at blocking pop-ups. Netscape's and
controls are a little more granular, permitting designated sites to allow
pop-ups and storing them as a site security property, while Firefox has a
single button to block pop-up windows. However, Firefox has a configurable
whitelist of sites that will permit pop-ups, so there's really little

Most important is the evolution of the technical controls over pop-up
mechanisms, which are launched via Web scripting languages such as ActiveX
Java. All three browsers disable new window calls that use this technique.
However, our testing revealed some mysterious and sometimes malicious
client-side applications. For example, many P2P programs surreptitiously
install a number of applications that can launch new pop-up windows from an
underlying system call. The browsers are all susceptible to this technique.

7. Passwords
Password maintenance is a serious security issue: Unencrypted, easily
passwords are prime prey for attackers. No worries on that score. All three
browsers store application passwords with AES encryption and hide the actual
characters from plain-sight view. Nevertheless, password transmission should
really be the main concern. We'd love to see the browsers notify users when
they are about to send a password in clear text over the Internet.

8. Phishing
Phishing attempts, orchestrated by organized criminals, are a major factor
identity theft and a serious threat to online consumer confidence. Using
engineering, attackers lure users to convincingly fake Web sites, usually on
hijacked servers.

All three browsers have taken first steps to help thwart phishing and alert
users that they may be on a potentially bogus site, but the jury is still
on how much they really will help.

Firefox users can download a free antiphishing toolbar from Web services
provider Netcraft (also available for IE 6.0), while IE 7.0 and Netscape
this capability in native code. All three rely primarily on a blacklist of
known phishing sites. This is helpful, but phishing sites are notoriously
moving targets--they're taken down as soon as they're discovered, and the
crooks simply move to another hijacked server.

IE 7.0 also uses a parsing engine that can potentially identify threats
based on
string patterns.

Corporate Control
No security features are worth much in a corporate environment if managers
configure and control them globally. In addition to superior security
IE 7.0 really stands out in its ability to manage configurations across the

More than Firefox or Netscape, IE 7.0 allows you to create browser policies
configurations that can be saved and leveraged across an entire
In fact, if your organization uses Active Directory, IE 7.0 is the only
choice from a management perspective.

While there's still no browser-embedded capability to centrally create
configurations based on specific users or computers, you can create
browser configurations either through your AD implementation or enterprise
imaging program.

AD is the better choice, since nearly all configuration controls--mostly
registry settings--can be captured in a .INI file. The file can be
via SMS or commercial product, as opposed to an entire disk image every time
you want to introduce new configuration settings or create specialized disk
images for select groups. Further, because IE was designed to work with AD,
can control all of its more robust configuration options through this
mechanism; the only way to manage all of the other browsers' more limited
feature sets is through disk images.

The Vulnerability Caveat
Microsoft's track record on vulnerabilities hardly inspires confidence. The
Department of Defense's NIST National Vulnerability Database lists 152
IE vulnerabilities in the last three years alone. Keeping up with patches
configuration controls, and the nagging anxiety about the next critical hole
the stuff of nightmares for security managers.

The assertion that Firefox is inherently more secure because it will have
vulnerabilities is open to debate. Since its release, 102 vulnerabilities
been reported, according to NIST. (Version 1.0 was announced in November
though pre-1.0 betas were generally available for download and scrutiny.)
Netscape had just 39 reported vulnerabilities in the last three years.

Numbers can be deceptive, though. IE is a mature product, so the continued
discovery of large numbers of vulnerabilities is a real concern. On the
hand, it can be argued that the plethora of Firefox vulnerabilities is just
initial spike, typical of new applications.

Moreover, Firefox is under the close scrutiny of the open-source community,
which is likely to uncover lots of issues early and, adherents argue, offer
fixes as well. On the other hand, Microsoft defenders will argue that as a
commercial software supplier, Redmond is obligated to address
quickly. It's typical of the open source/closed source debate, which we
presume to resolve here.

Adoption of alternative browsers is also fueled by attackers' preference for
exploiting IE's vulnerabilities because of the huge install base, especially
among businesses. Of course, the other side of that coin is that, as Firefox
becomes more popular, it's a more attractive target.

Naturally, there's no way to know what the future holds. Microsoft claims it
invested heavily in quality control and security testing, and promises that
7.0 will be more secure than past browsers.

Netscape and Firefox share common base code, so most Netscape
will impact Firefox, while vulnerabilities in new Firefox code won't affect
Netscape. Firefox 1.5 still shows its common roots with Netscape,
configuration options, parsing and cryptography code. This is in part
it is a product of open-source community development.

And none of these browsers offers iron-clad protection against sloppily
applications that leave them vulnerable to exploitation by attacks such as
stack overflows and heap corruption.

Let's just acknowledge a few solid truths: All browsers have had major
vulnerabilities and will continue to have new vulnerabilities; in the end
browsers will be confined by your network bandwidth and will be relatively
similar in their download capabilities. None of them will protect you
the next malicious code threat yet to be discovered and released. The very
you can do is protect against all known threats, trust only those few sites
that you indeed trust, and restrict all others.

IE 7.0, at least for the near term, presents a solution that will help
the desktop's browsing environment better than the competition. The real
question will come down to who's spent the time needed in security testing,
how many major vulnerabilities will be found in 2006.


Jeimy J. Cano, Ph.D, CFE
Universidad de los Andes
Bogota, D.C

Editor of "Critical Reflections on Information Systems. A systemic approach"

Este correo y su contenido son confidenciales y exclusivos para su
destinatario. Si usted recibe este mensaje por error o no es el destinatario
del mismo, por favor sírvase eliminarlo y notificarle a su originador. Así
mismo, todas las ideas y reflexiones expresadas en esta comunicación
corresponden al originador del correo y NO representa la posición oficial de
This email is intended only for the addressee(s) and contains information
may be confidential, legally privileged. If you are not intended recipient
please do not save, forward, disclose or copy the content of this email.
delete it completely from your system and notify originator.Finally, all
ideas expressed in this communication are personal comments and NOT
official position of his employer.
Para enviar sus mensajes, por favor hacerlo a segurinfo (at) (dot) co [email concealed]

Lista de Seguridad Informática - SEGURINFO
ACIS - Asociación Colombiana de Ingenieros de Sistemas
Sitio Virtual:

* Toda la información enviada a través de esta lista es de carácter
académico y
educacional, por tanto, los participantes se comprometen a usar de manera
responsable todo el material práctico y específico que en ella se publique.
En razón a los anterior, cualquier acción no autorizada que se efectúe
utilizando recursos de esta, exonera a la lista SEGURINFO y a ACIS de toda
responsabilidad en el hecho.

* Recuerde las normas de cortesia en el correo electronico en:

____________________ AVISO LEGAL ________________
Este mensaje y sus anexos son confidenciales e interesan solamente
a su destinatario. No hay renuncia a la confidencialidad o privilegio
por cualquier transmision equivocada o erronea. Si usted ha recibido

este mensaje por error, debe borrarlo en su totalidad de su sistema

y notificar de tal hecho al remitente. Cualquier divulgacion, copia,

distribucion o accion tomada por accion o por omision en relacion
a ello esta prohibida y constituye un delito hacerlo. Cualquier opinion
o consejo contenidos en este mensaje dirigido a nuestros clientes, esta
sujeto a los terminos y condiciones de los contratos vigentes con BANCAFE

y solo interesan a las partes contractuales.

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus