Wednesday, January 30, 2019

Secure Translations - Old Browser Support - Part 7 of Many

Is your service provider stopping old or unpatched browsers from using their application? Is your Language Service Provider delivering secure translations? Let us start with a browser support test. Open Google Chrome, go to your service provider's web application and press Ctrl + Shift + J on Windows/Linux or Cmd + Opt + J on macOS. When the DevTools panel shows up, click the three-dot menu button on the right, choose More Tools, then Network Conditions. Scroll to the User Agent section, untick "Select automatically" and pick, for instance, "Internet Explorer 7". Reload the page so that the request is sent with the spoofed User-Agent header.

Did you get a page stating that your browser must be updated? No? Then your service provider is not delivering secure services, because it lets an old, unsupported browser in. Repeat the test with each of the legacy user agents in that list to verify that your service provider blocks all of them. If you are using a Language Service Provider (LSP) that fails this test, then they are not delivering secure translations to you.

As of today (2019-01-30) there are already over 100 reported vulnerabilities affecting Internet Explorer this year. Before that, in 2018, there were over 2000 reported Internet Explorer vulnerabilities. Six years ago I started supporting only the latest version of any browser, Internet Explorer included, and in that post you can see several security and cost issues associated with delivering software that supports insecure browsers.

There is a fundamental issue with Internet Explorer. Microsoft decided to embed it in the Windows Operating System, and that was a bad decision for two reasons: an exploit against a browser that is part of the OS has a much bigger impact on the affected system, and upgrading the browser usually means that the user must also upgrade the Operating System. Therefore I would say that if Microsoft really wants to promote Internet Explorer as a secure browser, they should separate it from the Operating System and upgrade it automatically as soon as a critical flaw is detected. Until then I would say use one of the alternative browsers on the market. I personally recommend Chrome just because of the tremendous investment in security that Google has put behind that browser.

The ENISA Threat Landscape Report 2018 reveals how serious IE issues are:
"The trend of web browser based (drive-by) exploit-kits is continuing. According to Malwarebytes spring and summer report, the majority of exploit kits were observed in Asia. This might be related to the continued use of Internet Explorer (Japan, South Korea) in this part of the world. Apart from known browser type exploit-kits, researchers observed an increase in drive-by downloads labelled as “pseudo exploit-kits”. These types of exploit-kits typically miss a solid infrastructure and often result from a single malicious software developer/actor copy and pasting from leaked or POC-type exploits.
In the topic of browser type exploits, Internet Explorer (CVE-2018-8174) and Flash (CVE-2018-4878) have been the most weaponised vulnerabilities for this type of web-based attacks."
Even Edge is problematic, and Microsoft has announced its intent to base its browser on the Chromium project. Hopefully they will completely decouple the browser from the OS. Until then I personally suggest avoiding any browser supplied by default with Microsoft Windows. This will also make it cheaper to build web applications, as IE and Edge rendering issues will no longer need to be addressed.

This is the 7th post in my Secure Translations series, and this time I am discussing the threat related to old browser support.

As usual, let us use our simple yet effective quantitative risk management framework to analyze this threat.
  • Threat: Companies love to cast a wider net, so they tend to support any browser, even versions with well-known, actively exploited vulnerabilities.
  • Asset: Web applications and all the assets they handle.
  • Vulnerability: Users on old browsers are likely to be compromised, and those users access company resources. A computer controlled by criminals can probe the application with the victim's valid session without being noticed, escalate privileges, access other users' data and beyond.
  • Risk: The impact of supporting an old, compromised browser is high, limited only by the number of vulnerabilities that a logged-in user can find. The likelihood is also high, because an exploited machine is usually full of malware that attackers can control remotely. Therefore the risk is high.
  • Safeguard: Do not grant access to your application from any browser version with known vulnerabilities. Steer users towards browsers that are not embedded in the OS, such as Chrome, which is without a doubt the safest browser on the planet at the time of this writing. Keep in mind that the User-Agent header is supplied by the client and is trivially spoofed (this very post shows how), so a User-Agent gate keeps honest users off vulnerable browsers but is not a security boundary against a deliberate attacker; it complements, rather than replaces, server-side authorization and input validation. Check browser support for absolutely all service providers, including your LSP's online Translation Management System (TMS), and reach out to them to make sure they update their applications. An LSP that allows access to any of their services from an insecure browser cannot provide secure translations. While it is OK to cast a wider net on your corporate website, be aware that marketing forms could be a target for criminals. What would be a serious mistake is to allow old browsers to interact with the service itself. As explained in this post, change your user agent and try your current LSP with it; if they accept an old version of a given browser, be aware that they cannot provide secure translations.

In the next post I analyze the risk related to lack of training, in particular the lack of internal hacking drills that truly educate employees on cyber-defense practices.

You can follow the "Secure Language Translations" series on this blog, on LinkedIn, Twitter or Google+. My objective is to educate executives and managers, but also to help engineers reduce organizational risk through sound security measures.
