By Dan Goodin in San Francisco
23rd June 2008
User beware. Today's web browsers offer more security protections than
ever, but according to security experts, they do little to protect
people surfing the net from some of the web's oldest and most crippling
Like nuclear stockpiles during the Cold War, new safety features amassed
in Firefox, Internet Explorer and Opera are part of an arms-race
mentality that leaves online criminal gangs plenty of room to launch
attacks. What's more, the new protections often take years to be
implemented and months to circumvent. Meanwhile, shortcomings that have
bedeviled all browsers since the advent of the World Wide Web go
Earlier this week, Mozilla patted itself on the back for adding a
security feature to Version 3 of Firefox that's of only marginal benefit to
its users. It prevents users from accessing a list of websites known by
Google, and possibly others, to be spreading malware. Opera Software, in
a move its CEO proclaimed "is reinventing Web-based threat detection,"
added a similar feature to version 9.5 of its browser released two weeks
ago, and Microsoft engineers are building malware blocking into IE 8.
Here's the rub: According to our tests over the past week, the Firefox
anti-malware feature frequently failed to block sites compromised by one
of the most prevalent SQL injection exploits menacing the web. Outcomes
varied from minute to minute, but clicking on results returned from
searches such as this and this (we strongly recommend you don't try this
at home) led us to dozens of compromised websites even with Firefox's
gee-whiz malware protection feature turned on.
Firefox 3 does block nihao11.com and the half-dozen or so other domain
names that are referenced in the injection attack, so there is some
benefit to the feature. But its inability to flag a huge number of
websites that have been compromised shows the limits to such an
approach. Similarly, researchers from Websense report here that they
"found multiple phishing pages that still made it through" anti-phishing
mechanisms that have existed for more than a year in Firefox. Because
they rely on static blacklists built from behavior reported weeks or
months earlier, these features often fail to detect quick-moving
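To make the limitation concrete, here is an added example (not code from the article, Mozilla or Google) that models a host-based blocklist of the kind these browser features use and runs it against a constructed page hit by a mass SQL-injection attack. nihao11.com is the payload domain named above; the victim host "compromised-shop.example", the page contents and the script path are assumptions made for the demonstration.

```javascript
// Added example: a static, host-keyed blocklist check versus a page that a
// mass SQL-injection attack has seeded with a <script> tag pointing at the
// attacker's domain. Everything here is constructed for illustration.

// The blocklist knows the payload domain named in the article, nothing else.
const BLOCKLIST = new Set(["nihao11.com"]);

// Constructed victim page (host and path are assumptions): legitimate content
// whose database-backed output now carries an injected script reference.
const PAGE_URL = "http://compromised-shop.example/products.asp?id=7";
const PAGE_HTML = `<html><body>
<h1>Spring sale</h1>
<script src="http://nihao11.com/1.js"></script>
<p>Welcome to our store.</p>
</body></html>`;

// Lower-cased hostname of a URL.
function hostOf(url) {
  return new URL(url).hostname.toLowerCase();
}

// The blocklist check a browser performs: is this URL's host listed?
function isBlocked(url, blocklist = BLOCKLIST) {
  return blocklist.has(hostOf(url));
}

// Pull external script sources out of the HTML (a simple regex is enough
// for this constructed page; a browser would use the real parser).
function scriptSources(html) {
  const re = /<script[^>]*\ssrc=["']?([^"'\s>]+)/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Simulate the visit: is the top-level navigation blocked, and is each
// injected script blocked? Relative script URLs are resolved against the page.
function simulateVisit(pageUrl, html, blocklist = BLOCKLIST) {
  const pageBlocked = isBlocked(pageUrl, blocklist);
  const scripts = scriptSources(html).map((src) => ({
    src,
    blocked: isBlocked(new URL(src, pageUrl).href, blocklist),
  }));
  return { pageBlocked, scripts };
}

// Hosts the blocklist would additionally have to carry in order to warn the
// user about the compromised page itself rather than just its payload. With a
// static list this is one entry per victim site, which is why the approach
// lags behind a fast-spreading injection campaign.
function hostsThatWouldNeedListing(pageUrl, html, blocklist = BLOCKLIST) {
  const loadsBlockedPayload = scriptSources(html).some((src) =>
    isBlocked(new URL(src, pageUrl).href, blocklist)
  );
  return loadsBlockedPayload && !isBlocked(pageUrl, blocklist)
    ? [hostOf(pageUrl)]
    : [];
}

// Stand-alone run: the page itself passes the check, only the script is blocked.
console.log(JSON.stringify(simulateVisit(PAGE_URL, PAGE_HTML)));
console.log(hostsThatWouldNeedListing(PAGE_URL, PAGE_HTML));
```

The result is the behaviour described above: the navigation to the compromised site is allowed because its host is not listed, and only the request for the payload script is blocked. If the attacker changes the payload domain before the list is refreshed, even that block disappears.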
"These little anti-phishing things and anti-malware things, I'm not
buying them," says Jeremiah Grossman, CTO of web application security
firm WhiteHat Security. "Are we less likely to get hacked as a result of
these features? No. If I was really the evil guy, I'll send you to a
hacked up blog page with Firefox 3 and you won't have a good day."