Browser security

Browser security is the application of Internet security to web browsers in order to protect networked data and computer systems from breaches of privacy or malware. Security exploits of browsers often use JavaScript, sometimes with cross-site scripting (XSS), sometimes with a secondary payload using Adobe Flash. Security exploits can also take advantage of vulnerabilities (security holes) that are commonly exploited in all browsers (including Mozilla Firefox,〔Keizer, Greg. "Firefox 3.5 Vulnerability Confirmed". Retrieved 19 November 2010.〕 Google Chrome,〔Messmer, Ellen and NetworkWorld. "Google Chrome Tops 'Dirty Dozen' Vulnerable Apps List". Retrieved 19 November 2010.〕 Opera,〔Skinner, Carrie-Ann. "Opera Plugs 'Severe' Browser Hole". Retrieved 19 November 2010.〕 Microsoft Internet Explorer,〔Bradly, Tony. "It's Time to Finally Drop Internet Explorer 6". Retrieved 19 November 2010.〕 and Safari〔"Browser"〕).
==Security==
Web browsers can be breached in one or more of the following ways:
* The operating system is breached and malware is reading/modifying the browser memory space in privileged mode
* The operating system has malware running as a background process, which is reading/modifying the browser memory space in privileged mode
* Main browser executable can be hacked
* Browser components may be hacked
* Browser plugins can be hacked
* Browser network communications could be intercepted outside the machine
The browser may not be aware of any of the breaches above and may show the user that a safe connection has been made.
Whenever a browser communicates with a website, the website, as part of that communication, collects some information about the browser (in order to process the formatting of the page to be delivered, if nothing else).〔"HTTP Transactions"〕 If malicious code has been inserted into the website's content, or in a worst-case scenario, if that website has been specifically designed to host malicious code, then vulnerabilities specific to a particular browser can allow this malicious code to run processes within the browser application in unintended ways (and remember, one of the bits of information that a website collects from a browser communication is the browser's identity, allowing specific vulnerabilities to be exploited). Once an attacker is able to run processes on the visitor's machine, then exploiting known security vulnerabilities can allow the attacker to gain privileged access (if the browser isn't already running with privileged access) to the "infected" system in order to perform an even greater variety of malicious processes and activities, on the machine or even the victim's whole network.
Breaches of web browser security are usually for the purpose of bypassing protections to display pop-up advertising, collecting personally identifiable information (PII) for either Internet marketing or identity theft, website tracking or web analytics about a user against their will using tools such as web bugs, clickjacking, likejacking (where Facebook's like button is targeted), HTTP cookies, zombie cookies or Flash cookies (Local Shared Objects or LSOs); installing adware, viruses, spyware such as Trojan horses (to gain access to users' personal computers via cracking) or other malware, including online banking theft using man-in-the-browser attacks.
Vulnerabilities in the web browser software itself can be minimized by keeping browser software updated,〔"Web Browser Attacks"〕 but this will not be sufficient if the underlying operating system is compromised, for example, by a rootkit. Some subcomponents of browsers such as scripting, add-ons, and cookies〔"Cross Site Scripting Attack"〕〔"Mitigating Attacks on the Web Browser and Add-Ons"〕〔"Two new attacks on SSL decrypt authentication cookies"〕 are particularly vulnerable ("the confused deputy problem") and also need to be addressed.
Following the principle of defence in depth, a fully patched and correctly configured browser may not be sufficient to ensure that browser-related security issues cannot occur. For example, a rootkit can capture keystrokes while someone logs into a banking website, or carry out a man-in-the-middle attack by modifying network traffic to and from a web browser. DNS hijacking or DNS spoofing may be used to return false positives for mistyped website names, or to subvert search results for popular search engines. Malware such as RSPlug simply modifies a system's configuration to point at rogue DNS servers.
Browsers can use more secure methods of network communication to help prevent some of these attacks:
* DNS: DNSSEC and DNSCrypt, for example with non-default DNS servers such as Google Public DNS or OpenDNS.
* HTTP: HTTP Secure and SPDY with digitally signed public key certificates or Extended Validation Certificates.
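A defender-side check for the DNS-changer behaviour described above (malware repointing a system at rogue DNS servers): the following Python example, added here and not part of the original article, audits resolv.conf-style text against an allowlist of expected resolvers. The allowlist contents, the internal 10.0.0.0/24 range and the sample file are assumptions constructed for illustration.

```python
import ipaddress

# Resolvers this host is expected to use (assumption for the example):
# Google Public DNS, OpenDNS, and a hypothetical internal range.
EXPECTED = [ipaddress.ip_network(n) for n in (
    "8.8.8.8/32", "8.8.4.4/32",
    "208.67.222.222/32", "208.67.220.220/32",
    "10.0.0.0/24",          # hypothetical corporate resolvers
)]

def parse_nameservers(resolv_conf_text):
    """Return the nameserver entries from resolv.conf-style text, in order."""
    servers = []
    for raw in resolv_conf_text.splitlines():
        # Drop '#' and ';' comments, whether whole-line or trailing.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def audit_resolvers(resolv_conf_text, expected=EXPECTED):
    """Return (address, reason) findings for resolvers outside the expected set."""
    findings = []
    servers = parse_nameservers(resolv_conf_text)
    if not servers:
        findings.append(("", "no nameserver configured"))
    for s in servers:
        try:
            addr = ipaddress.ip_address(s.split("%", 1)[0])  # drop IPv6 zone id
        except ValueError:
            findings.append((s, "not a valid IP address"))
            continue
        if not any(addr.version == n.version and addr in n for n in expected):
            findings.append((s, "resolver not in expected set"))
    return findings

# Constructed sample: one expected resolver plus two entries a DNS changer might add.
SAMPLE = """\
# generated by dhclient
nameserver 8.8.8.8
nameserver 203.0.113.53   ; TEST-NET-3 address standing in for a rogue server
nameserver 2001:db8::53
search example.internal
"""

if __name__ == "__main__":
    for address, reason in audit_resolvers(SAMPLE):
        print(f"ALERT {address or '-'}: {reason}")
```

Running the same audit on a schedule and alerting on any change to the finding list catches a resolver swap even when the browser itself still shows a normal connection.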
Perimeter defenses, typically through firewalls and the use of filtering proxy servers that block malicious websites and perform antivirus scans of any file downloads, are commonly implemented as a best practice in large organizations to block malicious network traffic before it reaches a browser.
The topic of browser security has grown to the point of spawning the creation of entire organizations, such as The Browser Exploitation Framework Project, creating platforms to collect tools to breach browser security, ostensibly in order to test browsers and network systems for vulnerabilities.

Excerpt source: Wikipedia, the free encyclopedia