Tools to prevent drive-by attacks
The Client Approach
After you have secured your own web service against the injection of malware and exploit kits, the next task is to protect your clients on the network. To measure the extent of potential security problems, you first need an inventory of the browser plugins and any other Internet software. Client management systems, such as ACMP (Aagon) OPSI (UIB), Altiris (Symantec), or Empirum (Matrix42), have appropriate inventory modules that help accurately record and evaluate the software used along with software versions. These tools will help you develop and roll out a patch management policy for the affected applications without user intervention.
Another group of browser-checking tools is focused on home users or administrators who only have to manage a few computers. For example, the Anti-Botnet Advisory Center, also an initiative of the Internet industry association, eco, offers a review of the browser and the installed plugin versions. If the browser check finds outdated plugins, you can update by clicking a button. Unfortunately, this solution only really works reliably for popular plugins like Java and Flash. If you use specific plugins, such as the Citrix Receiver, you still need to take care of the update manually.
The same applies to the rather simplistic Check Your Plugins service by Mozilla [19]. The Qualys BrowserCheck [20] (Figure 3) does a better job, offering to install its own plugin optionally for a more intensive investigation. If this plugin is installed, it doesn't just identify most plugins reliably, it also offers advanced scanning methods – at least for Windows. You can check your current browser, as well as other installed browsers, and check the operating system security settings and the status of Microsoft patches. Qualys Business Edition – a version of the browser check for administrators – is also free. After registration [21], you can download an MSI version of the browser check plugin in the Settings section of the dashboard, which can be used to feed the plugin to Windows PCs from a central location. Alternatively, you can use a download URL for the plugin and a Quick Scan URL. The results of the scans are not sent to the user but displayed directly on the administrator's dashboard.
Automated Updates
Antivirus vendor F-Secure takes a different approach with its new software updater. Customers who already use the F-Secure Cloud Solution Protection Service for Businesses (PSB) [22] to manage their corporate systems can now deploy the software updater to manage computers along with the antivirus client from a central location, ensuring that no outdated browsers and plugins are used. The list of supported software [23] is quite impressive – in addition to the usual suspects, such as Java, you will find candidates like Foxit Reader and the VLC media player.
BLADE (Block All Drive-by Download Exploits) is a project in the making that was created with the support of the US National Science Foundation, the U.S. Army Research Office, and the Office of Naval Research (Figure 4). BLADE consists of a series of Windows kernel extensions to prevent hidden binary installations during a drive-by attack.
BLADE is being tested by the initiators with the most common browsers and daily emerging malware links; some zero-day attacks have apparently also been used in the past six months. According to the testers, BLADE has so far blocked 100 percent of the attacks, at least according to the results of evaluation lab, which are published regularly [24]. BLADE is not yet available, but in the next phase, a free version will be available for download.
HTML5 and NoScript
Browser extensions like NoScript or Flashblock can help prevent drive-by attacks. However, these plugins are of no benefit if they are installed in an outdated browser. Additionally, the don't really attempt to find any malicious code but simply disable features such as JavaScript or Flash. Because many sites are practically unusable without JavaScript, these tools are therefore probably more suitable for IT professionals. The upcoming HTML5 standard will certainly contribute to greater safety because plugins such as Flash are no longer required for displaying video, thus reducing the number of products with software vulnerabilities.
Another approach to client protection is not to use locally installed browsers or other Internet software. Instead, the browser is launched in an enclosed environment, like a virtual machine. As an alternative, you can use a Live medium (e.g., a Linux Live DVD or a USB flash drive) and run the browser installed there. One reason not to use Live media, of course, is the overhead of the necessary reboot and the quick obsolescence of browsers on Live CDs. Sirrix [25] offers Browser in the Box, a solution in which the browser is launched in a local VirtualBox VM. The VM is based on a hardened Debian 6 Linux with SELinux and the current Firefox browser. The single-user version is available for download free of charge; the enterprise version is only supplied in combination with a web gateway and a management system.
« Previous 1 2 3 Next »
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Armbian 24.11 Released with Expanded Hardware Support
If you've been waiting for Armbian to support OrangePi 5 Max and Radxa ROCK 5B+, the wait is over.
-
SUSE Renames Several Products for Better Name Recognition
SUSE has been a very powerful player in the European market, but it knows it must branch out to gain serious traction. Will a name change do the trick?
-
ESET Discovers New Linux Malware
WolfsBane is an all-in-one malware that has hit the Linux operating system and includes a dropper, a launcher, and a backdoor.
-
New Linux Kernel Patch Allows Forcing a CPU Mitigation
Even when CPU mitigations can consume precious CPU cycles, it might not be a bad idea to allow users to enable them, even if your machine isn't vulnerable.
-
Red Hat Enterprise Linux 9.5 Released
Notify your friends, loved ones, and colleagues that the latest version of RHEL is available with plenty of enhancements.
-
Linux Sees Massive Performance Increase from a Single Line of Code
With one line of code, Intel was able to increase the performance of the Linux kernel by 4,000 percent.
-
Fedora KDE Approved as an Official Spin
If you prefer the Plasma desktop environment and the Fedora distribution, you're in luck because there's now an official spin that is listed on the same level as the Fedora Workstation edition.
-
New Steam Client Ups the Ante for Linux
The latest release from Steam has some pretty cool tricks up its sleeve.
-
Gnome OS Transitioning Toward a General-Purpose Distro
If you're looking for the perfectly vanilla take on the Gnome desktop, Gnome OS might be for you.
-
Fedora 41 Released with New Features
If you're a Fedora fan or just looking for a Linux distribution to help you migrate from Windows, Fedora 41 might be just the ticket.