February 17, 2009


Your Browser Wears No Clothes
Why Fully Patched Browsers Remain Vulnerable
by Michael Sutton
Sponsored by Zscaler

Abstract

Gone are the days when installing the latest security patches and avoiding questionable web sites meant a safe web browsing experience. Today, attacks regularly require no client-side vulnerabilities whatsoever and leverage reputable web properties to attack unsuspecting visitors. Modern attacks combine social engineering with intended browser functionality to frighteningly effective ends. It is becoming commonplace to see attacks leveraging popular social networking sites such as Facebook, MySpace, Twitter, etc. While a handful of attacks take advantage of vulnerabilities within the sites themselves, most take advantage of the open nature of such sites. A driving principle of so-called web 2.0 sites is not to build a site for users, but rather to let users build the site themselves via user-generated content. This fact has not been lost on attackers, who take advantage of this open structure to host malicious content designed to target visitors to the site. As servers become increasingly locked down, attackers are shifting their attention to end users. A fundamental challenge in developing a successful client-side attack is getting victims to visit a malicious site, a challenge that is trivial if the attack can be hosted at an already popular destination. This talk will study a variety of recent attacks that succeeded against fully patched browsers. We will also discuss what can be expected from attackers going forward and what enterprises should be doing to protect against such attacks.

About Michael Sutton

Michael Sutton has spent more than a decade in the security industry conducting leading-edge research, building teams of world-class researchers and educating others on a variety of security topics. As VP of Security Research, Michael heads Zscaler Labs, the R&D arm of the company.

Prior to joining Zscaler, Michael was the Security Evangelist for SPI Dynamics (acquired by HP) and a Director at iDefense (acquired by VeriSign) where he led iDefense Labs. Michael is a frequent speaker at major information security conferences; he is regularly quoted by the media, has authored numerous articles and is the co-author of Fuzzing: Brute Force Vulnerabilities, an Addison-Wesley publication. Michael holds degrees from the George Washington University and the University of Alberta.

February 17, 2009 6:30 PM

Radio Free Asia Conference Room

2025 M St. NW – Street Level

Washington DC

Please RSVP by email if you plan to attend.