Beware The Browser-based Attack

“It’s an ongoing spy-versus-spy problem,” Randall Palm, director of IT services for CompTIA, told internetnews.com. “The better we get at stopping one attack, the better they get at exploiting other vulnerabilities.”

Of 900 organizations surveyed, 36.8% said they were victimized by one or more browser-based attacks, up from 25% last year.

A browser-based attack is essentially malicious code contained within a Web page that appears harmless. The attacker uses the browser and the user's system permissions to sabotage or disrupt computer functions.

A number of browser-based vulnerabilities have been exposed, many of them affecting Microsoft’s Internet Explorer. Just last week, CERT flagged a yet-unpatched flaw that makes use of Compiled Help Files (CHM).

In February, a Frame Exploit was discovered that grabs keystrokes. Microsoft last patched Internet Explorer in February against the URL spoofing exploit.

Ken Dunham, director of malicious code at iDefense, was not surprised by CompTIA’s finding; his firm has also noted a dramatic increase in malicious code delivered via Web browsers.

“This should not be a surprise to anyone in the computer security world, but may surprise some home users,” Dunham said. “With the number of successful exploits against various IE vulnerabilities in recent months it’s a huge problem.”

See the complete story on internetnews.com.