In the current world with employees working from anywhere and most business applications delivered via internet-hosted web applications, web browsers have become an employee’s digital workspace.
For better or worse, web browsers collect tons of sensitive information—including passwords stored in password managers, credit card data, and personal information. This information is valuable for hackers to sell, extort, or use to gain access to other systems.
In addition to all the data collected, vendors frequently update consumer browsers with new features. For example, Google released 12 updates to Chrome in 2023, while Microsoft released 12 Microsoft Edge updates in the same year. This high velocity of code churn can add vulnerabilities that attackers could exploit.
A total of 296 vulnerabilities were reported in Google Chrome in 2023. During the same period, six vulnerabilities were reported in Microsoft Edge and 41 vulnerabilities in Apple Safari.
Many of these vulnerabilities will persist until threat actors exploit them or someone reports them. As long as these vulnerabilities remain undiscovered, they are always available for exploitation. Even with regular browser updates, end users will always be exposed to unknown or zero-day vulnerabilities.
In 2023, Google fixed eight zero-day vulnerabilities:
- CVE-2023-2033: Type confusion in V8
- CVE-2023-2136: Integer overflow in Skia
- CVE-2023-3079: Type confusion in V8
- CVE-2023-4762: Type confusion in V8
- CVE-2023-4863: Heap buffer overflow in WebP
- CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx
- CVE-2023-6345: Integer overflow in Skia
- CVE-2023-7024: Heap buffer overflow in WebRTC
Let’s take an example of the latest zero-day vulnerability, CVE-2023-7024. This high-severity heap buffer overflow in the WebRTC component could enable a remote attacker to escape the sandbox and execute arbitrary code on the host system.
Once hackers get remote access to the Chrome browser, they can see the user’s browsing history, most visited sites, and login credentials, among others. Furthermore, malicious extensions can download malware to establish a backdoor to maintain persistence or redirect traffic to an exploit server.
There are multiple ways that hackers can exploit browser vulnerabilities. The following are just some examples:
- Drive-by downloads. Simply loading a webpage initiates the download of a malicious payload. End users don't have to click on anything, press download, or open a malicious email attachment to become infected. Drive-by downloads usually take advantage of an unpatched vulnerability in the browser.
- Exploit kits targeting browsers. Hackers can send phishing emails with exploit kits. A person clicks on a link in a phishing email, which opens a malicious page in their browser, which can then exploit an unpatched vulnerability in the browser. Take an example of the Magnitude exploit kit that targeted CVE-2021-21224, and CVE-2021-31956 in the browser to escape the Chromium sandbox.
- Meddler-in-the-browser. This is a form of a meddler-in-the-middle attack where attackers compromise a web browser by inserting themselves into the communications channel between two trusting parties. Adversaries can take advantage of security gaps or manipulate inherent browser functionality to change content, modify behavior, and intercept information.
The Palo Alto Networks browser-based product offerings reduce your organization's risk from browser-native attacks. Prisma Access Browser has unique security hardening and controls, and Remote Browser Isolation (RBI) for Prisma Access can help completely protect you from zero-day browser vulnerabilities.
Three Ways RBI for Prisma Access Minimizes Zero-Day Browser Vulnerability Impact
1. Keep the browser up to date.
We continually update our RBI for Prisma Access production browser to ensure there is a minimal gap between it and the latest available Chromium build. Our production browser is often an advanced and more secure build than the browser many employees use at any given point in time.
2. Sanitize the browser environment.
Malicious actors often exploit plugins and browser extensions to execute vulnerabilities like the ones described above. Bad actors use plugins and browser extensions to deliver malware to the end user and even skim and steal data that the user enters on webpages, without their knowledge.
We keep our RBI for Prisma Access production browser environment sanitized by not allowing the installation of any third-party extensions or plugins. We even prevent extensions and plugins running on local browsers from accessing or interacting with the isolated webpage when an employee uses RBI for Prisma Access.
3. Provide a true no-code execution environment.
An isolated browser session mitigates even unidentified vulnerabilities.
RBI for Prisma Access operates under the Zero Trust principle that unknown websites contain dangerous content and need to run in a containerized and isolated cloud environment. That way, no code ever reaches the end user’s browser, preventing security incidents and data breaches that could originate from drive-by downloads, phishing-based exploit kits, and meddler-in-the-browser attacks, among other threats.
RBI for Prisma Access
Web browsers have become the most important business applications to access the internet and business-critical web applications. However, zero-day vulnerabilities in web browsers continue to pose significant risks from threat actors who can execute remote code, steal data, or crash systems.
Find out how RBI for Prisma Access seamlessly embeds Zero Trust web isolation to protect against these attacks, while simultaneously providing a near-native web browsing experience.