Baddies prefer Firefox and Opera
Paul Royal from security firm Purewire has analysed which browsers are being used by the administrators of exploit websites. He was trying to learn about the preferences of those hackers who deliberately exploit security vulnerabilities in browsers for their own nefarious purposes. It will be no surprise to readers of The H to learn that Firefox was the most popular browser, since the Mozilla browser already accounts for over 60 per cent of our readership. What is surprising, however, is that Opera, with a mere three per cent share of the global market, is the browser-of-choice of 26 per cent of exploit operators. Even amongst our readership the Scandinavian browser has no more than a nominal presence of around three to four per cent.
Upon closer examination, the statistics do not claim to be particularly representative, since Royal's information was gathered from just 15 different sites. More intriguing than his findings, however, are Royal's methods. He put JavaScript code into the data that the browser sends to the web server when users visit the site. If the application used to display website statistics was not careful enough to filter it out, the code simply became embedded. When the web masters viewed their logs, their browsers executed the code. Royal deliberately chose sites pushing the LuckySploit and UniquePack exploit kits, which evaluate the referrer, but which have rather inadequate filtering. The web masters' browsers then involuntarily sent identifying data to a server under Royal's control.
This security problem has been under discussion for a number of years. It is known as persistent cross-site scripting because the JavaScript code is stored on the server. It is particularly dangerous when it succeeds in smuggling the code into log files, since code can then execute using the security context of the administrator, and even steal his authentication cookies.
Incidentally, The H's associate in Germany noticed the trick eight years ago. In the aggregate browser statistics for heise Online in April 2001, a reader left the following browser identification:
Mozilla/4.0 (compatible; MSIE 5.5) <script>alert('hi you');</script>
(djwm)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
