New browser threat sneaks by traditional defences

'DNS rebinding' is a threat to corporate data

An undetectable browser exploit that bares corporate networks to attackers tops the list of the most potentially effective new attacks that have been devised by researchers seeking vulnerabilities to take advantage of, according to a study by White Hat Security.

The one attack deemed most serious is called DNS rebinding in which attackers turn victims' browsers into web proxies that do the attackers' bidding, says Jeremiah Grossman, CTO of White Hat Security who, with the help of other experts, compiled the top 10 list of new threats as he has each year since 2006.

The attack works by tricking browsers into seeking internal servers on the victim's network under the direction of the attacker, who can order it to find and send corporate data to an outside machine, Grossman says. The browser exhibits no behaviour out of the ordinary, and DNS servers are not tampered with, he says.

"It's pretty much impossible to see. It leaves no traces," Grossman says.

The deceit starts with the attacker setting up a website. When a victim tries to reach the site, the browser seeks a DNS resolution to turn the site name into an IP address. The site responds to DNS advertisements with the actual IP address of the site, but puts a very short time-to-live on the address. The victim reaches the site and the site downloads a malicious Java script to the victim's browser.

Once installed, the script issues a second request for the IP address of the attack site, and this time the site responds with an IP address of the type typically used for internal networks, so the browser essentially connects to a server on its own network, allowing a link to the attack server.

Browsers follow the principle of same-origin, which allows machines using the same host name to connect. In this case the browser has been told that the origin host name of the two servers — the internal corporate machine and the attackers server outside — is the same, so traffic between them is allowed.

Grossman cited Stanford University researchers who spend US$100 on advertising to lure users into visiting their website configured to carry out DNS rebinding and managed to compromise 100,000 machines.

Since the exploit is carried out in Java script there is no malware executable to discover on victim machines. DNS servers are not compromised, so defences against pharming don't work, he says. "DNS rebinding is really bad," Grossman says.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Security IDbrowser exploit

Show Comments