Non-mainstream browsers and immediate patching stymie attacks

Honeypot experiments provide clues for the wary on avoiding attack

There is a 0.02-0.6% likelihood that a given URL will successfully attack an unpatched version of Internet Explorer 6 (SP2), says security researcher Christian Seifert.

The local arm of the global Honeynet Project, which Seifert leads, has recently done some research around how to stay clear of attacks, looking at, for example, whether patching really works and if there are some areas on the web that are riskier than others.

The Honeynet Alliance used a client honeypot running Windows XP and an unpatched version of IE6SP2. Over three weeks, the team inspected 340,000 URLs from five different content categories — forums, adult sites, music sites, news sites and hacker sites. The research material included previously defaced and vulnerable sites, misspelled URLs, advertising and spam links and known bad sites.

The results showed that there was a 0.02-0.6% likelihood of URLs being able to successfully attack IE6, said Seifert, speaking at Computerworld’s Security Briefing in Auckland last week.

Not surprisingly, the research showed that you are more likely to be attacked when clicking spam links and visiting hacker sites or adult sites, he says. The risk of being attacked at an adult site was ten times the risk on a news site, says Seifert.

When it comes to adult content, 0.6% of URLs are likely to be malicious and able to successfully attack the browser used in the Alliance’s experiment, he says.

“So consider, if you browse 1000 URLs — not servers — of that category, we encountered six malicious URLs. However, other categories, like news items, were on the lower end of 0.02%.”

Seifert’s team then ran all the URLs classified as malicious through a patched version of IE6 and this time there were zero successful compromises, says Seifert. But users are still not safe, he warns. Unpatched vulnerabilities — recent examples are the VML vulnerability and the ANI vulnerability — are still a threat.

So, patching really does work, says Seifert. He strongly recommends patching quickly, and patching not only the operating system but also plug-ins and non-browser applications.

Seifert gave organisations some additional recommendations on how to avoid cyber attacks.

“Use client applications with non-administrative privileges,” he says. “Use personal firewalls that restrict outbound traffic and use a non-mainstream browser with immediate patching.”

Applying a blacklist of bad sites is also a good idea, he says.

And if you are really eager, investigate the URLs that users access using a client honeypot, or using the free URL assessment service that the Honeynet Alliance provides on its website, he says.

The Honeynet Alliance also inspected 30,000 adult content URLs, using IE, Firefox and Opera, to determine if any of the browsers were safer. The results showed that IE was more targeted than the other two, probably because IE — as the most common browser — provides a bigger market for cyber criminals, says Seifert.

The client honeypot identifies malicious servers by interacting with them using a dedicated virtual machine and monitoring any state changes on that box, says Seifert.

“If a new file appears in the start-up folder we know that that website is malicious,” he says.
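The state-change check Seifert describes can be sketched as follows. This is an added example, not the Honeynet Alliance's code: the account name, paths, hashes, the list of expected browser writes and the "review" verdict are all assumptions made for illustration.

```python
# Added example; paths, user name and hashes below are constructed.
PROFILE = r"C:\Documents and Settings\hp"  # hypothetical honeypot account
# Assumption: writes that any page visit causes, ignored as noise.
EXPECTED = [PROFILE + r"\Local Settings\Temporary Internet Files",
            PROFILE + r"\Local Settings\History",
            PROFILE + r"\Cookies"]
AUTOSTART = [PROFILE + r"\Start Menu\Programs\Startup"]

def under(path, roots):
    """Case-insensitive test: is path inside one of the root folders?"""
    p = path.lower()
    return any(p.startswith(r.lower() + "\\") for r in roots)

def diff_state(before, after):
    """Return (kind, path) for every file added, modified or deleted."""
    changes = [("added", p) for p in after if p not in before]
    changes += [("modified", p) for p in after
                if p in before and after[p] != before[p]]
    changes += [("deleted", p) for p in before if p not in after]
    return sorted(changes, key=lambda c: c[1].lower())

def assess(before, after):
    """Classify one URL visit from the VM's file state before and after."""
    unexpected = [c for c in diff_state(before, after)
                  if not under(c[1], EXPECTED)]
    if any(kind == "added" and under(p, AUTOSTART) for kind, p in unexpected):
        return "malicious", unexpected
    # Assumption: other unexpected changes are queued for manual review.
    return ("review" if unexpected else "benign"), unexpected

# Constructed snapshots: file path -> content hash, taken inside the VM.
BASELINE = {r"C:\WINDOWS\system32\kernel32.dll": "a1",
            PROFILE + r"\Cookies\index.dat": "b1"}
AFTER_NEWS = {**BASELINE,
              PROFILE + r"\Cookies\index.dat": "b2",
              PROFILE + r"\Local Settings\Temporary Internet Files\logo.gif": "c1"}
AFTER_BAD = {**AFTER_NEWS,
             PROFILE + r"\start menu\programs\startup\updater.exe": "d1"}

if __name__ == "__main__":
    for name, snap in (("news", AFTER_NEWS), ("bad", AFTER_BAD)):
        print(name, assess(BASELINE, snap))
```

Reverting the virtual machine to the baseline snapshot between visits keeps each verdict attributable to a single URL.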
