Blog

Browsers are a perpetually permeable attack surface. In 2024, new critical and high severity vulnerabilities have been continuously found in Google Chrome. Is your blue team prepared to quickly identify a breach in Chrome or other web browsers being used across your organization? 

The sheer number of vulnerabilities affecting Chrome is staggering. At the start of July, over 50 critical or high severity vulnerabilities have been reported so far in 2024 and more are surely on the way. Several of these are tracked as actively exploited by CISA KEV. Also, since many popular modern browsers including Microsoft Edge, among others are built on the Chromium browser engine, the scope of these vulnerabilities go beyond Google Chrome to impact almost all users on the internet today. The Packetlabs blog has previously discussed how alternative browsers that use Chromium "under the hood" may fall behind with Chromium security updates, making them even more vulnerable.

Number of vulnerabilities disclosed monthly in Google Chrome by severity

These known vulnerabilities pose significant risks to internet users and organizations relying on browsers for their daily operations and organizations must take measures to ensure all available updates have been applied. However, when building browser specific security controls, it's important to remember that even unknown "zero-day" vulnerabilities are still lurking in even the most up-to-date browser.  

Also, browsers are not only susceptible to direct exploitation when a user visits a malicious website, but are the number one vector used in social engineering attacks as well. Malspam and phishing attacks are often used to steal credentials, and can even be used to steal MFA tokens from unsuspecting users. 

In this article we will review some best practices for hardening browser security in 2024 and review some more advanced measures you can take to close the browser security gap and monitor against exploitation of yet undiscovered zero-day vulnerabilities. 

11 Fundamental Web Browser Best Practices In 2024

By now, we have all heard the standard Internet security advice: always install updates promptly, only visit sites you trust, inspect the lock in the browser URL bar to ensure HTTPS is encrypting your communication, don't reuse passwords on multiple sites, and always, always use MFA for critical web applications. 

In this article we will focus on some less commonly known browser settings that can be adjusted and other measures for increasing browser security and privacy when browsing the Internet. Some of these items below apply to all browsers equally, while others may be available in only one browser or another.

• Clear Cookies And Data After Each Restart: Latent web-cookies can be used in session hijacking attacks, to spoof an authenticated connection and access an account. Clearing the browser’s cache prevents these from being available to attackers who may gain access to a system and install InfoStealer malware. The browser's history and auto-fill cache can also be configured for auto-erase but some convenience is lost at the expense of security. 

• Use A VPN On Untrusted Networks: On untrusted networks, every device between a client system and destination resource (also known as the server in the client/server architecture model) could be a potential Adversary in the Middle (AiTM) point to compromise the connection and steal data including sensitive credentials or inject code to launch attacks against the browser. By using a secure and trusted VPN users can better ensure their data is protected against intermediary devices that could attempt to break the  SSL/TLS encryption to steal data. 

• Disable The Chrome V8 Engine: The Chrome V8 engine, while powerful for JavaScript execution, has been the subject of numerous recent memory corruption and remote code execution vulnerabilities. Disabling it can protect against such exploits, although at the cost of slightly reduced speed in JavaScript-heavy sites. Note that this mitigation only applies to Chrome, while Firefox uses its own JS rendering engine known as SpiderMonkey and Safari uses JavaScriptCore.

• Install An Ad Blocker: Another way that malicious code could enter into the browser is via malvertising. By blocking ads from being rendered in the browser, defenders can prevent potential browser exploitation and many social engineering attacks that could be embedded by rouge advertising code. 

• Enable Strict HTTPS Settings: All major browsers can enforce strict HTTPS settings that forces the browser to only connect to websites with a secure HTTPS connection. This reduces the risk of man-in-the-middle attacks and ensures data integrity and encryption over the network.

• Block Third Party Cookies: Blocking third-party cookies enhances privacy by preventing tracking companies from collecting information about your browsing habits. This helps mitigate risks associated with behavioral tracking and targeted advertising. Google has promised to remove support for 3rd party cookies altogether, but these plans have been repeatedly delayed. 

• Remove Trust For Questionable CAs: Not all Certificate Authorities (CAs) maintain the same level of security and integrity. Recently in the news, Google announced it will remove support for the Entrust CA due to poor cybersecurity hygiene. Each major browser honors a slightly different group of Certificate Authorities (CAs) and only Firefox allows the CA trust cache to be directly modified. By manually auditing trust from questionable CAs, you can also safeguard against malicious entities that might get their certificates erroneously trusted by a browser, thereby averting Adversary-in-the-Middle (AiTM) attacks and data interception.

• Keep Your Password Manager Outside Of the Browser: Password managers typically use stronger encryption than browsers built in password storage, and have additional features like random password generators and security auditing for reused or weak passwords. However, while some password managers also offer built-in MFA token authentication it's important to note that this also creates a single point of failure where a stolen master password can lead to unauthorized account access that would otherwise be prevented by a mobile app MFA authenticator.

• Avoid Untrusted Extensions: Only install extensions from trusted sources or directly from the browser's official web store. Untrusted extensions can contain malicious code that compromises your browser's security, steals personal information, or injects ads into web pages.

• Ensure Secure DNS Is Required: Configuring your browser to use Secure DNS (DNS-over-HTTPS) prevents DNS hijacking and spoofing attacks by encrypting DNS queries. This makes it harder for attackers to redirect you to malicious websites by tampering with DNS responses.

• Periodically Power Cycle The Device: Regularly restarting your device can clear out the RAM, terminating any processes that may be running unintentionally or maliciously in the background. This simple act is the subject of an NSA's advisory for mobile devices, but applies to desktop devices as well. Restarting a device can disrupt certain types of malware that only run in memory.

Advanced Measures For Hardened Web-Browser Security

Here are some more advanced measures for real-time monitoring of browser security and security assessments that can benefit overall security related to social engineering that could take place via the browser. 

• Use Browser Isolation Technology: Browser isolation technology separates browsing activity from the underlying system, running it in a secure and potentially - a remote environment in the case of Remote Browser Isolation (RBI). This technology prevents any malicious code in a web page from executing on the user’s device, effectively containing and neutralizing threats before they can cause harm. It is particularly useful in protecting against zero-day exploits which can be purchased on illegal and grey markets and drive-by downloads.

• Use EDR To Detect Browser Exploitation: If your browser has been compromised by malicious website content, or a AiTM attacker, advanced cybersecurity products such as Endpoint Detect and Response (EDR) technology can provide increased security by detecting a compromised browser application when it attempts to execute attacker supplied code in memory, or spawn child processes to further exploit of the underlying host. 

• Conduct Purple Teaming Exercises: Purple teaming involves both the offensive (red team) and defensive (blue team) approaches collaboratively to better detect security breaches. By simulating real-world attacks and testing defensive responses, Purple Teaming Assessments help organizations to identify weaknesses in their security posture and improve their detection and response strategies. This proactive approach helps ensure that security teams are better prepared to handle all forms of new and evolving threats - including browser-based attacks.

• Use A Trusted Threat Intelligence App: Many security products and even browser extensions can analyze the domains or contents of web pages you visit to provide real-time threat intelligence. By alerting you about domains that have been flagged for malicious content, you can avoid potentially harmful sites and prevent security breaches. This proactive monitoring is essential for staying ahead of threats, especially those involving phishing and malware distribution sites.

• Network Booting Systems With Secure Baseline: Using network booting from a secure, immutable baseline can significantly enhance security by ensuring that devices start with a clean state free of malware every time they are started. This method prevents the persistence of any malicious software that might have been introduced in a previous session. It's particularly effective in environments where endpoint integrity is critical, such as in financial institutions or sensitive government operations. By centralizing the management of boot images, administrators can also easily apply security updates and configurations, ensuring all networked systems adhere to the latest security protocols and hardening standards.

Conclusion

The browser is a perpetually vulnerable attack vector for both software exploits and social engineering. In 2024, the prevalence of vulnerabilities in the Google CChromium engine underscores the importance of rigorous browser security practices. This article outlines some fundamental browser hardening essentials as well as advanced techniques like browser isolation and EDR systems to combat sophisticated threats like remote code execution and social engineering attacks.

These combined strategies help to form a comprehensive defense for browser focused activities, ensuring safer internet use amidst rising cyber threats.