But the problem isn’t limited to the browser itself. The browser hosts mutliple add-ons and helper applications in an extremely complex runtime environment to offer the user seamless access to rich media content (PDF, webex, video streaming and so on). These add-on programs have (naturally) their own vulnerabilities. Adobe and Oracle issue frequent updates for their leading browser add-ons, Adobe Acrobat Reader, Adobe Flash Player, and Java. Recently, Microsoft announced that MMPC (Microsoft Malware Protection Center) had blocked over 6 million Java attacks in a single quarter. The problem for the enterprise is that any one of these updates may render the browser environment incompatible with business-critical applications – and it may be practically impossible to back out of the update. To avoid this situation many enterprises now freeze end-user deployments with a specific, tested Java release or service pack level of Microsoft’s Internet Explorer despite the security risks of not running the latest updates.

The winners, in this situation, are the security software vendors, continuously developing new solutions to install on the end-point platform (antivirus, antispyware, anti-malware…), each one slowing the PC down a little more, and mostly incapable of preventing an attack launched against the latest 0-day vulnerability. One way of resolving the problem would be to deploy a separate machine for each application, on every user’s desktop; isolated and correctly configured, security and performance could be optimized — for a certain cost. Fortunately for the bottom line, there’s the Virtual Browser solution.

Other new features in version 2.1 include support for VNC, complementing the already supported Citrix and TSE remote desktop environments. With this technology Virtual Browser can be deployed as a universal telecommute/mobile office environment, delivering remote access to the corporate intranet, web services, virtual desktop environments and even physical desktop systems.

Version 2.1 also offers new levels of flexibility in user interface management. A key feature of the Virtual Browser architecture is that the rendering engine and user interface are separate entities. This means the system administrator can decide what look-and-feel is presented to the user independently of the underlying browser technology and plugins.  For example, with version 2.1 the user can be presented with an Internet Explorer-like user interface while the Virtual Browser appliance is in fact executing Firefox. In the enterprise environment where the slightest change to an application UI can impact productivity as ingrained users habits are challenged, this feature can greatly facilitate application updates and migration while limiting the impact on the end-user population.

Up to now Virtual Browser (like most remote display/desktop technologies) managed video display by sequentially transfering a series of static images from the server to the client, a process which consumes an excessive amount of bandwidth, puts an excessive load on the server, and delivers a frequently unsatisfactory result for the end user (jerky films, interruptions, and the like).

This wasn’t very satisfactory for us either. We attach a lot of importance to the user experience, so we decided to take a closer look at the problem of streaming and remote display technology. Thibault, one of our R&D engineers, analyzed the situation in depth, leading to us developing and implementing two modifications to our solution which will have a significant positive impact on user of experience of video streaming:

• Dynamic selection of lossy or lossless image compression algorithms according to the image type detected (photo/graphic, static/dynamic).
• On-the-fly identification of dynamic zones (especially videos) and the generation of an MPEG streaming channel to optimise transfer, instead of transfering sequential static images.

These changes are currently under test, and we expect to roll them out with release 2.1 at the end of the month.

The McAfee report also discusses the recent growth in exploits taking advantage of vulnerabilities in helper applications and browser plug-ins such as Adobe Acrobat and Flash. And they highlight the risk of HTML 5.0 “blurring and removing the lines between a web application and a desktop application”. The need for the enterprise to isolate different web usages based on security policies will become increasingly urgent in 2010.

Virtual Browser release 1.3 delivers support for transparent authentication modes so that, for example, user authentication for Virtual Browser sessions can be based on Windows logon credentials. On the server side, Virtual Browser can now integrate ICA and RDP clients, opening up a whole new range of possibilities for enterprise deployments.

Looking ahead, the objective is to position Virtual Browser as the universal client for the Cloud Computing era. For the enterprise moving to Cloud-based solutions, Virtual Browser offers a single, centralized point of control for multi-platform access to any web-enabled or virtualized application, wherever it’s hosted. By integrating support for ICA and RDP clients on the Virtual Browser server, end users can access web applications and Citrix or TSE applications through a single, secure, multiplatform browser interface.

It’s worth remembering that even the most well-informed users can fall victim to a web-based attack. It happened to well-known security expert Gadri Evron, who unwittingly helped propagate a worm on Facebook. While Facebook reacted quickly to the attack, it’s interesting to note the propagation method was based on clickjacking rather than on XSRF as some early blog posts said.

The latest release offers improved performance, but more importantly for enterprise deployments multi-server support means that high availability and load balancing features are now available. It’s also possible to configure individual web sessions so that they are isolated on separate physical servers, optimizing network topologies and performance and further reinforcing application security.

Eagerly awaited by our most demanding users, these new features guarantee continuity of service for Virtual Browser end-users independently of the failsafe mechanisms offered by the underlying platform (the Virtual Browser server is designed for installation in VMware environment), while also improving scalability, optimizing performance when very large numbers of sessions are open simultaneously.

• Strong authentication based on X.509 certificates increases protection for the enterprise and reduces the risk of security being breached by simple password theft from a compromised terminal.
• Role-based administrator access ensure that each admin only has the authority to execute authorised tasks (eg configuration, monitoring, etc).
• An IE6 rendering engine provides support for older web-based applications, incompatible with more recent browsers.
• Virtual Browser client installations are now available for Apple Macintosh OSX and Linux platforms, in addition to the Microsoft Windows client.

Additional minor modifications have been made to improve performance and ease of use, so that Virtual Browser remains the best solution for secure web access in the enterprise.

What do we face:

• A critical vulnerability in the Flash player (at least in version 9 and 10) which can be exploited from all browsers and OS when accessing a compromised website (drive-by attack) or when viewing a malicious PDF using Adobe Acrobat Reader ;
• Both exploitation methods have already been seen in the wild ;
• No mitigation methods except removing the Flash player or some of its components ;
• Javascript desactivation will not protect against all kind of exploitation ;
• Adobe will not release security updates until July 30.

What do you do ?

• After the vulnerability in the Video Control component which is still not patched by Microsoft, it is now the Office Web Components Control which is actively exploited on Internet to take ownership of Internet Explorer by executing remode code… [Microsoft Security Advisory 973472]
• Mozilla has quickly published Firefox 3.5.1 to fix a critical vulnerability in the Javascript engine which can be used to execute remote code. Since then, a new vulnerability has been discovered but Mozilla argue that it is not exploitable, it is just a DoS vulnerability…
• Google has published in advance a new version (2.0.172.37) of Google Chrome which fix two critical vulnerabilities discovered by the Google security team (not yet public). On these two vulnerabilities, the sandbox technology used by Google is only able to mitigate one…
• Apple has fixed two critical vulnerabilities in Safari 4.0.2 : cross-site scripting, denial of service and remote code execution…