Why the Browser?

Adam Maruyama

By Adam Maruyama

Commercial

Government

One of the frequent questions we get during conversations with customers and cybersecurity professionals when discussing the Garrison ULTRA cloud service is: why focus on securing the browser from malicious webcode? It’s a completely reasonable question, given that webapp API vulnerabilities, OS exploits, and social engineering attacks can also put organizations’ security at risk. But among the potential attack vectors, the web browser stands out as the point of vulnerability that is simultaneously the most critical to organizational success, the most vulnerable to attack, and the most difficult to harden. As a result, we believe that it’s important to take an asymmetric approach to the threat of malicious webcode by using hardware security principles that allow users to access the wealth of information available on the Internet while shielding them from the threats of ransomware, spyware, and other malware associated with processing web code natively.
It’s hard to debate the business value of the web browser, a protean platform that increasingly serves as the basis of business applications that were once the provenance of desktop software, including productivity (Office 365 and GSuite), IT workflow (Service Now), and customer relationship management (Salesforce). But even if we discount the rise of cloud-based webapps as a temporary trend, the web browser is the fastest and most accessible way to access a wealth of information and resources – and in an age when information advantage is the strategic advantage in business, operations, and security, foregoing the web browser and the information it provides is simply not an option.

But the multifaceted nature of web browsers and their technical function – taking publicly-available webcode off the open Internet and processing it natively on the endpoint – makes them an attractive and inherently vulnerable target for attackers. The use of open-source libraries to process much of this webcode, while a large enabler of web browsers’ high feature velocity, also provides attackers with additional visibility and opportunities to exploit browsers. Finally, the highly concentrated nature of a web browser market in which almost 90% of users were concentrated across the top three vendors – Chrome (66%), Safari (18%), and Edge (5%) – makes identifying vulnerabilities and developing browser exploits a high return on investment proposition for attackers.

The attractiveness of targeting web browsers isn’t merely theoretical, either. Google’s review of zero-days in 2023 indicates that there were 19 zero-day vulnerabilities in browsers in 2023, comprising 31% of all zero-days in end user platforms like browsers and operating systems (as opposed to enterprise technologies) and 20% of all zero-days. These included vulnerabilities exploiting a vulnerability in the open-source library responsible for processing .webp images (CVE-2023-4863) that impacted both Chromium (Chrome and Edge) and Apple Webkit (Safari) browser stacks. The pace of attacks has only increased going into 2024: in May alone, Google disclosed and patched four zero-days in Chrome. Google’s review assessed that 55% of exploits against these zero-days were developed by commercial surveillance vendors (CSVs) such as the NSO Group to enable surveillance by governments and other well-funded actors.

It’s important to note that the proliferation of vulnerabilities in the browsing stack isn’t for lack of trying or talent on the defenders’ part. Improvements to the security of Chrome that were implemented after a rash of free-after-use memory attacks to the browser in 2022 resulted in the elimination of free-after-use attacks in 2023 – a testament to Google’s commitment to a strategic approach to patching. But many of the remaining browser vulnerabilities targeted the inherently insecure JavaScript framework as well as open-source software libraries like libwebp. Developing secure versions of these frameworks could prove costly, and divergence in codebases could even cause breakages in web pages and apps that are critical to business operations. The complication, combined with the browser’s core function – taking a variety of content from the public Internet, processing it consistently, and presenting it to the user – makes securing the codebase an impossible task.

Because the browser itself cannot be fully secured – and is debatably a violation of zero-trust network architecture (ZTNA) principles – most organizations rely on compensating controls to protect themselves from malicious webcode. Starting at the network perimeter, organizations may use a combination of protective or zero-trust DNS (PDNS/ZTDNS) services, URL category filters, and endpoint and network security services (EDR/XDR/MDR) to protect themselves. What all of these have in common, however, is that something must be identified as “bad” – or at least “not good” – before the controls take effect. For example:

  • PDNS/ZTDNS only confirm that a site’s identity aligns with what it claims to be; it does not protect against malicious content on a legitimately-controlled site.
  • URL category filters generally index on content rather than security of pages, and those categories that do assess security rely on identifying “known bad” code; they do not stop users from going to established sites that host fresh zero-day code on them.
  • BDR/XDR/MDR solutions identify malicious code or behaviour on the endpoint or network and isolate it; they do not identify novel patterns of malicious behaviour or code (i.e., zero-days).

Because these solutions are reactive and rely on some indicator before activating defenses, they do not protect against the zero-days that nation-state actors – either via internally-developed capabilities for APTs or CSV-developed capabilities for others – use to compromise and surveil systems and cyber criminals use to deploy ransomware and steal data.

At Garrison, we see this as a problem that will only get worse. With AI-driven exploit development accelerating the time to weaponization for vulnerabilities, the rise of ransomware as a service (RaaS) decreasing the bar to entry for criminals, and a growing number of nation states turning to CSVs to target individuals and organizations. By using the Garrison ULTRA® hardware-enforced, cloud-hosted remote browser isolation (RBI) platform to turn browsing into an interactive video stream, we sidestep the problem of malicious code by allowing it to run on our hardware – hardware that’s regularly reset at a firmware level to a known-good-state – instead of yours. This approach uniquely removes the risk of executing malicious code that could give criminals, nation-state actors, or CSVs a foothold into your corporate systems while not jeopardizing your organization’s business outcomes. To learn more about ULTRA or to arrange a free evaluation, contact us.

About
Adam Maruyama
Adam Maruyama is a cybersecurity and national security professional and the current Field CTO for Garrison Technology. He served more than 15 years in the Intelligence Community supporting cyber and counterterrorism operations, including numerous warzone tours and co-leading the drafting of the 2018 National Strategy for Counterterrorism. During his time in industry, Adam has served commercial and government customers at McKinsey & Company and Palo Alto Networks.