28

I know malware can be gotten by downloading and running stuff, but is there a real possibility of just viewing a webpage or clicking a link and getting one?

Assuming using only Firefox / Chrome and only the Flash plugin.

Perhaps I should rephrase the question like this: How many drive-by viruses have been discovered in the past couple of years for Firefox, Chrome, and the Flash plugin?

Anders
  • 64,406
  • 24
  • 178
  • 215
Startup1
  • 383
  • 2
  • 5

2 Answers2

25

You can lookup vulnerabilities at http://cve.mitre.org/. "CVE is a dictionary of publicly known information security vulnerabilities and exposures."

A rough search of:

  • Firefox, returns 888
  • Chrome, returns 729
  • Flash, returns 371

Further filtering of the severity of these would need to be done, but this gives an upper bound of found vulnerabilities.

http://web.nvd.nist.gov/view/vuln/search allows for the filtering based off of time period, with only CVE checkbox selected, searches of 3 years, and 3 months gives the following respectively:

  • Firefox, returns 391, 64
  • Chrome, returns 653, 80
  • Flash, returns 227, 16
Malady
  • 109
  • 4
Phillip Nordwall
  • 1,024
  • 9
  • 13
  • Thank you very much. A quick search of that site has been the best convincer. – Startup1 Jul 30 '12 at 17:56
  • 1
    This makes clear that it is possible, but it answer the question of how many viruses have been discovered. Those databases count the number of *vulnerabilities*, not the number of viruses/malware that exploit one of those vulnerabilities. – D.W. Jul 01 '14 at 16:28
18

Yes, this is one hundred percent possible:

  • Browsers are huge programs, containing script engines, markup parsers, rendering engines and even audio / video codecs. Any of these parts could have a vulnerability, which might be exploited.
  • Browers run JavaScript, which is a Turing-complete language, making it nearly impossible to analyse what it is doing ahead of time. There's a near infinite number of ways to express the same code. Obfuscation via eval makes this even harder. This also means it's ideal for dropping payloads.
  • Certain browsers also allow alternative script types, such as VB Script. This can open up futher security holes.
  • Flash is a semi-privileged plugin, which has access to some files on your system. Searching for "flash malware" on Google returns ~54 million results. The CVE database shows around 1200 unique Flash vulnerabilities.
  • You might be convinced into downloading a document (e.g. PDF) that represents an exploit against a 3rd party vulnerability. This is often used in email, where executables and scripts are usually blocked.
  • Browsers often have markup (e.g. the object tag) that is used for certain plugins. Sometimes you don't even have to have installed or enabled a plugin for it to be a security vulnerability - look at how IE6 handles ActiveX for example.
  • You might drop some personal information into a website, which is later used for a spearphishing attack, resulting in infection.
  • You don't even have to have a vulnerable browser. Accessing a website could add your IP address to a list of targets to scan, which might result in you getting infected via a remote code execution vulnerability.
  • An attacker could use HTML5 to turn your browser into a botnet zombie, without actually infecting your machine. Send your thanks to Bob McArdle for the great presentation on that one, by the way!

As Phillip said in his answer, you can read up on vulnerabilities in the CVE database, which you can search at NVD. You could also search sites like OSVDB, exploits-db and packetstorm.

Polynomial
  • 132,208
  • 43
  • 298
  • 379