Thursday, 12 May 2011

VMware still promoting a very old "browser-appliance.1.0.0"

I was on the VMware site earlier this week, and noticed that they are still hosting a very old "browser-appliance.1.0.0". (I got this in a "promoted link" when I was looking for virtual appliances.)

http://www.vmware.com/appliances/directory/80

Back in 2006, this was intended to be a "safe" virtual browser environment.

"The Browser Appliance allows users to securely browse the Internet using Mozilla Firefox. Run the Browser Appliance with VMware Player to - Protect Against Adware and Spyware and Safeguard Personal Information"

You would use the browser in the VM, instead of your own browser, to improve your internet security, but it is way too old, and if you were to use this now, you would be reducing your security a great deal.


Attacking this platform

I took a look at this version, from an attack perspective:
  • It is Ubuntu 5.10, with a 2.6.12 kernel and Firefox 1.0.7.
  • It also has no inbuilt security features, such as antivirus, anti-spyware, or script detection.
  • These types of appliances have known default passwords, and it doesn't prompt you to change them.
There are many known vulnerabilities against these versions, enabling complete system compromise.

If you use it, the VM can easily be compromised, and any subsequent browsing you do through it will be at risk (not to mention that, once the VM is pwned, it can be used to pivot an attack against your internal network).

I can imagine someone downloading this (or still using this from yesteryear) to do their internet banking.


VMware recommending this to me this week is craziness!

I wonder how many other problem VMs are getting promoted on the site. Does anyone clear old ones off?

Here is a more up-to-date equivalent.

http://www.vmware.com/appliances/directory/507083

However, I question whether this is a valid approach for web security. It's a kind of cheap way of running a web-security proxy, but the platform is soon going to be out of date, so the average user would have to keep replacing the VM to get a secure version. If they forget, they become an easy target.
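A version check makes the "if they forget" failure mode visible before the appliance is used. The following is an added example, not part of the original post: the `audit` function, the baseline versions and the sample command output are assumptions constructed for illustration, with the sample matching the versions listed above.

```python
import re

# Assumed policy: minimum acceptable versions. Illustrative values only;
# set them to whatever is currently patched when you run the check.
BASELINE = {"os": (10, 4), "kernel": (2, 6, 32), "firefox": (4, 0, 1)}

# How to pull a dotted version out of each command's output
# (lsb_release -ds, uname -r, firefox -version).
PATTERNS = {
    "os": re.compile(r"Ubuntu (\d+(?:\.\d+)+)"),
    "kernel": re.compile(r"^(\d+(?:\.\d+)+)"),
    "firefox": re.compile(r"Firefox (\d+(?:\.\d+)+)"),
}

# Constructed sample: output as it might look inside the old appliance.
SAMPLE = {
    "os": 'Ubuntu 5.10 "Breezy Badger"',
    "kernel": "2.6.12-9-386",
    "firefox": "Mozilla Firefox 1.0.7",
}


def parse_version(component, text):
    """Return the version as a tuple of ints, or None if it cannot be read."""
    match = PATTERNS[component].search(text.strip())
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def audit(inventory, baseline=BASELINE):
    """Compare collected version strings against the baseline.

    Returns a list of (component, found, reason) for every component that
    is older than the baseline or whose version could not be determined.
    """
    findings = []
    for component, minimum in baseline.items():
        found = parse_version(component, inventory.get(component, ""))
        wanted = ".".join(str(n) for n in minimum)
        if found is None:
            # An unreadable version is reported, never silently passed.
            findings.append((component, "unknown", "cannot verify >= " + wanted))
        elif found < minimum:
            shown = ".".join(str(n) for n in found)
            findings.append((component, shown, "older than " + wanted))
    return findings


if __name__ == "__main__":
    for component, found, reason in audit(SAMPLE):
        print(f"STALE {component}: {found} ({reason})")
```

An empty result means every component meets the baseline; anything else is a reason to replace the VM before browsing with it.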


Bootnote: This is a handy platform for practicing your Metasploit hacking skills, but use it "Host-only" and don't surf the web with it!

4 comments:

  1. BTW - I did report this to VMware (I do believe in "doing something" rather than just complaining) - however, VMware have not done anything or responded to my request.

  2. When you browse the web using a VM you should never save any changes to the VM. That way you cannot be compromised for longer than a session. If you reduce your browsing in the VM to secure places you are fairly safe even for that one session, however outdated your software is.

  3. I disagree with that. Many legitimate sites are vulnerable to XSS, and other forms of script or header injection, meaning that redirection is often possible on many sites and exploiting old browser versions is relatively trivial for a skilled attacker.

    You also have the issues of session hijacking and credential theft, and the fact that most users use the same passwords on several sites.

    Even if you only visit "one website", modern content distribution means that your browser will be getting content from many servers, and several providers (even just visiting one online email provider; Hotmail for example, I can see from a packet-trace that my browser had downloaded content from over 30 different systems, and many 3rd parties)

    Yes, it is a good idea to limit your browsing to "legitimate sites", but the above issues collectively mean that the client needs to be strong, and to be more secure the OS, browser, and plugins need to be patched up to the latest versions.

  4. Very helpful tips information. Thanks for sharing.
