San Francisco -- Threats against browsers are getting more sophisticated and branching out into such exotic areas as gaming, experts told attendees at RSA Conference 2008.

New attacks from games and virtual-world Web sites can deliver bot-like control of browsers to attackers, said Ed Skoudis, a security consultant with Intelguardians, speaking at RSA. All that's needed is for the infected image of an avatar to appear. "The character walks into view of the screen, and I take over the box," he said.

Compromised browsers can act as a stage to launch further hacking of computers, Skoudis said. An attack could shut off corrupted machines' keyboard and mouse control, making it more difficult to stop. Or a compromised browser could escalate a machine's network privileges, and even change time stamps in registries to mask the attacks from later forensic investigation, he said. (Compare forensics tools.)

Browser attacks can be layered so an infected site might divert a browser to another site that barrages it with a broad spectrum of attacks, seeking vulnerabilities to take advantage of, said Rahit Dhamankar, head of security research for TippingPoint Technologies.

Such Web-based attacks can even be more effective than individuals banging away at machines, Dhamankar said. At a recent hacking contest, participants tried to compromise laptops running Vista, Mac and Ubuntu Linux operating systems for an entire day without success. The next day those same machines were allowed to browse the Internet and became infected by Web sites they visited, he said.

Phones with browsers are subject to similar hijacking, Dhamankar said, and he has seen vulnerabilities found in specific phones posted for sale on the Internet.

The vulnerabilities extend to applications that plug into or integrate with browsers, such as flash readers. "They become a large attack surface," said Michael Montecillo, an analyst with EMA attending the conference.

Attacks are carefully crafted, Montecillo said. For instance, a criminal seeking to take over the machines of wealthy people might hack the Web site of a well-heeled church in an affluent community so it downloads malware to vulnerable machines that connect with it. "Such a site exploit might go unnoticed for a long time," he said.

Whitepapers

• Getting in Compliance With Government Data Regulations By Leveraging Online Security Technology
• How to Offer the Strongest SSL Encryption
• Maximizing Site Visitor Trust Using Extended Validation SSL
• Seven Steps to Reducing your Security Risk
• The Latest Advancements in SSL Technology
• Vulnerability Management For Dummies

View more SECURITY whitepapers

Webcasts

• Mobile Data Security
• Best Practices for Deploying WAN Optimization for Disaster Recovery
• Key Considerations for a Successful 802.11n Deployment
• Solutions to the Toughest IT Challenges in Remote Offices
• Lowering the Cost of Email Archives
• High Availability for SQL Server 2005 Using Array-Based Replication and Host-Based Mirroring Technologies

View more SECURITY webcasts

Special Reports

• The Evolution of Network Security
• Taking Virtualization Up a Notch
• The self-managed network

View more SECURITY special reports