Here’s an interesting piece of news: Opera 10, the shiny new version of one of the finest browsers available today, has been released. It’s slick and has tons of eye candy. One really interesting part about the new version is that it lets you start what’s known as Opera Unite: this is basically a high-level plug-in which allows you to add more plug-ins/modules/functionality to your browser so that you can share files/pictures/music. The most interesting part, though, is the ability to make your browser act as a web server.
And here it comes: from my experience of how the bad guys work, limited as it may be compared to stalwarts in the industry, I think this is an immensely attractive attack vector for the malware industry.
Consider the fact that browsers almost always have flaws. Websites almost always suffer from XSS flaws which allow code injection, browser hijacking, session stealing, cookie manipulation and whatnot. Combine this with the fact that a lot of people still download email attachments carelessly and will click on phishing links. If you are still reading, let me throw in the fact that AVs are not 100% accurate by any standard… not even close.
My prediction: there’s an attack coming which will exploit the Opera Unite functionality. It will be loosely based on XSS and will inject malware pages directly into a user’s computer, and those pages will be served up by the Opera Unite web server.
Another interesting twist: Opera now provides the ability to have what you share on your computer listed in search engine results. So hey, if you want to infect a large number of machines, propagate malware via search engine results… this could be a good way to go. For those of you who are thinking Google’s Safe Browsing will definitely profile the bad search entries, I have two words: polymorphism and scale.
Google does have the capability to add 6000+ bad sites to its malware hash list every day, and they are probably testing 50-60 times that number anyway, but hey, to profile a whole mal-net based on Opera browsers would be something.
Of course the Opera team, which is excellent, would definitely do its bit to protect its users, and hence the time window for exploitation would be short. However, problems (functionality/XSS) still remain which can be exploited; see below.