A critical ingredient in today’s browser exploits is active content. In the modern web, active content comes in two predominant forms: Flash and JavaScript. Regardless of form, active content executes in the context of the user’s browser and enables significant attacker control and visibility into the browser’s workings and vulnerabilities. For instance, active content enables the attacker to discern memory locations (address space disclosure), influence data layout (heap spray), and dictate code generation (JIT spray)—all of which are key techniques in crafting a successful exploit.

Modern endpoints have built-in defenses against simple browser exploits, but active content execution enables determined adversaries to bypass these defenses with sophisticated, multi-stage attacks. In particular, two pervasive defenses—Data Execution Prevention (DEP/NX) and Address Space Layout Randomization (ASLR)—thwart simple code injection and Return-Oriented Programming (ROP) exploits, respectively. However, with the aid of active content, an exploit can bypass both DEP and ASLR, typically by triggering a secondary vulnerability—one that, for instance, reveals the memory location of native code. The exploit can then use that code to craft ROP code sequences that execute the attacker’s bidding.
Browser isolation is a technology that offers a solution to the security challenge posed by executing active content on the endpoint. It centers around the notion of an isolated browser—a web browser that loads and runs pages, including all embedded active content, inside a contained environment in the cloud with the goal of isolating any potential browser infection away from the endpoint. Menlo Security’s patented Adaptive Clientless Rendering™ (ACR) is the core technology used in the Menlo Security Cloud Platform (MSCP). In a clear departure from traditional VDI-based video streaming technology, ACR combines a web-based delivery vehicle with a greater understanding of the isolated page to simultaneously enable clientless deployment and a native user experience.