Is "Safe Browsing" all I need to do to stop malware?
BLUF: No. Safe browsing practices are a good start, but even trustworthy websites can serve malware.
Chances are someone at some point has told you that you don't need an antivirus if you practice "safe browsing". If you go to www.reddit.com/r/techsupport you'll see this come up almost anytime someone asks a question about malware; however, this isn't true at all. Today I'm going to discuss three different ways that legitimate websites can still infect your computer with malware.
Introduction: Term Definition
Before we begin with this let's define some terms.
Safe browsing is the concept of only visiting websites that are considered normal, legitimate websites. Under the concept of "safe browsing," you might not visit something like www.gravitywall.net because it's not a well-known website. While I take great efforts to mitigate the issues we'll list here, if you're judging solely by how well known something is, you wouldn't visit this site. (For reference: I use Google Sites to avoid hosting my own code and having to deal with security patches, I use Disqus to host comments and avoid XSS, and I don't run ads to avoid malvertising.)
There's no doubt that the word legitimacy is going to ruffle some feathers when talking about companies like Facebook, Reddit, and Google; but we're not talking about moral legitimacy. For the concept of legitimacy, we're talking about nonrepudiation. When you go to www.google.com you know definitively who you're dealing with. It's Google; there's no questioning that. When you visit www.gravitywall.net you don't really know who you're visiting. I simply don't have the history that Google does so there could be questions on the legitimacy of my site.
This concept is what most people use to "validate" a site as "safe" to visit or not. If they don't recognize it then they don't visit it.
Now that that's out of the way, let's discuss why "safe browsing" is not a foolproof way to keep your computer from getting a virus.
Domain jacking/Supply Chain attacks
This is probably the most common concern people know about. A website could be hijacked by an unsavory actor and used to serve malware. We saw this back in 2017 with CCleaner, Asus in 2019, and even some website builders. Even legitimate websites like Google aren't necessarily immune to this, as the human component plays a part. In 2015 Google forgot to pay their domain registration fees and ownership of google.com was bought by someone. Fortunately, this guy was responsible and sold it back to Google (for way less than it's worth), but imagine the repercussions that could have come from this. Aside from making a boatload of money off advertising, this guy could have loaded malware on the #1 most visited website in the world. He had an instant ability to serve malware to billions of computers. If you're verifying the safety of a domain by its legitimacy alone, you aren't safe from supply chain attacks.
Now I want to clarify that these types of attacks are less frequent than the next two but they are still possible.
Cross-Site Scripting (XSS)
I want to clarify one thing upfront. Malvertising is not the same thing as ad malware. Another common thing that people talk about when discussing "safe browsing" is "don't click on things". While that's certainly good advice, it's not what we're talking about. We all know what ad malware is: you're browsing your favorite hub of adult entertainment and an ad pops up telling you that your Flash is out of date. Worried that you won't get your fill and will miss out on the surprise finish, you quickly click the ad to download the Flash update. Except that update wasn't really from Adobe, and now you have a trojan. That's ad malware; malvertising is something else completely.
Imperva has a pretty great article describing the different vectors of malvertising.
As with the other examples, even "legitimate sites" have served these malicious ads. Again according to Imperva (seriously, go read that article; it's very insightful), major websites including The New York Times Online, The London Stock Exchange, Spotify, and The Atlantic have all had this issue.
The thing that separates this from other forms of compromise is that the website really has no control over it. With domain hijacking and supply chain attacks, the website hosts can make sure their systems are patched and up to date (looking at you, Equifax). With XSS, the web host needs to properly sanitize input so that user-supplied text is never trusted as script.
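To make the XSS point concrete, here is an added example that is not code from the original post or from any of the sites mentioned. It shows the difference between a comment renderer that trusts user input as markup and one that escapes it for the HTML text context first, plus a small check a reviewer can run over rendered output. The function names (`escapeHtml`, `renderCommentUnsafe`, `renderCommentSafe`, `unexpectedTags`) and the sample comments are assumptions constructed for this illustration.

```javascript
// Added example, not part of the original post. Function names and sample
// inputs are constructed for illustration.

// Constructed sample comments of the kind a comment form might receive.
// Both carry markup that a browser would execute if inserted into a page raw.
const SAMPLE_COMMENTS = [
  'Nice post! <script>alert(1)</script>',
  'Agreed <img src=x onerror=alert(1)>',
];

// Escape the five characters that matter in an HTML *text* context.
// '&' must be replaced first so later replacements are not double-escaped.
function escapeHtml(input) {
  return String(input)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: untrusted strings are concatenated straight into HTML, so any
// tag or event handler inside them becomes part of the page.
function renderCommentUnsafe(author, body) {
  return `<div class="comment"><b>${author}</b>: ${body}</div>`;
}

// Hardened: every untrusted value is escaped before concatenation, so the
// browser displays the tags as literal text instead of parsing them.
function renderCommentSafe(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Review check: list any tag names in the rendered HTML that the template
// itself did not put there. The template only ever emits <div> and <b>, so
// anything else came from untrusted input reaching the page unescaped.
function unexpectedTags(html) {
  const allowed = new Set(['div', 'b']);
  const names = [];
  for (const m of html.matchAll(/<\/?([a-z][a-z0-9]*)/gi)) {
    names.push(m[1].toLowerCase());
  }
  return names.filter((n) => !allowed.has(n));
}

// Stand-alone demonstration.
for (const body of SAMPLE_COMMENTS) {
  console.log('unsafe:', unexpectedTags(renderCommentUnsafe('reader', body)));
  console.log('safe:  ', unexpectedTags(renderCommentSafe('reader', body)));
}
```

Note that `escapeHtml` is only correct for the HTML text context; a value placed inside an attribute, a URL, or a `<script>` block needs the encoding for that context, and a templating library that escapes by default removes the chance of forgetting the call altogether.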
With malvertising, the only thing the website host can do is not run ads. Most website creators need ad revenue to keep the website running, and turning off ads would kill their revenue stream. The only option these web creators have is then to trust the ad providers to properly validate their ads; something even Google isn't fully capable of doing (although they're better about it).
Safe browsing practices are a good first step when trying to protect your security online, but they're not enough to truly keep you safe. You should always use an Anti-Virus in conjunction with safe browsing practices. Thankfully Windows Defender is free.