A new paper on web browser security has been released by researchers from Google, IBM and CENL (the Computer Engineering and Networks Laboratory). The paper is entitled “Understanding the Web browser threat: Examination of vulnerable online Web browser populations and the ‘insecurity iceberg’” and can be viewed here.

The paper puts some data behind the well-known risks associated with web browsers and shows how the browser has become an increasingly targeted infection vector. Unlike traditional attacks, in which the attacker must connect remotely to a vulnerable host (server), browser vulnerabilities are exploited when the user visits a malicious website.

The browser's exposure to vulnerabilities is expansive, because each rendering technology contributes to it, whether a built-in interpreter like JavaScript or a plug-in like Flash. An estimated 637 million people are not using the latest and most secure browsers, and thus are vulnerable to these attacks.

According to the research, the following percentages of users were using the latest version of each browser:

  • 83.3% Firefox (38 million not on latest)
  • 65.3% Safari (17 million not on latest)
  • 56.1% Opera (5 million not on latest)
  • 47.6% Internet Explorer (577 million not on latest)

I am not surprised by the figures, although I’d be interested to see a breakdown by business vs. consumer users. I think the level of security knowledge is quite low among consumers, particularly those who use the default Internet Explorer browser. Many users may not know to, or know how to, upgrade their browsers. Such upgrades require manual intervention, something that immediately hinders the security of the browser. Given also the threat that “trusted” sites pose to malware, no end to the issue is in sight.

The study is very thorough in its analysis of browser vulnerabilities, and in recommendations to stem the issues. You can read more here.

Via eweek
