Uncovering the Top 3 Browser Vulnerabilities

Survey the browser security experts and they are full of cheery news: “Most modern browsers are very good,” said Steve Santorelli, a leading expert with Team Cymru, an Internet security research firm.

The three leading browsers by market share — Internet Explorer (around 45 percent), Firefox (a tick under 30 percent), and Chrome (about 15 percent) — “are at par, pretty much the same, and very impressive,” said Mandeep Khera, CMO at Cenzic, a developer of security tools.

“It is hard to say one browser is more secure than the others,” added Dave Jevans, founder and chairman of IronKey, a Sunnyvale security firm, and also chairman of the Anti-Phishing Working Group. “There have been a lot of improvements in browser security; they are quite good.”

What is key, said Khera, is that nowadays “the browser developers are fixing vulnerabilities as fast as they are reported. That is very encouraging.”

It is also a change from past behavior when oftentimes many weeks would pass before browser developers issued patches for publicly disclosed vulnerabilities — a time during which cyber criminals could try to beat the software developers and, sometimes, the crooks won.

So the experts award plus marks all around to the major browser creators, but hold the applause. Cheery as that top-line news is, there is a dark underbelly of deeply worrisome concerns, especially now that the browser has emerged as the single most used application on most computers.

Top 3 vulnerabilities

No.1: Santorelli fingers the first massive browser-related vulnerability: “People who are using old browsers are in danger. If your browser is three years old, you are at high risk.”

New browsers are top-drawer, old browsers definitely are not. A first step in any security program is active roll-out of browser updates. There just is no safety in old browsers, many of which simply were not very secure to begin with. Upgrading to the latest Microsoft Office probably is not as critical to most companies as upgrading to the latest browser.

No.2: The next huge vulnerability: “Plug-ins,” said Khera. New browsers are increasingly bullet-proof but, warn the experts, their plug-ins — from QuickTime to Java — are the target of criminals. “The plug-ins too need to be updated,” said Khera.

Just about any plug-in is potentially susceptible, said Jevans, who added to the list: “Flash and PDF readers also are highly vulnerable.”

The only cure is continuing reminders to users to mind the nagging update alerts from plug-in developers.

No.3: Mobile. “More people are surfing from phones and tablets, but the browsers are missing many of the security features found on desktop browsers. You are more vulnerable on phones and tablets than on PCs,” said Jevans. Worse: anti-virus and similar programs for tablets and smartphones remain in a primitive state and deployment, too, lags. That creates a huge, tempting target for criminals.

Bottom line: mobile browsers too need to be kept updated and, say the experts, users need to be reminded that the browsers running on most tablets and smartphones simply do not have the built-in protections found on the browsers running on PCs.

A big browser question: are they all created equal? Do they deliver similar protections? The experts say the big three are comparable in the safety they deliver, but they also footnote those comments: Chrome, particularly, although it may have the smallest market share of the big three, now is the target of “a lot of the malware we are seeing,” said Jevans. He added that “Google knows security” and the company has been quick to react to announced vulnerabilities but, as Chrome’s market share grows, there inevitably is more interest in attacking it.

What about browsers such as Safari (6 percent market share) and Opera (3 percent)? “If you use a lesser known browser, all bets are off. They can have a lot of vulnerabilities,” said Santorelli.

“Safari particularly has lagged,” said Jevans. “Apple just is not a security company.”

Add it up and the good news is that a late model browser with updated plug-ins delivers unparalleled protection to users but only if those users take the time to update.

Robert McGarvey – As a busy freelance writer for more than 30 years, Rob McGarvey has written over 1500 articles for many of the nation’s leading publications―from Reader’s Digest to Playboy and from the NY Times to Harvard Business Review. McGarvey covers CEOs, business, high tech, human resources, real estate, and the energy sector. A particular specialty is advertorial sections for many top outlets including the New York Times, Crain’s New York, and Fortune Magazine.

Robert McGarvey is an eSecurity Planet contributor.
