Understanding the Web browser threat – Report

ETH Zurich has released a comprehensive report called Understanding the Web browser threat: examination of vulnerable online Web browser populations and the “insecurity iceberg”:

“In recent years the Web browser has increasingly become targeted as an infection vector for vulnerable hosts. Classic service-centric vulnerability exploitation required attackers to scan for and remotely connect to vulnerable hosts (typically servers) in order to exploit them. Unlike these, Web browser vulnerabilities are commonly exploited when the user of the vulnerable host visits a malicious Web site.

“Attacks against Web browsers depend upon malicious content being rendered by the appropriate built-in interpreter (e.g., HTML, JavaScript, CSS, etc.) or vulnerable plug-in technology (e.g., Flash, QuickTime, Java, etc.) [1, 2]. Vulnerabilities lying within these rendering technologies are then exposed to any exploit techniques or malicious code developed by the attacker. Vulnerability trend reports have indicated that remotely exploitable vulnerabilities have been increasing since the year 2000 and reached 89.4% of vulnerabilities reported in 2007 [3]. A growing percentage of these remotely exploitable vulnerabilities are associated with Web browsers.”

“In the face of a more hostile environment, most commercial vendors of Web browser technologies have made progress over recent years in making their products more resilient to common security threats – dropping insecure features and strengthening others. Their development life-cycles have matured and typically encompass multiple levels of secure design and vulnerability testing, as well as new processes for promptly handling externally discovered flaws. As such, most updates and patches for existing Web browser technologies (both the core browsing engine and third-party plug-ins) increasingly incorporate new and vital security fixes – a trend that is expected to continue into the future.”

“For years the software industry has promoted one security best practice over all others: always use the most recent version of the installed software and instantly apply the latest patches. With today’s hostile Internet and drive-by download attack vectors, failure to apply patches promptly or missing them entirely is a recipe for disaster; exposing the host to infection and possibly subsequent data disclosure or loss.”

“Table 2 shows the usage share of the latest major browser version within each type of Web browser (e.g. the share of IE7 within the IE population). There were 1,408 million Internet users worldwide at the end of March 2008 [20]. Globally only 59.1% (832 million users) make use of the latest major version of their preferred Web browser to navigate the Internet. This is an estimate for the upper bound for the global share of the most secure browsers in use. However, 576 million users surfed the Internet without using the latest major browser version of their preferred browser.”

The study authors also recommend keeping browser plug-ins up to date and establishing a “best before” dating system for software, so that users can tell when an installed version is too old to be trusted.

For the whole study:

http://www.techzoom.net/publications/insecurity-iceberg/index.en

Info via Free Government Information blog:

http://freegovinfo.info/

and the Librarian.net blog:

http://www.librarian.net/stax/2338/is-your-librarys-browser-safe/

Posted by Rich