The Internet Browser - A Gateway Out or a Vulnerability In?

Every month there is a report on the market share of internet browser tools.  The big 4 (Microsoft's Internet Explorer, Mozilla Firefox, Google's Chrome and Safari on the Mac) are generally seen as taking the majority share of the browser market with regional differences in countries and continents.

As more thin and mobile devices enter the mainstream, the main application used by the end user will likely become an internet browser.  The subtle adoption of 'cloud' providers for goods and services (think music, books, news, basic storage, photos) is now embedded in the standard home user's approach to computing.  If required, there could be very little actually stored locally on a user's machine, with everything stored, subscribed to and accessed via an internet connection.

This concept has produced one of the first browser-based operating systems in the form of Google's Chrome OS.  This is basically a single-application operating system aimed solely at accessing the internet, with the assumption that the use of applications, data and services will be done remotely (it seems like an ironic circle of computer development, which has gone from centralised mainframes, to client-server, to the PC, and now back to what are effectively dumb remote machines accessing a powerful central hub, albeit that hub is now massively distributed...).

The main point, though, is that the internet browser is now a crucial component of the device's functions, making it a prime attack vector for information disclosure and malicious activity.

The patch release cycle for browsers across all vendors is probably one of the most dynamic and responsive of any application or operating system.  This is mainly due to their popularity of use, but also because an exposed browser vulnerability can have a severe impact with regard to information disclosure (browser history, cookies, online banking, purchases, login credentials...) and the potential for full access to the user's device.

The increased number of automated vulnerability scanners for public-facing websites and applications has now spawned many specific scanners at the browser level.  Qualys, amongst others, provides a quick online browser checking tool, which analyses versions and patch levels and compares them against known vulnerabilities.  Whilst patching and updating browser technology at the individual or home level can be a quick and simple process, keeping browsers consistent and updated within a corporate landscape is a complex and time-consuming process.
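The version check such tools perform can be approximated in-house from proxy logs: extract the browser family and major version from each User-Agent string and flag anything below an agreed baseline. The following is an added example, not code from the post or from any vendor's tool; the baseline versions, the log format (client IP followed by a quoted User-Agent) and the log lines are all constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Constructed minimum-acceptable major versions per browser family.
# Illustrative baselines only, not a statement of which real versions are
# vulnerable; a real deployment would feed this from vendor release data.
MIN_MAJOR = {"Chrome": 90, "Firefox": 88, "MSIE": 11, "Safari": 14}

# Product/version tokens as they appear in common User-Agent strings.
# Order matters: Chrome's UA also contains 'Safari/', so Chrome is tested first,
# and IE 11 drops the 'MSIE' token in favour of 'Trident/... rv:11.0'.
UA_PATTERNS = [
    ("Chrome", re.compile(r"Chrome/(\d+)")),
    ("Firefox", re.compile(r"Firefox/(\d+)")),
    ("MSIE", re.compile(r"MSIE (\d+)|Trident/.*rv:(\d+)")),
    ("Safari", re.compile(r"Version/(\d+)[\d.]*.*Safari/")),
]

def identify_browser(user_agent: str) -> Optional[Tuple[str, int]]:
    """Return (family, major_version) for a User-Agent, or None if unrecognised."""
    for family, pattern in UA_PATTERNS:
        m = pattern.search(user_agent)
        if m:
            major = next(g for g in m.groups() if g is not None)
            return family, int(major)
    return None

def find_outdated(log_lines: List[str]) -> List[Tuple[str, str, int, int]]:
    """Scan log lines of the form '<client> "<User-Agent>"' and return
    (client, family, major, minimum) for every browser below its baseline."""
    findings = []
    for line in log_lines:
        client, _, ua = line.partition(' "')
        ident = identify_browser(ua.rstrip('"'))
        if ident is None:          # non-browser clients (curl, bots) are skipped
            continue
        family, major = ident
        if major < MIN_MAJOR[family]:
            findings.append((client, family, major, MIN_MAJOR[family]))
    return findings

# Constructed sample proxy log lines.
SAMPLE_LOG = [
    '10.0.0.5 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36"',
    '10.0.0.6 "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"',
    '10.0.0.7 "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"',
    '10.0.0.8 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1 Safari/605.1.15"',
    '10.0.0.9 "curl/7.68.0"',
]

if __name__ == "__main__":
    for client, family, major, minimum in find_outdated(SAMPLE_LOG):
        print(f"{client}: {family} {major} is below baseline {minimum}")
```

A User-Agent can be spoofed by the client, so this is an inventory aid, not an authoritative patch-state check; an endpoint management agent remains the reliable source.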

The corporate environment also faces the issue of training and familiarity as and when new browser releases occur, which often results in new releases not being deployed.

Whilst Google Chrome has taken a significant market share in the last couple of years, it has done so on the back of a simple message of being the 'fast' browser.  Whilst a good marketing initiative, it serves to illustrate that the end user wants speed, features and good looks to access newer HTML5 interactive and media-laden content.  The focus on usability, speed and looks has hit all the major browser vendors, with Internet Explorer's next flagship being promoted solely on its looks and features.

It will be interesting to see in the coming year, whether the main marketing focus shifts to security instead of playability.

As many smartphones and tablets are already the digital natives' main route to the interweb, the attack vector again has a single and powerful entry point to a full plethora of user information, behaviour profiling and browser history, from devices where patch management and vulnerability scanning are not at their most effective.

If there is one application I would patch to near boredom, it would generally be the one that accesses the internet, either from a laptop, netbook or smartphone perspective.  It can, however, often be something that is easily overlooked.

(Simon Moffatt)