
The Internet Browser - A Gateway Out or a Vulnerability In?

Every month there is a report on the market share of internet browsers.  The big 4 (Microsoft's Internet Explorer, Mozilla Firefox, Google's Chrome and Safari on the Mac) are generally seen as taking the majority share of the browser market, with regional differences between countries and continents.

As more thin and mobile devices enter the mainstream, the main application used by the end user will likely become the internet browser.  The subtle adoption of 'cloud' providers for goods and services (think music, books, news, basic storage, photos) is now embedded in the standard home user's approach to computing.  If required, there could be very little actually stored locally on a user's machine, with everything stored, subscribed to and accessed via an internet connection.

This concept has produced one of the first browser-based operating systems in the form of Google's Chrome OS.  This is basically a single-application operating system aimed solely at accessing the internet, with the assumption that the use of applications, data and services will be done remotely (it seems like an ironic circle of computer development, which has gone from centralised mainframes, to client-server, to the PC, and now back to what are effectively dumb remote machines accessing a powerful central hub, albeit a hub that is now massively distributed...).

The main point, though, is that the internet browser is now a crucial component within the device's list of functions, making it a great attack vector for information disclosure and malicious intent.

The patch release cycle for browsers across all vendors is probably one of the most dynamic and responsive of any application or operating system, mainly due to their popularity of use, but also because an exposed browser vulnerability can have a severe impact with regard to information disclosure (browser history, cookies, online banking, purchases, login credentials...) and the potential for full access to the user's device.

The increased number of automated vulnerability scanners for public-facing websites and applications has now spawned many scanners specific to the browser level.  Qualys, amongst others, provides a quick online browser checking tool which analyses versions and patch levels and compares them against known vulnerabilities.  Whilst patching and updating browser technology at the individual or home level can be a quick and simple process, keeping browsers consistent and updated within a corporate landscape is a complex and time-consuming process.
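The corporate side of that check is an inventory problem: which browsers, at which versions, are actually hitting your services? The following is an added example (not Qualys's tool, nor anything from the original post) that pulls the User-Agent from web server access log lines and compares each browser's major.minor version against a minimum-version baseline. The baseline numbers and the log lines are constructed for illustration; a real deployment would take the baseline from the vendors' current patch releases.

```python
import re

# Constructed baseline: lowest acceptable (major, minor) per browser family.
# These numbers are illustrative only, not a statement of which versions are safe.
MIN_VERSION = {
    "Chrome": (15, 0),
    "Firefox": (8, 0),
    "Safari": (5, 1),
    "MSIE": (9, 0),
}

# Order matters: Chrome UAs also contain "Safari/", so Chrome is matched first,
# and Safari is only matched when the "Version/x.y ... Safari/" form is present.
UA_PATTERNS = [
    ("Chrome", re.compile(r"Chrome/(\d+)\.(\d+)")),
    ("Firefox", re.compile(r"Firefox/(\d+)\.(\d+)")),
    ("MSIE", re.compile(r"MSIE (\d+)\.(\d+)")),
    ("Safari", re.compile(r"Version/(\d+)\.(\d+).*Safari/")),
]

# Combined log format ends with the referer and user-agent in quotes;
# the last quoted field on the line is the User-Agent.
UA_FIELD = re.compile(r'"([^"]*)"\s*$')


def parse_user_agent(ua):
    """Return (family, (major, minor)) or (None, None) if unrecognised."""
    for name, pattern in UA_PATTERNS:
        match = pattern.search(ua)
        if match:
            return name, (int(match.group(1)), int(match.group(2)))
    return None, None


def check_browser(ua):
    """Classify one User-Agent string as ok / outdated / unknown."""
    name, version = parse_user_agent(ua)
    if name is None:
        return {"browser": "unknown", "version": None, "required": None, "status": "unknown"}
    required = MIN_VERSION[name]
    status = "ok" if version >= required else "outdated"
    return {"browser": name, "version": version, "required": required, "status": status}


def audit(log_lines):
    """Run check_browser over each access log line; skip lines with no UA field."""
    results = []
    for line in log_lines:
        match = UA_FIELD.search(line)
        if not match:
            continue
        results.append(check_browser(match.group(1)))
    return results


def summarise(results):
    """Count results per status so the outdated population is visible at a glance."""
    counts = {"ok": 0, "outdated": 0, "unknown": 0}
    for r in results:
        counts[r["status"]] += 1
    return counts


# Constructed sample access log lines (combined log format).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Nov/2011:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.121 Safari/535.2"',
    '10.0.0.6 - - [10/Nov/2011:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0"',
    '10.0.0.7 - - [10/Nov/2011:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.51.22 (KHTML, like Gecko) Version/5.1.1 Safari/534.51.22"',
    '10.0.0.8 - - [10/Nov/2011:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
    '10.0.0.9 - - [10/Nov/2011:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.21.0"',
]

if __name__ == "__main__":
    for r in audit(SAMPLE_LOG):
        print(r)
    print(summarise(audit(SAMPLE_LOG)))
```

The check is deliberately coarse: a User-Agent is client-supplied and trivially changed, so this finds the population that is visibly behind rather than proving anything is current. It is useful as a first cut for the corporate deployment problem described above, and the "unknown" bucket is worth reviewing by hand, since it collects both legitimate tooling and anything deliberately obscuring its identity.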

The corporate environment also faces the issue of training and familiarity as and when new browser releases occur, which often results in a lack of deployment.

Whilst Google Chrome has taken a significant market share in the last couple of years, it has done so on the back of a simple message of being the 'fast' browser.  Whilst a good marketing initiative, it serves to illustrate that the end user wants speed, features and good looks to access newer HTML5 interactive and media-laden content.  The focus on usability, speed and looks has hit all the major browser vendors, with Internet Explorer's next flagship being promoted solely on its looks and features.

It will be interesting to see in the coming year, whether the main marketing focus shifts to security instead of playability.

As many smartphones and tablets are already the digital natives' main route to the interweb, again the attack vector has a single and powerful entry point to a full plethora of user information, behaviour profiling and browser history, from devices where patch management and vulnerability scanning is not at its most effective.

If there is one application I would patch to near boredom, it would be the one that accesses the internet, whether from a laptop, netbook or smartphone.  It can, however, often be something that is easily overlooked.

(Simon Moffatt)
