
The Internet Browser - A Gateway Out or a Vulnerability In?

Every month there is a report on the market share of internet browser tools.  The big 4 (Microsoft's Internet Explorer, Mozilla Firefox, Google's Chrome and Safari on the Mac) are generally seen as taking the majority share of the browser market with regional differences in countries and continents.

As more thin and mobile devices enter the mainstream, the main application used by the end user will likely become an internet browser.  The subtle adoption of 'cloud' providers for goods and services (think music, books, news, basic storage, photos) is now embedded in the standard home user's approach to computing.  If required, very little need actually be stored locally on a user's machine, with everything stored, subscribed to and accessed via an internet connection.

This concept has produced one of the first browser based operating systems in the form of Google's Chrome OS.  This is basically a single application operating system aimed solely at accessing the internet, with the assumption that the use of applications, data and services will be done remotely (it seems like an ironic circle of computer development, which has gone from centralised mainframes, to client-server, to the PC, and now back to what are effectively dumb remote machines accessing a powerful central hub, albeit that hub is now massively distributed...).

The main point, though, is that the internet browser is now a crucial component within the device's list of functions, making it a prime attack vector for information disclosure and malicious intent.

The patch release cycle for browsers across all vendors is probably one of the most dynamic and responsive of any application or operating system.  This is mainly due to their popularity of use, but also because an exposed browser vulnerability can have a severe impact with regards to information disclosure (browser history, cookies, online banking, purchases, login credentials...) and can potentially give full access to the user's device.

The increased number of automated vulnerability scanners for public facing websites and applications has now spawned many specific scanners at the browser level.  Qualys, amongst others, provides a quick online browser checking tool which analyses versions and patch levels and compares them against known vulnerabilities.  Whilst patching and updating browser technology at the individual or home level can be a quick and simple process, keeping browsers consistent and updated within a corporate landscape is a complex and time-consuming process.

The corporate environment also faces the issue of training and familiarity as and when new browser releases occur, which often results in new releases not being deployed.
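Knowing which browser versions are actually in use is the first step to keeping them consistent in a corporate environment.  As an added example (not from the original post), the script below inventories browser versions from User-Agent strings in a constructed web proxy log and flags clients below a baseline version; the log format, the sample lines and the baseline policy are all assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample proxy log (hypothetical format): "<client-ip> <timestamp> <user-agent>"
SAMPLE_LOG = """\
10.0.0.11 2011-05-02T09:14:01Z Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.53 Safari/534.30
10.0.0.12 2011-05-02T09:14:05Z Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
10.0.0.13 2011-05-02T09:15:10Z Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
10.0.0.14 2011-05-02T09:16:22Z Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_7) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1
10.0.0.15 2011-05-02T09:17:40Z Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.53 Safari/534.30
10.0.0.16 2011-05-02T09:18:03Z Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.17) Gecko/20110420 Firefox/3.6.17
"""

# Order matters: Chrome User-Agents also contain "Safari", so Chrome is tested first.
UA_PATTERNS = [
    ("Internet Explorer", re.compile(r"MSIE (\d+(?:\.\d+)*)")),
    ("Chrome", re.compile(r"Chrome/(\d+(?:\.\d+)*)")),
    ("Firefox", re.compile(r"Firefox/(\d+(?:\.\d+)*)")),
    ("Safari", re.compile(r"Version/(\d+(?:\.\d+)*).*Safari/")),
]

# Constructed baseline of minimum acceptable versions (an assumption, not a recommendation);
# in practice this would be fed from the vendors' current release information.
MIN_VERSION = {"Internet Explorer": (8,), "Chrome": (12,), "Firefox": (4,), "Safari": (5,)}


def parse_version(text):
    """Turn '12.0.742.53' into (12, 0, 742, 53) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def identify_browser(user_agent):
    """Return (browser name, version tuple), or None if the User-Agent is unrecognised."""
    for name, pattern in UA_PATTERNS:
        match = pattern.search(user_agent)
        if match:
            return name, parse_version(match.group(1))
    return None


def inventory(log_text):
    """Count how many requests each (browser, version) pair made in the log."""
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split(" ", 2)  # client-ip, timestamp, user-agent
        if len(parts) < 3:
            continue
        found = identify_browser(parts[2])
        if found:
            counts[found] += 1
    return counts


def outdated(counts):
    """Return the (browser, version) pairs whose version is below the baseline."""
    return {key: n for key, n in counts.items() if key[1] < MIN_VERSION.get(key[0], (0,))}
```

Running `outdated(inventory(SAMPLE_LOG))` on the constructed log reports the Internet Explorer 6.0 and Firefox 3.6.17 clients, which is the list a patch-management team would chase.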

Whilst Google Chrome has taken a significant market share in the last couple of years, it has done so on the back of a simple message of being the 'fast' browser.  Whilst a good marketing initiative, it serves to illustrate that the end user wants speed, features and good looks to access newer HTML5 interactive and media laden content.  The focus on usability, speed and looks has hit all the major browser vendors, with Internet Explorer's next flagship being promoted solely on its looks and features.

It will be interesting to see in the coming year, whether the main marketing focus shifts to security instead of playability.

As many smartphones and tablets are already the digital natives' main route to the interweb, the attack vector again has a single and powerful entry point to a full plethora of user information, behaviour profiling and browser history, from devices where patch management and vulnerability scanning is not at its most effective.

If there is one application I would patch to the point of boredom, it would be the one that accesses the internet, whether from a laptop, netbook or smartphone.  It can, however, often be something that is easily overlooked.

(Simon Moffatt)
