Internet browser vulnerability and user security

Vulnerabilities in any browser tend to attract wide attention, giving critics and rivals a reason to declare the browser unsafe to use. As an illustration, the Internet Explorer Hydraq (Aurora) vulnerability was widely discussed at the beginning of 2010, mainly because Google employees became victims of hackers who used this flaw.

A vulnerability is a significant security failure that can let malicious code into a system and lead to a significant data breach. If someone asks, “what is TotalAV or any other antivirus about?”, the answer is that antivirus and antispyware programs are designed to neutralize such threats. In this regard, one should remember that HIPS-class defensive systems (the combination of a firewall and an application-level attack blocker) resist 0-day vulnerabilities most successfully.

Interestingly, Internet Explorer is far from being the leader in the number of detected security issues. Opera, Firefox, Chrome and Safari are not free from zero-day vulnerabilities either. Only browser developers can fix them. Until an update appears, the user has to rely solely on other protection options.

Edge, Chrome and Opera vulnerability

Security researchers recently discovered a vulnerability that could allow attackers to bypass Content Security Policy (CSP) rules on websites to steal user data and inject malicious code.

The flaw was assigned the identifier CVE-2020-6519 and was found in browsers based on the Chromium engine.

These include Opera, Chrome, and Edge on Windows, Mac, and Android. Over a billion people worldwide use these browsers. Taking Chrome as an example, it is worth noting that only versions starting from March 2019 are vulnerable (version 73 and older).

The problem was fixed only in Chrome version 83, which was released in July 2020.

Nonetheless, to exploit the vulnerability, the attacker first needs to gain access to the web server, which is why it received a score of 6.5 out of 10 (moderately dangerous). Such access is typically obtained using a phishing attack or brute force.

After getting an opportunity to change the JavaScript code, the attacker must add the frame-src and child-src attributes to the JavaScript to bypass the CSP.

Contemporary security flaws

Internet security researchers presented a report on the state of modern web browsers, based on a study of how 1.4 million users worldwide use the leading browsers.

The main result is that almost a third of all web browsers contain critical vulnerabilities:

  • Microsoft Internet Explorer and Edge: just over 40%.
  • Google Chrome: slightly less than 40%.
  • Mozilla Firefox: 35%.
  • Opera: 34%.
  • Safari: less than 30%.

It should be noted that the discovered vulnerabilities give cybercriminals the ability to remotely access and control users’ systems.

This allows them to track users’ network activity and helps them intercept and steal personal information, including sensitive data. The main problem isn’t even with the browsers themselves. Their developers respond to detected vulnerabilities quickly enough by releasing the necessary updates.

Plugins (additional software modules from third parties) are responsible for most of the vulnerabilities found. Among the most vulnerable plugins are Shockwave from Adobe, Java from Oracle, and QuickTime from Apple.

What is the safest browser?

If we talk exclusively about browser vulnerabilities, then one thing is clear: the safest browser is one that is updated automatically and is backed by a reliable antivirus/security program as insurance.

If your antivirus software fails, there is still a chance to minimize the damage through Windows security technologies. For example, Internet Explorer runs in Protected Mode when User Account Control is enabled. This means that the browser and the processes it launches cannot modify existing registry settings and files. In other words, the operating system is more resistant to infections.

In that case, the likelihood of running into problems from 0-day and similar vulnerabilities is much lower than with an outdated browser. The number of weak points does not play a decisive role, especially since security flaws in browsers are closed more or less quickly. However, it would be wrong to assess browser security by vulnerabilities alone.

Attacks are directed not only at browsers but also at add-ons (plugins), which are sometimes essential for surfing the web.

Story by Nathan Collier
