A patched browser - false feeling of security or a security utopia that actually exists?

Kaspersky Lab's recently released "Global Web Browser Usage and Security Trends" report sparks several important questions from a security perspective:

• Does the fact that (according to the study and third-party metrics services) Google's Chrome has the largest market share, make the Internet any safer?
• Does it really matter if Chrome users get the latest updates delivered to them, in an attempt by Google Inc. to shorten the "window of opportunity" for a malicious attacker to take advantage of the security vulnerabilities that could be exploited in the old version of the browser?
• Is Chrome the most secure browser on the market?
• What's the current situational reality in respect to the most commonly used tactics by cybercriminals attempting to infect a targeted host, and is a version of a particular browser relevant to their practices?

Let's start from the basics.

Years ago, cybercriminals took advantage of the fact that, due to usability issues, browsers were basically shipped insecure by default in an attempt not to ruin the Web experience of the user. Back in the day, cybercriminals still relying on inefficient isolated exploitation attempts, could not achieve the "malicious economies of scale" evident across the entire cybercrime ecosystem in 2012, as far as client-side exploitation is concerned.

It all changed with the releases of the RootLauncher Kit, the WebAttacker Kit, MPack and IcePack, which revolutionized the systematic client-side exploitation of end points, shifting the attention of cybercriminals to the average Internet user still living in a "free adult content leads to viruses" world.

Although the shift towards client-side exploitation has been evident ever since the continues release of numerous Web malware exploitation kits throughout 2012, social engineering tactics continued to proliferate, potentially undermining the built-in security mechanism implemented in any browser. A socially engineered user will manually bypass any "security warning screen", or may even click further to get what he clicked for originally, even though he received a clear warning for the maliciousness of a site in question, through, for instance, Google's SafeBrowsing initiative. Which on the other hand mitigates a certain percentage of  the risk of getting exploited through client-side vulnerabilities, but as we've already seen in the latest version of the Black Hole Exploit Kit 2.0, cybercriminals are adapting to the process by cloaking the malicious content, and not displaying it to Google's crawlers.

Just how prevalent are social engineering driven attacks nowadays? According to Microsoft's Security Intelligence Report for 2011, the most popular malware propagation tactic is the one that requires user interaction. Although the report is emphasizing on the rather insignificant activity in client-side exploitation, it excludes the fact that over the past couple of years cybercriminals have been combining social engineering and client-side exploitation in an attempt to increase their visitor-to-malware-infected-victim rates.

Yet another important aspect of a browser's security that has the capability to bypass the built-in security mechanisms, are browser extensions. On numerous occasions we've seen successful campaigns relying on bogus browser extensions for Firefox and Chrome, which don't even attempt to exploit a particular browser specific vulnerability besides socially engineering the user. Although Google reacted to this trend in July 2012, social engineering attacks still remain possible. 

What are cybercriminals emphasizing on in 2012? Massive client-side exploitation, or social engineering driven malicious campaigns? Not surprisingly, on both. However, despite OS/Software specific Patch Tuesdays, cybercriminals don't tend to exploit zero day flaws, instead, they exploit outdated vulnerabilities in third-party applications and browser plugins, leaving a lot of users with fully patched browsers with a false feeling of security.

Are average Internet and corporate users actually patching their third-party applications and browser plugins in general? Not even close.

According to publicly obtainable data, patched vulnerabilities remain the primary exploitation vector for cybercriminals to take advantage of. During the time the data was gathered (2011), 37 percent of users browsing the Web with insecure Java versions and 56 percent of enterprise users using vulnerable Adobe Reader plugins, the majority of which were exploiting vulnerabilities in Adobe's products, followed by Sun's products.

Running Chrome due to its built-in secure by default sandboxing technologies, running Firefox due its compatibility with NoScript, running Internet Explorer due to is acclaimed invincibility to social engineering attacks, or running Opera or Safari due to their small market share making it -- theoretically and practically -- a less valuable target for cybercriminals to attack, only mitigates a certain percentage of the risk of getting infected with malware, and are only part of the Defense-in-Depth concept.

What do you think? Does a fully patched browser offer total security, or does it basically mitigate only a certain percentage of the risk? Which browser are you currently running? Is it the latest version? Do you feel secure with it, or is it giving you false feeling of security, and you know it? When was the last time you checked whether you're running the latest version of your browser plugins, and third-party software, or are you still obsessed with Patch Tuesdays as the corner stone of ensuring your security online?

TalkBack!

Find out more about Dancho Danchev at his LinkedIn profile.