Browsers that are not updated when necessary can carry security vulnerabilities created by coding errors and third-party applications, warn market players, who advise browser makers to actively entice users to keep their browsers updated through an "automatic update" function and awareness campaigns.
The role of the browser has shifted significantly and while current market offerings are more secure, the risk of vulnerabilities has shifted to plugins and third-party applications, Craig Spiezle, president of Online Trust Alliance (OTA) told ZDNet Asia.
A recent OTA study found that more than 60 percent of users in the U.S. and Canada used outdated browsers, while the remaining 40 percent used current versions of browsers available in the market. "Current" offerings include current versions offered by browser makers and the most recent versions which support automatic security updates from the vendors.
Corey Nachreiner, senior network security strategist at WatchGuard Technologies, said all software can contain security vulnerabilities due to mistakes in the coding process, and Web browsers often suffer from memory-related vulnerabilities, such as buffer overflow flaws, that hackers may then exploit.
When a Web browser suffers from such faults, visiting a specifically crafted site can "trigger the flaw" and allow attackers to stealthily install malware on computers when they visit these phishing sites, Nachreiner said in an e-mail.
Jonathan Wong, Internet Explorer lead at Microsoft Asia-Pacific, noted that, sometimes, vulnerabilities are not inherent in the browser itself but introduced when users download plugins.
Many third-party programs "put their hooks" into a Web browser when the wrong site is visited, Wong said. Programs such as Adobe Reader, Apple QuickTime and Skype are often installed as plugins to allow the programs to access content through the Web browser, he explained. If these applications contain vulnerabilities, hackers can leverage those flaws through the browser by luring users to visit Web sites that carry malicious code or files.
Users update browsers, with help from vendors
Due to the risk of plugins, users must keep these tools up-to-date and use security features available in the browser to limit attack vectors when browsing the Internet, Microsoft's Wong noted.
Nachreiner added that the only way to fix these software vulnerabilities is by patching them, and installing the latest version of the browser in which the vendor has fixed all known security vulnerabilities. He warned that, of late, attacks have leveraged security vulnerabilities in programs such as Adobe Reader and Flash, Java and other third-party programs.
"Patching regularly is important in keeping your browser safe. However, it is just as important to keep third-party applications up-to-date," he said.
OTA's Spiezle added that businesses need to accelerate their approval processes to ensure employees use modern browsers, noting that software incompatibility can no longer be used as a "credible excuse". Any time a device carrying an outdated browser is taken out of its IT environment and connects to the Internet, it is at risk, he said.
Nachreiner suggested that the most effective way to get users to update their browser is to install the "automatic update" function, which many products today already have, including those from Microsoft and Apple.
Johnathan Nightingale, Mozilla's director of Firefox engineering, said in an e-mail interview: "Firefox is configured to automatically check for software updates, both for the main browser and for any extensions users may have installed. This way, if any bug fixes are released or if any new features are added to these extensions, users will be notified."
However, Nachreiner said, not all third-party products that leverage browsers have automatic updates. As a result, even if there were automatic update mechanisms in the browsers, users might still have to keep up with other updates themselves, he added.
Wong added that Microsoft encourages its customers to update to the latest version of its Internet browser through Windows Update, as well as through marketing campaigns that educate users on the safety and security features of Internet Explorer. The company also publishes its Security Intelligence Report twice a year, available for free, to educate users on the latest security and malware trends, he added.
Spiezle said: "We have a shared responsibility and opportunity to make the Internet more secure. Failure to do so can have a combined impact on all online businesses and services, such as lower consumer trust, higher levels of fraud costs and increased calls for regulation."