Saturday, October 6, 2012

Web Browsers


In my last post (AntiVirus at home), I mentioned one tool (AV) you can use at home to help defend against criminals who want to deliver malware onto your computer. Email and web browsing were the two primary delivery vectors I discussed in that post. The topic for today also addresses malware delivery but this time via your web browser. The question for this post is "which web browser should I use?" I've heard incorrect assumptions from friends and family who heard from someone they respect that "they will be secure if they use...." or "using ... means I'm not secure." Well, let's dive into that.


First off, your web browser is the application on your computer you are using to view this blog. They come in many shapes and sizes and many web enabled applications today contain web browser features. Your apps on your smartphone or tablet for example - many of those which display content to you from the Internet are essentially web browsers. Quite simply a web browser is an application that interacts with Internet languages and protocols to display stuff to you. Internet content such as movies, animated graphics, or documents are usually opened via another program on your computer upon request from your browser. That's why you have to install things like Flash Player, Shockwave, and PDF Reader. These aren't browsers, but more on that in a minute.


There are too many to mention here, but some of the primary web browsers include Microsoft Internet Explorer (IE), Mozilla FireFox, Google Chrome, Apple Safari, Opera, Camino, and Netscape Navigator. Microsoft IE and Apple Safari are likely the most commonly used among home users since they come pre-installed in Windows and OSX respectively. Within corporations, typically Internet Explorer or Mozilla Firefox are the "approved" browsers with exceptions for "Safari" on Apple computers.


Web browsers render website code written in programming languages such as HTML, XML, or PHP to display the contents in attractive formats. However additional applications on your computer that integrate with your browser (called plugins) are used when the website content (usually media) cannot be displayed. This most commonly includes active media content written for Java or Flash or specially formatted documents in PDF. When a browser encounters content in these non-HTML/XML codes, they call the local application that can display the code and the results are usually rendered within your browser. Youtube is a great example of this since the website is HTML, but the videos are in Flash (.swf) format. Many websites include active code like PHP which will inspect attributes of your computer to determine which format active content should be displayed to you. A video may be served in Java or Flash or some other type depending upon your configuration.


A browser can't be used to exploit your computer unless there is a vulnerability in the browser, a vulnerability in one of the "plugins" mentioned above, or in how the browser uses a plugin. Usually it's one of these plugins that is actually used to compromise your computer, not the browser itself. The browser becomes the medium by which the exploit or malicious code is transferred to the vulnerable application on your computer. Take the Blackhole exploit kit as an example. It is one of the most widely used kits around there that leverages weaknesses in active content plugins (Flash or Java) to serve you malware. Your browser hits a page which includes an embedded Java applet. Your browser calls up the Java application on your computer, and loads the Java code. The malicious Java code exploits a flaw in that software to automatically connect to another website to download and launch a malicious file. In many of these cases, it's not your browser's fault - it's the plugin that put you at risk. Probably the most common browser targeted exploits used today include cross-site scripting and iframe vulnerabilities. You can read about those at Wikipedia if you'd like, but essentially the process is the same; embedded code causes your browser to load malicious content.


I summed up the past 2 months of vulnerabilities related to web browsing according to the United States Computer Emergency Readiness Team (US-CERT):

Adobe Flash: 3
Adobe Acrobat Reader: 21
Adobe Shockwave: 5
Apple Safari: 3
Google Chrome: 24
Internet Explorer: 9
Mozilla Firefox: 31
Perl: 1
PHP: 2
Opera: 2

Based on this sample set from the past 2 months, Google Chrome and Mozilla Firefox had the most vulnerabilities followed by Internet Explorer, Safari, and Opera respectively. This might surprise you but statistics of new vulnerabilities in a browser show that FireFox alone averages about 44% of all web browser bugs. It has a horrible record. However, the Adobe, Perl, and PHP applications listed above are plugins which interact with each browser. So, even if your browser had 0 vulnerabilities, it's likely that with this set of application vulnerabilities you would still be at risk.

Which is the Most Secure?

That's a very difficult question to answer and I won't bore you with the background, but I give a toss up between Google Chrome and Internet Explorer. By itself, Chrome has been built with security at the front and Google is very quick to release updates when flaws are discovered. Microsoft is hands down the best at addressing new vulnerabilities and the latest versions of IE along with Windows 7 prove difficult to exploit. FireFox comes next. It is constantly being updated to fix newly discovered bugs, but they do a solid job of releasing updates. Apple Safari is at the bottom of the list for me because Apple is notoriously slow to fix vulnerabilities. It's common that a flaw will be discovered and Apple will take weeks and sometimes months to release an update leaving users exposed to compromise for long periods. Just Google "Apple slow to patch" and you'll see what I mean.

Rumors and Confusion

All of these web browsers are advertised as "the safer and faster way to browse the Internet." Or something like that. It became very trendy a few years ago to drop IE and use FireFox. This trickled out from those in the IT vocation to friends and family and the next thing I knew people were telling me they were secure at home because they don't use IE anymore...they use FireFox. Sorry to say, that's actually wrong.

Choosing a Browser

Before you take the plunge and commit yourself to a browser (by the way, I have 5 of the above installed on my laptop), you need to weigh your planned use, compatibility, risks, and threats.

Planned Use

So, what do you do with your web browser and what is the most important about your browsing experience? Personally I prefer simplicity, ease of use, and speed. Those are my top three. My planned use the web effectively and securely and enjoy the content websites offer. To that end, my go-to is Google Chrome. But, I often find cases where Chrome simply doesn't work right. In those times I switch back to the most stable and consistent browser, Internet Explorer. Some of the websites I use often simply don't render correctly in FireFox or Safari so rather than spend time getting frustrated, I just stick to Chrome and IE.


So your favorite browser is FireFox and you just browse the Internet to read news and check email. Are you at risk? Yes. However, risk assumes there is a vulnerability in your software, an exploit which can take advantage of that vulnerability, and that exploit is delivered to you. Unfortunately exploit code is spread all over the Internet on various websites including totally legitimate ones. The Russian Business Network (RBN) for example is run by Cyber criminals who network resources and offer Internet services to other criminals. They also use their network for legitimate purposes and serve web banners and ads on common websites. If you hit one of these sites, you could be exposed to exploit code. There's also tons of malicious code hosted through websites that serve illicit content and online games. There are also some Cyber criminals who monitor web trends (the things people search for on Google) and create malicious websites dedicated to those topics to get you to browse to them and expose yourself the malicious code. Needless to say, the risk of exploitation is very high. If there's a new trend or breaking news story, chances are there are websites being created by criminals that will serve you information about the topic, and along with that malicious code for your browser.


Take a look at the vulnerability and exploit sections of this post and you'll also see why I chose Chrome and IE. But consider this when browsing the Internet. Sorry Apple, but I warn all of you Mac users out there to stay away from Safari. You're better off installing Chrome on your Mac.

As I mentioned in my post about AntiVirus, your best defense is to patch your browser and related plugins regularly and at least check for updates weekly. Microsoft releases updates every Tuesday (if there are any to be released) and Google releases them when they are ready. Apple seems to release them when they eventually get around to it (bad Apple, bad!). Next, read those warnings from your browser and listen to their advise. If the browser says you are loading potentially unsafe content, stop! If you have to bypass a security feature to browse the content, think about that before you click. If your computer asks permission to open a file, make sure you trust the source. Finally, don't mess with your Browser's security settings. One thing all the providers have in common is they will push security features to you in patches. So again, patch!

Be safe!

No comments:

Post a Comment