Malware has a new address: Web browsers. This is not the first time malicious code has set up shop in popular access tools such as Microsoft Internet Explorer and Google Chrome, but according to new research from the Ponemon Institute detailed in a recent Infosecurity Magazine article, browser vulnerabilities are on the rise. What can companies do to keep corporate data safe and prevent employees from accidentally compromising secure networks using broken Web browsers?

Depressing Numbers

According to the report, more than 75 percent of enterprises have been infiltrated with malware via broken Web browsers, with the average cost of such a breach ringing in at $62,000. Despite implementing multilayer, defense-in-depth security controls, most organizations had more than 50 breaches in the past year. In fact, 69 percent of IT security professionals surveyed said browser-borne malware is a greater threat now than it was 12 months ago. Even worse, 81 percent say insecure browsers are the primary attack vector for malware, with 74 percent claiming “traditional” detection technologies can no longer effectively stop these types of attacks. In addition, just 31 percent agree that commercial browsers have the built-in security controls necessary to stop these kinds of attacks.

Dark Reading, meanwhile, points to several factors in the spread of browser malware. First, companies are bogged down by the problem of psychological “inertia,” with 65 percent of security professionals saying it’s hard to shake their dependence on traditional security controls even when those controls prove ineffective. Additionally, many enterprises are still convinced that browser makers are best placed to handle security and that, given enough time, the big-name brands will patch their most important malware holes. Is this just wishful thinking, however?

Real-World Concerns With Broken Web Browsers

Out in the wild of the World Wide Web, browsers are continually undergoing security upgrades. According to Threatpost, for example, Google’s Chrome 40 update recently patched 62 vulnerabilities in the browser, 17 of which were rated “high-severity” by the search giant. Most were memory corruption or use-after-free vulnerabilities in components such as ICU, V8 or FFmpeg. In addition to internal fixes, the Google team also paid tens of thousands of dollars in bounties to freelance security researchers; one scored more than $12,000 for identifying three bugs. While this focus on security is admirable, it raises an important point: Despite Chrome’s widespread use and long history, bugs are still being discovered, some of which pose real risk to enterprises. Is bounty hunting enough to stop the threat?

Also worth mentioning is the recent universal cross-site scripting vulnerability discovered in Internet Explorer. As noted by PCWorld, the weakness lets malicious attackers bypass the same-origin policy, which should prevent code from one website, when loaded in an iframe on a different website, from affecting the other site’s content. This new vulnerability, however, allows a phishing attack that takes the form of a legitimate-looking link on an authentic Web page. When clicked, a rogue page is opened, but because the same-origin policy is bypassed, the browser’s address bar continues to show the legitimate Web page address. In the context of a banking site, for example, this means users could be redirected to malware-laden pages without noticing, because the Web address would never change.
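To make the rule that the IE bug bypasses concrete, here is an added example (not code from the original article) of the same-origin comparison a browser applies before letting a framed document touch the page that embeds it. An origin is the scheme, host and port triple; the hostnames below are constructed, hypothetical values.

```javascript
// Added example: a minimal same-origin check using the built-in WHATWG URL class.
// Two documents may script each other only when scheme, host and port all match.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Normalise a URL into its origin tuple. Scheme and host are case-insensitive;
// an omitted port means the scheme's default port (URL strips ":443" on https).
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port !== "" ? u.port : (DEFAULT_PORTS[u.protocol] || "");
  return { scheme: u.protocol.toLowerCase(), host: u.hostname.toLowerCase(), port };
}

function isSameOrigin(a, b) {
  const oa = originOf(a), ob = originOf(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Decide whether a document at `frameUrl`, loaded in an iframe by the page at
// `topUrl`, may reach into the top document (read its DOM, rewrite its links).
// A same-origin-policy bypass like the one in the article makes the browser
// answer "allowed" for the cross-origin cases below.
function iframeAccessDecision(topUrl, frameUrl) {
  const allowed = isSameOrigin(topUrl, frameUrl);
  return {
    allowed,
    reason: allowed
      ? "same origin: framed document may script the top document"
      : "cross origin: framed document is isolated from the top document",
  };
}

// Constructed sample pairs (hypothetical hosts, not real sites).
const SAMPLES = [
  ["https://bank.example/accounts", "https://bank.example:443/help"],  // same origin
  ["https://bank.example/accounts", "http://bank.example/accounts"],   // scheme differs
  ["https://bank.example/accounts", "https://login.bank.example/"],    // host differs
  ["https://bank.example/accounts", "https://bank.example:8443/"],     // port differs
  ["https://bank.example/accounts", "https://attacker.example/frame"], // other site
];

for (const [top, frame] of SAMPLES) {
  const d = iframeAccessDecision(top, frame);
  console.log(`${frame} framed by ${top}: ${d.allowed ? "ALLOWED" : "BLOCKED"} (${d.reason})`);
}
```

Only the first pair is allowed; a subdomain, a different scheme or a non-default port each yields a distinct origin, which is why a bypass that lets a framed page rewrite the top document while the address bar still shows the original site is so dangerous.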

Underneath It All

The bottom line is that all Web browsers are broken Web browsers to some degree, depending on their patch cycle and the current set of discovered vulnerabilities. According to ReadWrite, there may be a common cause: laziness. It argues that Web developers have become lazy with their code when it comes to application development, and the same applies to Web browsers. In large measure, this laziness is an honest reaction to consumer demand: access trumps evaluation, and speed trumps security. The result, however, is a market of commercial Web browsers unable to handle advanced malware threats, putting corporate users at risk.

Managing browser security requires a twofold approach. First, enterprises must be willing to give up traditional methods of protection in favor of advanced endpoint security that acts in real time to detect malicious code or suspicious behavior. Gone are the days of catchall firewalls and zero-day patches. Second, organizations must shed the notion that browsers are the first line of security or form the basis of any secure defense. It is better to assume a breach is imminent, happening or has just occurred rather than be surprised by newly discovered, damaging vulnerabilities.

Browser malware is on the rise and is here to stay. Combating the problem requires a change of address — security needs a new home.
