Malware has a new address: Web browsers. This is not the first time malicious code has set up shop in popular access tools such as Microsoft Internet Explorer and Google Chrome, but according to new research from the Ponemon Institute detailed in a recent Infosecurity Magazine article, browser vulnerabilities are on the rise. What can companies do to keep corporate data safe and prevent employees from accidentally compromising secure networks using broken Web browsers?

Depressing Numbers

According to the report, more than 75 percent of enterprises have been infiltrated with malware via broken Web browsers, with the average cost of such a breach ringing in at $62,000. Despite implementing multilayer, in-depth security controls, most organizations had more than 50 breaches in the past year. In fact, 69 percent of IT security professionals surveyed said browser-borne malware is a greater threat now than it was 12 months ago. Even worse, 81 percent say insecure browsers are the primary attack vector for malware, with 74 percent claiming “traditional” detection technologies can no longer effectively stop these types of attacks. In addition, just 31 percent agree commercial browsers have the same kind of built-in security controls necessary to stop these kinds of attacks.

Dark Reading, meanwhile, points to several factors in the spread of browser malware. First, companies are bogged down by the problem of psychological “inertia,” with 65 percent of security professionals saying it’s hard to shake their dependence on traditional security controls even when they prove ineffective. Additionally, many enterprises are still convinced browser makers have the best line on security and, with enough time, big-name brands will patch their most important malware holes. Is this just wishful thinking, however?

Real-World Concerns With Broken Web Browsers

Out in the wild of the World Wide Web, browsers are continually undergoing security upgrades. According to Threatpost, for example, Google’s Chrome 40 update recently patched 62 vulnerabilities in the browser, 17 of which were considered “high-severity” by the search giant. Most were memory corruptions or use-after-free vulnerabilities in components such as ICU, V8 or FFmpeg. In addition to internal fixes, the Google team also paid tens of thousands of dollars in bounties to freelance security researchers; one scored more than $12,000 for identifying three bugs. While this focus on security is admirable, it raises an important point: Despite Chrome’s widespread use and long history, bugs are still being discovered, some of which pose real risk to enterprises. Is bounty hunting enough to stop the threat?

Also worth mentioning is the recent universal cross-site scripting vulnerability discovered in Internet Explorer. As noted by PCWorld, the weakness lets attackers bypass the same-origin policy, which should prevent code from one website, loaded in an iframe on a different website, from reading or modifying the framing site’s content. However, this new vulnerability allows a phishing attack that takes the form of a legitimate-looking link on an authentic Web page. When clicked, a rogue page is opened, but because the same-origin policy is bypassed, the browser’s address bar continues to show the legitimate Web page address. For example, in the context of a banking site, this means users could be redirected to malware-laden pages but have no idea because the Web address would never change.
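To make concrete what the same-origin policy is supposed to guarantee, here is a small model of it, written for this page as an added example (it is not code from the article or from any browser). It uses only the standard WHATWG URL API, so it runs unchanged in Node.js or a browser console. The bank and widget URLs are constructed, and the `frame-ancestors` evaluator handles only the `'none'`, `'self'` and exact-origin forms of the real CSP grammar. The point for defenders: a site can use `frame-ancestors` to limit who may embed it, but nothing a site does can restore the origin check when the browser itself fails to enforce it, which is why a bug of this kind is a browser-patch problem rather than a Web-application problem.

```javascript
// Added example (not from the article): a model of the same-origin policy
// that the Internet Explorer UXSS bug described above bypasses.

// Reduce a URL to its origin tuple (scheme, host, port). The URL API
// already drops default ports, so https://bank.example:443/ and
// https://bank.example/ yield the same origin.
function originOf(urlString) {
  const u = new URL(urlString);
  return { scheme: u.protocol.replace(/:$/, ""), host: u.hostname, port: u.port };
}

function sameOrigin(urlA, urlB) {
  const a = originOf(urlA), b = originOf(urlB);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Can a script running in the document at `scriptUrl` read or modify the
// DOM of the document at `targetUrl`? Under the same-origin policy, only
// when the two documents share an origin.
function mayScript(scriptUrl, targetUrl) {
  return sameOrigin(scriptUrl, targetUrl);
}

// Constructed frame tree: a bank page that embeds a third-party chat widget
// and one of its own help pages. Hostnames are placeholders.
const FRAME_TREE = {
  url: "https://bank.example/accounts",
  children: [
    { url: "https://widgets.example.net/chat", children: [] },
    { url: "https://bank.example/help", children: [] },
  ],
};

// Walk the frame tree and list every ordered pair (a -> b) of distinct
// frames where a's scripts are permitted to touch b's document.
function scriptableFrames(tree) {
  const frames = [];
  (function walk(node) { frames.push(node.url); node.children.forEach(walk); })(tree);
  const allowed = [];
  for (const a of frames) {
    for (const b of frames) {
      if (a !== b && mayScript(a, b)) allowed.push([a, b]);
    }
  }
  return allowed;
}

// Simplified evaluation of a Content-Security-Policy frame-ancestors
// directive: may the document at `embedderUrl` frame the page at `pageUrl`?
// Supports 'none', 'self' and exact origins, a subset of the real grammar;
// scheme-less or wildcard host sources are ignored (treated as no match).
function frameAncestorsAllows(directive, pageUrl, embedderUrl) {
  const sources = directive.trim().split(/\s+/).filter(Boolean);
  if (sources.includes("'none'")) return false;
  for (const src of sources) {
    if (src === "'self'") {
      if (sameOrigin(pageUrl, embedderUrl)) return true;
    } else if (src.includes("://") && sameOrigin(src, embedderUrl)) {
      return true;
    }
  }
  return false;
}

// Stand-alone run: the widget frame must not be able to script the bank page.
console.log(mayScript("https://widgets.example.net/chat", "https://bank.example/accounts")); // false
console.log(scriptableFrames(FRAME_TREE));
```

In the frame tree above, only the two `bank.example` documents can script each other; the widget frame is isolated in both directions, which is exactly the guarantee the PCWorld-described bug breaks from the browser side.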

Underneath It All

The bottom line is that all Web browsers are broken Web browsers to some degree, depending on their patch cycle and current suite of discovered vulnerabilities. According to ReadWrite, there may be a common cause: laziness. It argues that Web developers have become lazy with their code when it comes to application development, but the same also applies to Web browsers. In large measure, this laziness comes as an honest reaction to consumer demand. Access trumps evaluation, and speed trumps security. The result, however, is a market of commercial Web browsers unable to handle advanced malware threats, putting corporate users at risk.

Managing browser security requires a twofold approach. First, enterprises must be willing to give up traditional methods of protection in favor of advanced endpoint security that acts in real time to detect malicious code or suspicious behavior. Gone are the days of catchall firewalls and zero-day patches. Second, organizations must shed the notion that browsers are the first line of security or form the basis of any secure defense. It is better to assume a breach is imminent, happening or has just occurred rather than be surprised by newly discovered, damaging vulnerabilities.

Browser malware is on the rise and is here to stay. Combating the problem requires a change of address — security needs a new home.
