dcsimg

Top Five Vulnerabilities Attackers Use Against Browsers

  • Top Five Vulnerabilities Attackers Use Against Browsers

    Top Five Vulnerabilities Attackers Use Against Browsers-

    Code execution exploits in the browser

    This is the most egregious type, and also the rarest. Occasionally attackers will discover a vulnerability in the browser itself that allows execution of arbitrary binary code when a user simply visits a compromised site. Browsers are complex pieces of machinery with many subsystems (HTML rendering, JavaScript engine, CSS parser, image parsers, etc.), and a small coding mistake in any of these systems could offer malicious code just enough of a foothold to get running. From there, the malicious code has lots of options – downloading other malicious packages, stealing sensitive data and sending it to servers abroad, or silently waiting for further instructions from the attacker. The attacker doesn't even have to compromise a legitimate site to host such an attack – advertising networks have been used to distribute malicious code on otherwise secure sites.

    Ways to avoid: Turn on automatic updates in Windows and in your browser of choice. This type of vulnerability is usually quickly patched by the browser or OS vendor, and so attackers have a very short window in which to use it against fully updated systems. You're probably not the target that they're going to use this rare and valuable zero-day against.

1 | 2 | 3 | 4 | 5 | 6 | 7

Top Five Vulnerabilities Attackers Use Against Browsers

  • 1 | 2 | 3 | 4 | 5 | 6 | 7
  • Top Five Vulnerabilities Attackers Use Against Browsers-2

    Code execution exploits in the browser

    This is the most egregious type, and also the rarest. Occasionally attackers will discover a vulnerability in the browser itself that allows execution of arbitrary binary code when a user simply visits a compromised site. Browsers are complex pieces of machinery with many subsystems (HTML rendering, JavaScript engine, CSS parser, image parsers, etc.), and a small coding mistake in any of these systems could offer malicious code just enough of a foothold to get running. From there, the malicious code has lots of options – downloading other malicious packages, stealing sensitive data and sending it to servers abroad, or silently waiting for further instructions from the attacker. The attacker doesn't even have to compromise a legitimate site to host such an attack – advertising networks have been used to distribute malicious code on otherwise secure sites.

    Ways to avoid: Turn on automatic updates in Windows and in your browser of choice. This type of vulnerability is usually quickly patched by the browser or OS vendor, and so attackers have a very short window in which to use it against fully updated systems. You're probably not the target that they're going to use this rare and valuable zero-day against.

Web browsers are the primary target for many attackers these days, because so much sensitive data passes through them. From casual shopping to enterprise management systems to military operations, browsers have become the primary vehicle people use to access network-connected systems. Unfortunately, browsers have a long and storied history of vulnerabilities that have provided attackers with a lucrative and near-endless supply of victims upon which to prey. Quarri Technologies, Inc., a Web information security software company, has identified some of the top vulnerabilities attackers use against browsers.

Note: This slideshow is focused on browser vulnerabilities, not website vulnerabilities (SQL injection attacks, XSS, XSRF, et al). The distinction is subtle but important.