Don’t Blame the Browser
Melih Abdulhayoglu, 2009-02-06

There was a time when most diseases were fatal for humans. Intense study and research helped doctors manage diseases better, and subsequently even prevent them altogether.

Today, vaccination is an established and permanent method of preventing diseases by strengthening the body’s natural defenses against the causal elements. The solution lies in eliminating the threat by shoring up the immune system and creating a wall of defense, and not in just managing the symptoms.

The same principle applies to Internet browsers too. True, browsers do come with a built-in security mechanism. However, it should not be their job to be on watch all the time. Browsers are there to perform a function: to browse the Internet. Rather than also attempting to secure the user, they should work together with security products to protect the computer network and data against intruders and prevent attacks.

Internet users remember the Internet Explorer 7 incident last year. The IE XML Heap Corruption Vulnerability — a buffer overflow attack — allowed malicious programs to compromise computer systems by overloading the target application’s memory buffer with covertly downloaded code. Web browsers, mail clients and IM programs were particularly vulnerable to these attacks, causing data theft and system crashes.

IE users seemed to panic when they learned of the browser’s vulnerability. In media reports, some security experts suggested moving to alternate browsers until a patch was available.

However, the problem is not Microsoft’s browser, but inadequate prevention of exploitation in browsers in general. Internet Explorer has security flaws, just like any other browser. Unlike other browsers, however, IE is the default browser for millions of users around the world. When a problem occurs, the sheer impact in terms of the affected numbers exacerbates an already bad situation. IE’s December 2008 incident was no different.

How do other browsers fare in the risk ratings? True, users of Firefox, Safari and Opera are more likely to surf using the latest version — and generally the most secure version — of the browser. They are safer too, perhaps, but not entirely secure, since all software is a work in progress.

The primary difference is one of impact. While IE’s buffer overflow problem had the world’s attention in December, emergency patches were rushed out to fix security holes in Firefox and Opera around the same time. Moreover, Google's Chrome browser underscored that newer technology or being the latest to the market doesn’t always guarantee foolproof security.

Browsers are meant for you to browse. Not to secure your computer. Not to protect your files against prowlers on the Web. Not to stop attacks from sundry viruses and Trojans. While all browsers have some forms of protection built in today, no one can rely totally on the default security attributes.

Faster, better processors give us more power in computing. But the more evolved the software we build, the more complex the code and the more functionality we add, the more challenging it becomes to test and check for loopholes. Beyond that, technology — no matter how advanced — cannot stop hackers and phishers from developing newer ways to exploit browser vulnerabilities.

Security patches are effective only when they are made available to the user quickly. Disabling certain features in your browser, such as JavaScript and ActiveX controls, will only limit your browsing capabilities. Regulating user behavior by blocking access to certain Web sites or monitoring downloads merely sidesteps the issue. Regular operating-system and antivirus updates, using the latest browser version, and installing anti-spyware programs should be standard operating procedures, but they merely react to the threat.

Moving to another browser may reduce the vulnerability factor, but cannot negate the threat factor completely — a temporary solution at best. Internet Explorer is the most popular browser in the world, so of course hackers are going to try to exploit it. However, switching browsers is not the answer; preventing threats is.

What’s required on the part of a browser user is not a quick-fix remedy such as a security patch, but a permanent solution that anticipates and eliminates a broad class of threats. Memory firewalls, for example, monitor the memory space of all installed applications and could prevent buffer overflow attacks by blocking all intrusions.

PC security must be based on prevention. A safeguard mechanism will ensure that prospective intruders are kept permanently at bay, regardless of the browser. The solution therefore lies in moving away from traditional detection-based software and stepping up to a prevention-based technology.

Security problems may compromise the average Internet browser. They needn’t compromise your network’s security, if you prepare wisely.

Melih Abdulhayoglu is CEO and Chief Security Architect of Comodo, the second-largest issuer of high-assurance SSL certificates. Melih earned a BS in Electronic Engineering from Bradford University in 1991 and blogs at http://www.melih.com/.
Copyright 2010, SecurityFocus