As alternative browsers battle for the top spot in the market, they also face the challenge of staying secure, given the increased demand for them to provide users with a safe computing experience.
Several popular browsers were recently found to have significant security flaws. Topping the list was Internet Explorer (IE), which was found to have two separate security vulnerabilities in March alone.
Firefox likewise made headlines with its own security flaw, which was severe enough to prompt the German government to issue a warning against Mozilla. The vulnerability in question, however, has already been addressed with the recent release of Firefox 3.6.2.
Other browsers like Opera and Safari were also found to have their own flaws, though these have already been patched. Well-known security expert Charlie Miller said he has more Safari zero-day flaws to publicly reveal. That is not good for Safari or for Google Chrome, since both use the same underlying WebKit rendering engine.
Trend Micro researcher Rajiv Motwani says, “Apart from the above-mentioned flaws, we cannot even begin to guess how many are currently being exploited in the wild. We also forget that a large number of users do not actually patch their systems.” He adds that there are several reasons why users do not patch their systems. These include the nonavailability of a centralized automatic update system, a vendor-dependent patch release cycle, and the perception that traditional antivirus software can protect them against all kinds of threats. The proliferation of malware posing as software patches complicates matters further by instilling doubt and hesitation among users.
Government steps such as the European Union (EU)-imposed browser ballots that provide greater browser selection may help users work around issues in specific browsers. However, Motwani stresses that changing browsers every time a new zero-day vulnerability is announced is impractical. He adds, “How is the user expected to keep track of zero-day and unpatched vulnerabilities? Also, with each browser being more vulnerable than the next, which is the safest option?”
In addition, enterprise users may require testing for performance impact, stability, and compatibility before they roll out patches. Hence, patching is likely to be delayed given the possible effects the patches may have. Instead of switching browsers on the fly, users should use updated versions of all security products and ensure that definitions are up-to-date at all times. It is also important to be wary of links, files, and downloadable data that appear on social-networking sites or come from unknown sources. Disabling scripting or, at least, restricting its use to trusted sites is also a good option to avoid falling prey to exploits that abuse script files.