Yet Another Reason To Upgrade Your Browser
The browser wars are all but over, and though there may be a blurry winner, one thing is for certain — many of the older browser versions contained bugs. Lots of bugs. Especially important are the security bugs. You know the ones: they can allow hackers to gain access to your PC or do other nefarious things. So what’s a guy to do? Simple. Upgrade. You should always be running the latest version of your favourite browser PLUS ensure that you’ve got all the security fixes and patches.
There are dozens upon dozens of browser vulnerabilities. I did a quick Google search on vulnerabilities by browser and found a few resources. This is by no means exhaustive, but useful. What I was really searching for was a table that would show me the different versions of Microsoft Internet Explorer, Firefox and all the other browsers out there along with the version number(s) of the browsers, counts of browser vulnerabilities and worst type of browser vulnerability. Couldn’t find something exactly like that…
Sans.org had this to say about client side browser vulnerabilities:
Client-side Browser Vulnerabilities in:
C1. Web Browsers
C1.1 Description
Microsoft Internet Explorer is the world’s most popular web browser and is installed by default on every Microsoft Windows system. Unpatched or older versions of Internet Explorer contain multiple vulnerabilities that can lead to memory corruption, spoofing and execution of arbitrary scripts or code. The most critical issues are the ones that lead to remote code execution without any user interaction when a user visits a malicious web page or reads a malicious email. Exploit code for many of these critical Internet Explorer flaws is publicly available. In addition, Internet Explorer has been leveraged to exploit vulnerabilities in other core Windows components such as HTML Help and the Graphics Rendering Engine. During the past year, hundreds of vulnerabilities in ActiveX controls installed by Microsoft and other software vendors have been discovered. These are also being exploited via Internet Explorer.
Mozilla Firefox is the second most popular web browser after Internet Explorer. It also has a fair share of vulnerabilities. In 2007, it has released several updates to address publicly disclosed vulnerabilities. Similarly to Internet Explorer, unpatched or older versions of Firefox contain multiple vulnerabilities that can lead to memory corruption, spoofing and execution of arbitrary scripts or code. The web sites exploiting the browser vulnerabilities typically host several exploits, and even launch the appropriate exploit(s) based on which browser the potential victim is using.
With the explosion of rich content in web sites, a parallel increase has been seen in the number of Browser Helper Object and third-party plug-ins used to access various MIME file types such as multimedia and documents. These plug-ins often support client-side web scripting languages such as Macromedia Flash or Shockwave. Many of these plug-ins are installed (semi-)transparently by a website. Users may thus not be aware that an at-risk helper object or plug-in is installed on his/her system. These additional plug-ins introduce more avenues for hackers to exploit to compromise computers of users visiting malicious web sites.
In October 2007, for example, systems running Windows XP and Windows Server 2003 with Windows Internet Explorer 7 were found not to handle specially crafted Uniform Resource Identifiers (URIs) properly. By creating a specially crafted URI in a PDF document attackers were able to execute arbitrary commands on vulnerable systems.
So how does this impact you? Well, if I need to tell you this then you’re loooong gone.
Seriously though, now PayPal is getting into the fray. They’ve recently announced that they will cease support for older browsers and Safari – meaning that they will block access to PayPal for users that still use these browsers.
Under PayPal’s plan, Apple Inc.’s Safari would be banned completely, while only older versions of its rivals Microsoft Corp.’s Internet Explorer and Mozilla Corp.’s Firefox would be barred.
…
PayPal did not specify a timetable when it would switch on its browser blocking, and did not reply to request for one on Friday. Apple also did not respond to an e-mail asking for comment.
Most recently I’ve read that, instead of using the word “blocks”, they are now saying that they are “considering blocking” — a big change.
I was expecting to see something on their blog, but alas nothing was posted there – but there was a post by their CIO – http://www.thepaypalblog.com/weblog/2008/04/a-practical-app.html.
The announcement was made in a PDF paper for the RSA Conference.
Enjoy the read!
Mohamed

Great post. People often like to stick with the version of their browser that they’re familiar with, but new browser versions aren’t just flashy updates, they often come with security fixes for current problems on the internet and by sticking with an older browser you can leave yourself vulnerable.
——————————————————
Fred Reckling
Microsoft Security Outreach Team
http://www.microsoft.com/hellosecureworld/level7
Hi Fred,
Welcome! Thank you for your comment.
For the longest time, I never updated my browser or software then got hit with a nasty virus a few years back. Changed my outlook totally. After having spent months recreating my system from bits ‘n pieces I vowed I’d never let that happen again.
Your system will run sooo much smoother if you keep it updated.
Take care,
Mohamed
I’m a Firefox user myself, and my security settings are very zealous. My plugins don’t even let a page run ads or javascript unless I say otherwise.
I design my sites to work with Firefox, and, to an extent, to render like Hell in IE, mainly cause I hate the uncustomizable POS.
Dartz – more and more users like Firefox for that reason. You can decide what plugins you want, and you have more control over the browser. Firefox is definitely the way to go, especially if you want flexibility combined with the power of being able to customize the software to your individual requirements.
Mo
IE is a disaster, but even Opera and Mozilla are full of holes. I recently got a trojan alert on Opera browser. So even browsers that are hardly used take advantage of the mainstream exploits. Mozilla is far from perfect too.
Each and every one has its own bugs. I do keep at least two latest browsers in my system, preferably Firefox and IE.
Every browser has its quirks and security issues, but IE takes the cake since it is embedded into Windows and has far too many hooks into the registry. I try to keep an up-to-date version of Opera, Firefox, and IE so that I can properly test my web sites.
Great post!
I have at least 5 browsers now in my system: IE, Firefox, Opera, Safari and Avant.
There are so many browsers now and it gives choices to users. But it makes the webmaster crazy because he must work harder to make his website compatible with other browsers.
To be very true, I always upgrade all my stuff and especially my browser. After upgrading my browser very last time, I was forced to go back to pick up my old version of FF. New Firefox sucks regarding its memory consumption and bad cookie behavior. I was not expecting that from FF but this is a reality.
Well, I’m using FF and it updates automatically.