The browser wars are all but over, and though there may be a blurry winner one thing is for certain — many of the older browser versions contained bugs. Lots of bugs. Especially important are the security bugs. You know the ones, they can allow hackers to gain access to your PC or other nefarious things. So what’s a guy to do? Simple. Upgrade. You should always be running the latest versions of your favourite browser PLUS ensure that you’ve got all the security fixes and patches.
There are dozens upon dozens of browser vulnerabilities. I did a quick Google search on vulnerabilities by browser and found a few resources. This is by no means exhaustive, but useful. What I was really searching for was a table that would show me the different versions of Microsoft Internet Explorer, Firefox and all the other browsers out there along with the version number(s) of the browsers, counts of browser vulnerabilities and the worst type of browser vulnerability. Couldn’t find something exactly like that…
SANS.org had this to say about client-side browser vulnerabilities:
Client-side Browser Vulnerabilities in:
C1. Web Browsers
Microsoft Internet Explorer is the world’s most popular web browser and is installed by default on every Microsoft Windows system. Unpatched or older versions of Internet Explorer contain multiple vulnerabilities that can lead to memory corruption, spoofing and execution of arbitrary scripts or code. The most critical issues are the ones that lead to remote code execution without any user interaction when a user visits a malicious web page or reads a malicious email. Exploit code for many of these critical Internet Explorer flaws is publicly available. In addition, Internet Explorer has been leveraged to exploit vulnerabilities in other core Windows components such as HTML Help and the Graphics Rendering Engine. During the past year, hundreds of vulnerabilities in ActiveX controls installed by Microsoft and other software vendors have been discovered. These are also being exploited via Internet Explorer.
Mozilla Firefox is the second most popular web browser after Internet Explorer. It also has a fair share of vulnerabilities. In 2007, it released several updates to address publicly disclosed vulnerabilities. Similarly to Internet Explorer, unpatched or older versions of Firefox contain multiple vulnerabilities that can lead to memory corruption, spoofing and execution of arbitrary scripts or code. The web sites exploiting the browser vulnerabilities typically host several exploits, and even launch the appropriate exploit(s) based on which browser the potential victim is using.
With the explosion of rich content in web sites, a parallel increase has been seen in the number of Browser Helper Objects and third-party plug-ins used to access various MIME file types such as multimedia and documents. These plug-ins often support client-side web scripting languages such as Macromedia Flash or Shockwave. Many of these plug-ins are installed (semi-)transparently by a website. Users may thus not be aware that an at-risk helper object or plug-in is installed on their system. These additional plug-ins introduce more avenues for hackers to exploit to compromise computers of users visiting malicious web sites.
In October 2007, for example, systems running Windows XP and Windows Server 2003 with Windows Internet Explorer 7 were found not to handle specially crafted Uniform Resource Identifiers (URIs) properly. By creating a specially crafted URI in a PDF document attackers were able to execute arbitrary commands on vulnerable systems.
So how does this impact you? Well, if I need to tell you this then you’re loooong gone.
Seriously though, now PayPal is getting into the fray. They’ve recently announced that they will cease support for older browsers and Safari – meaning that they will block access to PayPal for users that still use these browsers.
Under PayPal’s plan, Apple Inc.’s Safari would be banned completely, while only older versions of its rivals Microsoft Corp.’s Internet Explorer and Mozilla Corp.’s Firefox would be barred.
PayPal did not specify a timetable for when it would switch on its browser blocking, and did not reply to a request for one on Friday. Apple also did not respond to an e-mail asking for comment.
Most recently I’ve read that, instead of using the word “blocks”, they are now saying that they are “considering blocking” — a big change.
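To make the plan concrete, here is an added example (my own code, not PayPal’s) of the kind of server-side check a site would run: parse the User-Agent header into a browser family and version, ban the families the page says would be blocked outright, and warn users of versions below a minimum. The minimum versions are placeholders I chose, since the article does not state PayPal’s thresholds.

```python
import re
from typing import Optional, Tuple

# Assumed policy (placeholders): minimum acceptable major version per family.
# The page does not give PayPal's actual cut-offs.
MIN_MAJOR = {"MSIE": 7, "Firefox": 2}
# The page says Safari would be banned completely.
BLOCKED_FAMILIES = {"Safari"}


def parse_user_agent(ua: str) -> Optional[Tuple[str, int, int]]:
    """Return (family, major, minor) for IE, Firefox or Safari, else None.

    Only the three families named in the article are recognised; anything
    else (Opera, bots, empty headers) is reported as unknown.
    """
    m = re.search(r"MSIE (\d+)\.(\d+)", ua)
    if m:
        return "MSIE", int(m.group(1)), int(m.group(2))
    m = re.search(r"Firefox/(\d+)\.(\d+)", ua)
    if m:
        return "Firefox", int(m.group(1)), int(m.group(2))
    # Safari advertises its version in a separate "Version/x.y" token.
    # Later WebKit browsers also carry "Safari/", so exclude Chrome here.
    if "Safari/" in ua and "Chrome/" not in ua:
        m = re.search(r"Version/(\d+)\.(\d+)", ua)
        if m:
            return "Safari", int(m.group(1)), int(m.group(2))
        return "Safari", 0, 0
    return None


def decide(ua: str) -> str:
    """Map a User-Agent string to 'allow', 'warn', 'block' or 'unknown'."""
    parsed = parse_user_agent(ua)
    if parsed is None:
        return "unknown"
    family, major, _minor = parsed
    if family in BLOCKED_FAMILIES:
        return "block"
    if major < MIN_MAJOR[family]:
        return "warn"  # outdated: nudge the user to upgrade
    return "allow"


if __name__ == "__main__":
    # Constructed sample header, in the format browsers of the period sent.
    print(decide("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"))
```

Note that the User-Agent header is supplied by the client and trivially changed, so a check like this is a usability nudge toward patched browsers, not a security control; it does nothing against a spoofed header or against an up-to-date browser with a vulnerable plug-in.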
I was expecting to see something on their blog, but alas nothing was posted there – but there was a post by their CIO – http://www.thepaypalblog.com/weblog/2008/04/a-practical-app.html.
Enjoy the read!