Over the past few years, vendors of the most popular Web browsers have developed new and improved security features to help promote the latest releases and capture market share, particularly in the enterprise sector.
However, this trend appears to have come to an abrupt halt, as security innovations aren't the focus of the most recent versions of Mozilla Firefox or Google Chrome. And the newest version of Microsoft Internet Explorer, IE 11 has no new security features to speak of, just updated security mitigations.
As both gateway to the Internet and application interface of choice, the browser will remain a top target for those looking to compromise or steal corporate data.
So, what does this mean? With so little focus on security, does it mean that browsers are now perfectly secure? In this tip, we will explore the current state of Web browser security maturity in the context of IE 11 security, what the future of Web browser security holds and what enterprises can do to maintain safety.
IE 11: Have browser security measures plateaued?
The latest version of Internet Explorer, IE 11, has been criticized for its lack of new security measures. Many are saying the absence of new features is due to the fact that browser security technology has plateaued. However, despite its lack of new security measures, IE 11 does offer some updated security mitigations.
For example, to prevent the risks associated with IE 11's fresh support for the Web Graphics Library three-dimensional graphics standard and to defend against WebGL-based attacks, Microsoft has added client-side sandboxing to its graphics drivers. Should an attacker find a way to inject malicious code via WebGL, it won't damage the rest of the system. Elsewhere, Enhanced Protected Mode and AppContainer are now turned on by default to prevent webpages from reading or writing to protected parts of the operating system. There are also a few new minor Group Policy security-related settings. For the privacy-minded, Do Not Track exceptions in the browser settings can be used to stop websites from tracking users by default.
In my opinion, it's a best practice to use the latest version of any software and keep it patched. Even though IE 11 isn't bristling with new security features, it's still sensible to upgrade and take advantage of the extra protection the upgrade can offer.
The truth about Web browser security
Unfortunately, no application will ever be 100% secure. As both gateway to the Internet and application interface of choice, the browser and plug-in ecosystem (Java in particular) remains a top target for those looking to compromise or steal corporate data.
More information on Web browser security
The four layers of Internet Explorer security
Web browser security comparison: Are Firefox security issues legit?
IE security risks: Making the switch to a more secure browser
IE security vs. Firefox
There's no doubt that browsers today are far more secure than earlier versions. Common attack vectors -- such as buffer overflows -- have been addressed and are successfully blocked using such mitigation technologies as Address Space Layout Randomization and Data Execution Prevention.
However, improved security only forces cybercriminals to look elsewhere for soft spots to exploit. Many hackers today are spending time and resources crafting social engineering-based attacks to trick victims into installing malicious code. This is one reason why many recent browser security features have been designed to stop users from reaching known malicious sites or downloading content from risky sources.
Securing the weakest link
Employees are very much the weakest link in enterprise defenses. Sadly, most people will opt for the browser that gives them the best user experience, not the one with the best security options. Too many alerts and warnings will often result in employees turning off the very security controls aimed at protecting them. As I see it, many browser vendors may be holding back on introducing new security features while they assess feedback from users to gauge which existing default settings are resulting in both increased security and an acceptable user experience.
Keep in mind that there are limits to the protection that browser software can offer, especially when users must run untrusted code when surfing the Web, or as marketing and advertising services continue to try and circumvent the many highly publicized browser features that have focused on ensuring user privacy.
An enterprise's best defenses
To enhance overall browser security, it would be nice to see improved compatibility with Web standards across all browsers. This not only would make secure site implementations easier but also would reduce the amount of time spent trying to make pages display correctly across all platforms. Google's mooted AdID -- a type of user tracking technology that aims to replace third-party cookies -- may also pave the way for more responsible tracking by advertisers.
Unfortunately, this Web browser utopia may never come to fruition. So for now, hackers will continue to find browser weaknesses and focus on vulnerable endpoints, meaning endpoint antimalware protection is still a vital enterprise defense.
Additionally, applications whose source code has been stolen (such as products from Adobe) will continue to be popular attack vectors, as hackers are able to find zero-day exploits with relative ease. Browser plug-ins and mobile apps will also remain favorites because network administrators have a hard time controlling their installation and use.
When new attack techniques are discovered that compromise the browser, vendors will rush to release new versions that will mitigate them, along with additional controls to protect users from their own actions.
In the end, it is important for enterprises to adopt additional security controls beyond the defenses browser makers build into their products. While browser security has come a long way over the years, additional defenses, such as a Web security gateway, endpoint antimalware and security awareness training, are essential to staying ahead of the many determined, creative browser attackers and those that use them.
About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 15 years of experience in the IT industry and another 16 years of experience in finance. He is the founder and managing director of Cobweb Applications Ltd., a consultancy that helps companies secure their networks and websites, and also helps them achieve ISO 27001 certification. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Michael is also a Microsoft Certified Database Administrator and a Microsoft Certified Professional.
This was first published in December 2013