SAN FRANCISCO -- Web browsers from all vendors are under constant attack, and a large part of that has to do with third-party software. Browsers running Java and Silverlight in particular are often targeted, but Robert "RSnake" Hansen, vice president of WhiteHat Labs at WhiteHat Security, says the fault does not always lie with the browser, but with the third-party software.
"[The browser vendors] don't really have a firm knowledge of all the bad things that could happen because they didn't write the code, and because it updates on its own. But worse, even if they did have good knowledge of it, [the browser vendors] don't control it, so even if they know there's a vulnerability there, they can't do anything about it."
"The Web is so ubiquitous," RSnake says. "It's so easy, it's so pervasive, it's so dynamic; and firewalls basically say 'come on in.' I think it makes a lot of sense that [the Web] would be the way [attackers] come in."
As for the problematic Java, Silverlight and Flash, RSnake is hesitant about whether eradicating them from the Web entirely is really a solution.
"It's possible. I don't think it [will] happen anytime in the near future. … There are still a lot of applications that still rely on the legacy things."
RSnake also bleakly addressed the Menlo Security report that says a third of the top websites are either compromised or running vulnerable software.
"Unfortunately I think that's just being really optimistic. I think 100% of [top websites] are running vulnerable software, they just don't know it. Or the vulnerabilities haven't been announced yet, or haven't been found yet or whatever. I know that sounds really bad, but the Internet was not built with security in mind."