Problem solve Get help with specific problems with your technologies, process and projects.

Will Web browsers ever be fully equipped to detect and remove malware?

The latest group of browser updates allow for the detection of bogus Web sites, but what other features can be expected? Ed Skoudis explains how a Web browser's complexity may hinder its future malware defense capabilities.

In the future, will the browser play the greatest role in malware protection? Are today's browsers efficiently equipped to fight malware?
The browser will play an increasing role, but I don't think it'll play the greatest one. The latest group of browser updates, like those of IE 7 and Firefox 2.0, has some pretty interesting features for detecting bogus Web sites at look-alike domains. Browsers, however, are complex pieces of software, having to parse hundreds of different file types and interpret a dozen or more languages, like HTML and various browser scripting languages.

Complexity, though, is often the enemy of security. Numerous bugs hidden in all of that complicated code can lead to exploitable security vulnerabilities. So defenses need to be balanced among the browser, the operating system and the network. It's the old defense-in-depth philosophy. We should not put all of our infosec eggs solely in the browser basket. The browser can help, but it can also be subverted.

That being said, I do not believe that today's browsers are sufficiently equipped to fight malware. Major browser vulnerabilities are discovered on a regular basis, and attackers install a great deal of malware by exploiting these browser holes. That manipulation will likely continue for some time. The browsers have improved, but all the browser-helper applications that play media files, including QuickTime and Acrobat Reader, and render different languages, like Flash, are proving to be a big security concern. The browser doesn't really prevent these third-party tools from being subverted, even though it invokes them.

Some people may say that it's not the browser's job to protect against errant third-party applications, and that's certainly a defendable argument. If everyone had that reasoning, it would be hard to believe that the browser would play "the greatest role in malware protection."

More information:

This was last published in October 2007

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

No, not fully. While there are certain built-in features and add-ons, the goal is a moving target.
The problem with that idea is that malware is constantly changing, so browsers will need to be constantly improved, but then malware is constantly being improved, so…