Why browser vulnerabilities are a serious threat – and how to minimize your risk

Everyone uses browsers to access a wide range of networked systems, from business sites to enterprise management. As a result, browsers collect tons of sensitive information – from passwords to credit card data – that hackers are eager to get their hands on.

Additionally, browser vendors frequently add new features, which increases the risk of flaws in the program code that hackers can exploit. And even though there seem to be a lot of different web browsers, there are actually only two open source browser engines. Chrome, Vivaldi, Brave and many other browsers are all built on the same engine, Chromium.

Even Microsoft killed Internet Explorer in 2021 and moved to Chromium with Edge. The only surviving alternative to Chromium is Mozilla Firefox, which uses a different engine; all other browsers are proprietary enterprise tools like Apple Safari. As a result of this consolidation, adversaries can focus narrowly on finding vulnerabilities in just these two browser engines.

The Latest Critical Web Browser Vulnerabilities
Every month we see a myriad of new serious vulnerabilities in web browsers. In the first half of 2022, Chrome announced three zero-day vulnerabilities. By exploiting CVE-2022-0609, hackers can corrupt data and execute code on vulnerable systems. CVE-2022-1096, which was discovered in the wild, affects the V8 JavaScript engine. CVE-2022-1364, which was also discovered in the wild, can be exploited to trigger remote code execution on a targeted system, and affects not only the nearly 3 billion Chrome users, but also all those using any other Chromium-based browser.

Mozilla isn’t immune to vulnerabilities either. So far in 2022 we have seen CVE-2022-22753, a high severity vulnerability that can allow an adversary to gain administrator rights in Windows; CVE-2022-22753, which could be abused to access an arbitrary directory; and CVE-2022-1802 and CVE-2022-1529, which could be exploited to allow execution of JavaScript code.

The problem is not only serious but growing: in the first quarter of 2022 alone, Chrome patched 113 vulnerabilities, 13% more than during the same period in 2021, while Firefox patched 88 vulnerabilities, or a 12% jump from the first quarter of 2021. These increases make browsers a prime target for hackers.

How Hackers Attack Browsers
Hackers use several techniques to exploit browser vulnerabilities. Sometimes they discover a vulnerability that allows them to download and execute malicious code when a user simply visits a compromised site. From there, the code can download other malicious packages or steal sensitive data. Plug-ins are a common vector for these “drive-by download” attacks.

A more common tactic, however, is for hackers to send phishing emails that lead to exploit kits targeting web browsers. Indeed, Cisco’s 2021 Cybersecurity Threat Trends Report found that around 90% of data breaches were due to phishing. A person clicks on a link in a phishing email, which opens a malicious page in their browser; that page can then exploit an unpatched vulnerability in the browser to deploy malware or steal data stored in the browser. For example, the Magnitude exploit kit actively targeted Chromium in October 2021.

Strategies to Mitigate Risk from Browser Vulnerabilities
Organizations should combine several techniques to reduce their risk from browser vulnerabilities. The first is to keep all browsers up to date. However, patching browsers can be problematic. Research shows that 83% of users are running versions of Chrome that are vulnerable to zero-day attacks already identified by Google. One reason is simply that many users don’t like restarting their browser, which is often necessary as part of an update.

Another obstacle to patching is that many people install browsers under their user profiles, in folders that system administrators cannot access without special tools. To overcome these issues, automate patches for third-party apps, including browsers; ensure your IT teams can force reboots remotely in a way that is convenient for end users; and manage applications installed under user profiles.
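The patch audit described above can be run over an inventory export. The following is an added example, not code from the original article: the row format, the `restart_pending` flag, the host names and the baseline versions are all constructed assumptions. It flags browsers below the baseline, installs under user profiles, and updates waiting on a restart, and it compares versions numerically because a plain string comparison ranks Chrome 100 below Chrome 99.

```python
import re
from pathlib import PureWindowsPath

# Constructed baselines; substitute the vendors' current fixed releases.
MIN_VERSION = {"chrome": "100.0.4896.127", "firefox": "100.0.2"}

# Constructed inventory rows: host, browser, version, install path, and
# whether an update is downloaded but waiting for a browser restart.
INVENTORY = [
    ("ws-01", "chrome", "100.0.4896.127",
     r"C:\Program Files\Google\Chrome\Application\chrome.exe", False),
    ("ws-02", "chrome", "99.0.4844.84",
     r"C:\Users\alice\AppData\Local\Google\Chrome\Application\chrome.exe", True),
    ("ws-03", "firefox", "100.0.2",
     r"C:\Users\bob\AppData\Local\Mozilla Firefox\firefox.exe", False),
    ("ws-04", "chrome", "n/a",
     r"C:\Program Files\Google\Chrome\Application\chrome.exe", False),
]

def parse_version(text):
    """Return a tuple of ints so that 100.x sorts after 99.x (strings do not)."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def is_per_user_install(path):
    """True when the binary lives under C:\\Users\\<name>\\..., outside admin-managed folders."""
    parts = PureWindowsPath(path).parts
    return len(parts) > 2 and parts[1].lower() == "users"

def audit(rows, minimums=MIN_VERSION):
    """Map each host with a problem to its list of findings."""
    report = {}
    for host, browser, version, path, restart_pending in rows:
        findings = []
        try:
            if parse_version(version) < parse_version(minimums[browser]):
                findings.append("outdated")
        except (ValueError, KeyError):
            findings.append("unknown-version")  # never let bad data pass as patched
        if is_per_user_install(path):
            findings.append("per-user-install")
        if restart_pending:
            findings.append("restart-pending")
        if findings:
            report[host] = findings
    return report

if __name__ == "__main__":
    for host, findings in audit(INVENTORY).items():
        print(host, ", ".join(findings))
```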

The second measure is to apply multi-factor authentication (MFA) on all critical systems and services. This way, hackers won’t be able to access these resources even if they manage to steal a user’s credentials.

Third, regularly clear browser history on users’ machines to remove stored passwords and cookies, as cookies can allow attackers to access services such as email without the user’s credentials. Make sure your IT teams can perform these tasks remotely and, ideally, automate them.

Fourth, don’t forget the human factor. Be sure to deploy an extensive cybersecurity awareness program that educates all of your users on security best practices and why they should follow them. In particular, teach them how to spot phishing emails and why to avoid using browser plug-ins or extensions, especially ones that don’t get regular updates. Also, train them to choose strong, unique passwords for each website they visit and not store passwords in their browsers; to make this easier, give them a password manager app.
