Three reasons why browsers are so difficult to secure

Over 70% of cyber attacks target web browsers. Here's why they're so difficult to secure

For organisations trying to balance web browser security with end user functionality, the cyber security issues affecting browsers are well known.

Nearly three-quarters of the top cyber attacks in 2016 targeted web browsers in drive-by download attacks, where a user is tricked into clicking on a malicious pop-up. That makes browsers one of the biggest sources of security incidents and data breaches in organisations.

While email remains a component of many attacks, it is most often used to deliver URLs that lead to malicious or compromised websites, making the browsers themselves the primary attack vector.

Shift from email to web

As far back as 2013, threat researchers and security vendors noticed primary malware delivery methods were shifting from email-based to web-based. There are two primary reasons for this shift: the time difference between delivery and execution, and differing user experience expectations.

When delivered by email, a malicious attachment may not be opened for minutes, hours, days or longer. This time interval increases the chances of detection.

Conversely, web browsing is time-sensitive. Users do not tolerate delays when accessing online content, for example when downloading and reading a PDF, so there is far less time to detect a threat between delivery and execution. Since the exploit is often hosted, the attacker is also able to rapidly modify it to evade detection, and can even go so far as to automate such modifications.

Third-party plugins

Third-party browser plugins only make securing browsers more complicated. A well-known example is Adobe Flash Player, which is still widely used for viewing multimedia and streaming video and audio in browsers despite its buggy nature: Flash provided six of the top 10 vulnerabilities used by exploit kits in 2016, according to a study by Recorded Future.

Functionality is always the primary goal of web browser designers and developers of browser plugins. Security, more often than not, is an afterthought.

Browser diversity

Gone are the days of a standard browser with a standard configuration on a standard enterprise-managed version of Windows. Not only are there multiple browser types, operating systems and plugins, but old versions of browsers are still required for compatibility in some cases, with Internet Explorer 7 persisting in many enterprises.

Asking one browser configuration to support all use cases and security requirements is a losing battle that compromises user experience, support and security.

The browser at the endpoint must be secure enough to protect the user, endpoint, enterprise and sensitive data. At the same time, the approach has to be flexible enough to support the competing demands of user experience and security control.

With 90% of undetected malware being delivered via web browsing, it is clear that attackers will continue to be relentless in their attempts to compromise organisations by targeting end user systems, according to a whitepaper from Citrix.

Whether the attack is delivered by email or hosted on a website, ultimately the goal is to exploit a vulnerability in an application to gain a foothold on the target system. Leveraging vulnerabilities in web browsers and plugins is increasingly the favoured attack vector, and organisations should be aware of the options available to fully secure browsers.
