Commentary

Why Browser Vulnerabilities Are a Serious Threat — and How to Minimize Your Risk

As a result of browser market consolidation, adversaries can focus on uncovering vulnerabilities in just two main browser engines.

Everyone uses browsers to access a wide range of networked systems, from shopping sites to enterprise management. As a result, browsers collect tons of sensitive information — from passwords to credit card data — that hackers are eager to get their hands on.

Moreover, browser vendors frequently add new features, which increases the risk of flaws in program code that hackers can exploit. And even though there seem to be a lot of different Web browsers, there are actually just two open source browser engines. Chrome, Vivaldi, Brave, and many other browsers are all built on the same engine, Chromium.

Even Microsoft killed Internet Explorer in 2021 and switched to Chromium with Edge. The only surviving alternative to Chromium is Mozilla Firefox, which uses a different engine; all the other browsers are proprietary corporate tools like Apple Safari. As a result of this consolidation, adversaries can focus closely on uncovering vulnerabilities in those two browser engines.

The Latest Critical Web Browser Vulnerabilities
Every month, we see myriad serious new Web browser vulnerabilities. In the first half of 2022, Google has announced three Chrome zero-day vulnerabilities. By exploiting CVE-2022-0609, hackers can corrupt data and execute code on vulnerable systems. CVE-2022-1096, which was discovered in the wild, affects the JavaScript V8 engine. CVE-2022-1364, which was also discovered in the wild, can be exploited to trigger remote code execution on a targeted system, and affects not just the nearly 3 billion users of Chrome, but also everyone using any other Chromium-based browser.

Mozilla is not immune from vulnerabilities, either. So far in 2022, we've seen CVE-2022-22753, a high-severity vulnerability that can enable an adversary to get admin rights in Windows; CVE-2022-22753, which could be abused to gain access to an arbitrary directory; and CVE-2022-1802 and CVE-2022-1529, which could be exploited to enable JavaScript code execution.

The problem is not just serious but growing: In the first quarter of 2022 alone, Chrome fixed 113 vulnerabilities, 13% more than in the same period in 2021, while Firefox fixed 88 vulnerabilities, a 12% jump from the first quarter of 2021. These increases make browsers a top target for hackers.

How Hackers Attack Browsers
Hackers use multiple techniques to exploit browser vulnerabilities. Occasionally, they will discover a vulnerability that enables them to download and execute malicious code when a user simply visits a compromised site. From there, the code can download other malicious packages or steal sensitive data. Plug-ins are a common vector for these "drive-by download" attacks.

A more common tactic, however, is for hackers to send phishing emails that contain links to exploit kits targeting Web browsers. Indeed, Cisco's 2021 cybersecurity threat trend report found that about 90% of data breaches were due to phishing. A person clicks on a link in a phishing email, which opens a malicious page in their browser; that page can exploit an unpatched vulnerability in the browser to deploy malware or steal data stored in the browser. For example, the Magnitude exploit kit actively targeted Chromium-based browsers in October 2021.

Strategies to Mitigate Risk From Browser Vulnerabilities
Organizations should combine multiple techniques to reduce their risk from browser vulnerabilities. The first is to keep all browsers updated. However, patching browsers can be problematic. Research shows that 83% of users run versions of Chrome that are vulnerable to zero-day attacks that have already been identified by Google. One reason is simply that many users do not like rebooting their browsers, which is often required as part of an update.

Another barrier to patching is that many people install browsers under their user profiles, into folders that system administrators cannot access without special tools. To overcome these issues, automate patching for third-party apps, including browsers; ensure your IT teams can force reboots remotely in a way that is convenient to end users; and manage applications installed under user profiles.
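The per-user installs described above can be found by walking the user profile directories rather than the machine-wide package inventory. The following script is an added example, not code from the original article: it locates Chrome and Firefox copies installed under each Windows user profile, reads their versions, flags anything below a minimum version (the `MIN_VERSIONS` values are placeholders, not real patch floors), and notes Chrome installs that hold two version directories, which is the state Chrome is left in when an update has been downloaded but the browser has not been restarted. The sample directory tree it runs against is constructed inside the script so it works offline.

```python
r"""Inventory Chrome and Firefox copies installed under Windows user profiles.

Chrome's user-level (non-admin) installer puts the browser under
  <profile>\AppData\Local\Google\Chrome\Application\<version>\
and Firefox's per-user installer writes
  <profile>\AppData\Local\Mozilla Firefox\application.ini
with a 'Version=' line. Neither shows up in a machine-wide package inventory,
so walking C:\Users is one way to find them and flag stale versions.
"""
import configparser
import re
import tempfile
from pathlib import Path

# Placeholder thresholds; an operator would fill these from the vendors' current release notes.
MIN_VERSIONS = {"chrome": "100.0.4896.127", "firefox": "100.0"}

_VERSION_DIR = re.compile(r"^\d+(\.\d+)+$")


def parse_version(text):
    """'103.0.5060.53' -> (103, 0, 5060, 53), so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def chrome_versions(profile):
    """Version directories under a user's Chrome install, newest first.

    Chrome keeps the previous version directory next to the new one until the
    browser is restarted, so more than one entry means a restart is still owed."""
    app = profile / "AppData" / "Local" / "Google" / "Chrome" / "Application"
    if not app.is_dir():
        return []
    found = [parse_version(d.name) for d in app.iterdir()
             if d.is_dir() and _VERSION_DIR.match(d.name)]
    return sorted(found, reverse=True)


def firefox_version(profile):
    """Version from a per-user Firefox install's application.ini, or None."""
    ini = profile / "AppData" / "Local" / "Mozilla Firefox" / "application.ini"
    if not ini.is_file():
        return None
    cfg = configparser.ConfigParser()
    cfg.read(ini, encoding="utf-8")
    try:
        return parse_version(cfg["App"]["Version"])
    except (KeyError, ValueError):
        return None


def inventory(users_root, min_versions=MIN_VERSIONS):
    """One finding per browser per user: version, below the floor or not, restart pending or not."""
    findings = []
    for profile in sorted(p for p in Path(users_root).iterdir() if p.is_dir()):
        chrome = chrome_versions(profile)
        if chrome:
            findings.append({
                "user": profile.name, "browser": "chrome",
                "version": ".".join(map(str, chrome[0])),
                "outdated": chrome[0] < parse_version(min_versions["chrome"]),
                "update_pending": len(chrome) > 1,
            })
        firefox = firefox_version(profile)
        if firefox:
            findings.append({
                "user": profile.name, "browser": "firefox",
                "version": ".".join(map(str, firefox)),
                "outdated": firefox < parse_version(min_versions["firefox"]),
                "update_pending": False,
            })
    return findings


def build_sample_users(root):
    """Constructed stand-in for a Users directory, used only to exercise the inventory offline."""
    root = Path(root)
    chrome_app = root / "alice" / "AppData" / "Local" / "Google" / "Chrome" / "Application"
    for ver in ("99.0.4844.84", "103.0.5060.53"):   # two dirs: update applied, restart pending
        (chrome_app / ver).mkdir(parents=True)
    firefox_dir = root / "bob" / "AppData" / "Local" / "Mozilla Firefox"
    firefox_dir.mkdir(parents=True)
    (firefox_dir / "application.ini").write_text("[App]\nVendor=Mozilla\nName=Firefox\nVersion=91.0\n")
    (root / "carol").mkdir()   # no per-user browsers at all
    return root


def demo():
    """Run the inventory against the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return inventory(build_sample_users(tmp))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real endpoint, call `inventory(r"C:\Users")` from a management agent running with rights to read every profile; the `update_pending` flag is the signal that a remote browser restart, rather than another download, is what the machine needs.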

The second measure is to enforce multifactor authentication (MFA) on all critical systems and services. That way, hackers will be unable to access those resources even if they manage to steal a user's credentials.

Third, regularly clear browser data on users' machines to erase stored passwords, and clear their cookies as well, since session cookies can enable attackers to access services such as email without the user's credentials. Ensure your IT teams can perform these tasks remotely and, ideally, automate them.
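One way to automate the audit and clean-up above for Chrome, as an added example rather than code from the article: Chrome keeps saved credentials in the `Login Data` SQLite database of each profile under `%LOCALAPPDATA%\Google\Chrome\User Data` and cookies in `Network\Cookies` (older builds used `Cookies` directly in the profile). The script counts rows in each store so an administrator can see which users rely on browser-stored secrets, and `purge()` deletes the stores outright. The sample user-data directory it runs against is constructed in the script with minimal stand-in schemas (Chrome's real tables have many more columns, but the table names `logins` and `cookies` are the real ones); it is assumed Chrome is closed when `purge()` runs, because a running browser holds the files open and writes its in-memory copy back on exit.

```python
"""Audit, and optionally purge, the passwords and cookies stored in Chrome profiles."""
import shutil
import sqlite3
import tempfile
from pathlib import Path


def find_profiles(user_data_dir):
    """Chrome profile directories: 'Default' followed by 'Profile 1', 'Profile 2', ..."""
    user_data_dir = Path(user_data_dir)
    found = sorted(p for p in user_data_dir.glob("Profile *") if p.is_dir())
    if (user_data_dir / "Default").is_dir():
        found.insert(0, user_data_dir / "Default")
    return found


def _stores(profile_dir):
    """(label, path, table) for the credential and cookie databases of one profile."""
    cookies = profile_dir / "Network" / "Cookies"
    if not cookies.exists():           # layout used before the Network/ subdirectory existed
        cookies = profile_dir / "Cookies"
    return [("saved_logins", profile_dir / "Login Data", "logins"),
            ("cookies", cookies, "cookies")]


def _count_rows(db_path, table):
    """Row count from a snapshot copy; Chrome locks the live database while running."""
    with tempfile.TemporaryDirectory() as tmp:
        snapshot = Path(tmp) / "snapshot.db"
        shutil.copy2(db_path, snapshot)
        conn = sqlite3.connect(snapshot)
        try:
            # `table` comes from _stores(), never from user input, so interpolation is safe here.
            return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]
        finally:
            conn.close()


def audit(user_data_dir):
    """{profile name: {'saved_logins': n or None, 'cookies': n or None}}; None means store absent."""
    report = {}
    for profile in find_profiles(user_data_dir):
        report[profile.name] = {label: (_count_rows(path, table) if path.is_file() else None)
                               for label, path, table in _stores(profile)}
    return report


def purge(user_data_dir):
    """Delete the credential and cookie stores plus their journals. Run only with Chrome closed."""
    removed = []
    for profile in find_profiles(user_data_dir):
        for _label, path, _table in _stores(profile):
            for victim in (path, path.with_name(path.name + "-journal")):
                if victim.is_file():
                    victim.unlink()
                    removed.append(str(victim))
    return removed


def build_sample_user_data(root):
    """Constructed stand-in for a Chrome 'User Data' directory with minimal schemas."""
    root = Path(root)
    default = root / "Default"
    (default / "Network").mkdir(parents=True)
    conn = sqlite3.connect(default / "Login Data")
    conn.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT)")
    conn.executemany("INSERT INTO logins VALUES (?, ?)",
                     [("https://mail.example.test", "alice"), ("https://crm.example.test", "alice")])
    conn.commit()
    conn.close()
    conn = sqlite3.connect(default / "Network" / "Cookies")
    conn.execute("CREATE TABLE cookies (host_key TEXT, name TEXT)")
    conn.executemany("INSERT INTO cookies VALUES (?, ?)",
                     [(".mail.example.test", "SID"), (".mail.example.test", "HSID"),
                      (".crm.example.test", "session")])
    conn.commit()
    conn.close()
    (root / "Profile 1").mkdir()       # a second profile with nothing stored yet
    return root


def demo():
    """Audit the constructed directory, purge it, audit again; return all three results."""
    with tempfile.TemporaryDirectory() as tmp:
        user_data = build_sample_user_data(Path(tmp) / "User Data")
        before = audit(user_data)
        removed = purge(user_data)
        after = audit(user_data)
    return before, removed, after


if __name__ == "__main__":
    for stage in demo():
        print(stage)
```

Running `audit()` on its own first, and purging only after the password manager from the fourth recommendation has been rolled out, avoids locking users out of sites whose only copy of the password lived in the browser.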

Fourth, remember the human factor. Be sure to roll out an extensive cybersecurity awareness program that educates all your users about security best practices and why they should follow them. In particular, teach them how to spot phishing emails and why to avoid using browser plug-ins or extensions, especially those that don't receive regular updates. In addition, train them to choose strong and unique passwords for each website they visit and not to store passwords in their browsers; to facilitate this, give them a password management app.