The new browser security landscape

Brian Krebs came across one of those websites throwing a battery of exploits at users and took a close look at its administration page. It lists seven exploits, the two most successful ones being for Adobe Reader and Java, followed by two Internet Explorer exploits. At the far end of the list two Firefox exploits can be found as well. From what I understand, only one Adobe Reader vulnerability was unpatched at that time, all other vulnerabilities have been fixed already. For example, the Java exploit targets a security hole that was closed in December 2008, the exploited Firefox vulnerabilities have been closed in Firefox 1.0.5 and respectively.

So, were the bad guys successful exploiting these ancient vulnerabilities? Looks like it, the Java exploit and the exploit for a 2007 Internet Explorer issue caused quite a few infections. If we look at how the browsers “performed”, we see that roughly 17% of Internet Explorer users were infected. Not very surprising, the infection rate of Internet Explorer 6.0 users was almost twice as high as for Internet Explorer 7.0 users, the infection rate for Internet Explorer 8.0 was even lower then. Clearly, people still using IE6 are unlikely to keep up with patches.

What might be more surprising is the fact that other browsers aren’t that different. Chrome has an infection rate of 13%, Opera 21% (!), Safari 20%. None of these browsers was targeted directly by an exploit, each exploitation happened through plugins. While the numbers for Chrome and Safari aren’t statistically significant, Opera’s numbers are and seem to indicate that Opera users often consider themselves safe by using a minority browser and forget to update plugins. Side note: in a comment Brian links to a post indicating that an exploit targeting Opera is indeed part of this exploit pack. However, the vulnerability in question is so old that it apparently was never exploited which is why this exploit doesn’t show up in the list.

The numbers for Firefox are odd. According to the statistics, only 10 Firefox installations have been successfully exploited, four of those by using the ancient security vulnerabilities mentioned above (three Firefox 1.0 users and one Firefox 1.5 user). With the total number of Firefox visits way above 10,000 this gives an infection rate below 0.1% – makes no sense. While I would love to congratulate Firefox developers on a job well done, most infections happened through plugins and is somebody running Firefox 2.0 that likely to have up-to-date plugins installed? I discussed some possible explanations with Brian in the comments but the most likely still seems to be a programming error: either the exploit pack fails to run all exploits in Firefox or it fails to register a successful exploitation of a Mozilla-based browser. Anybody have a better explanation?

What’s the conclusion? If you ignore the strange Firefox numbers, it seems to make less difference these days which browser you run, browser vulnerabilities are no longer a top target. However, it is critical that you plugins are up-to-date. Firefox 3.6 helps here, Secunia’s Personal Software Inspector does as well. And going to Tools / Add-ons / Plugins and disabling all plugins that you don’t need keeps you even safer (I only have Mozilla Default Plugin and Flash enabled). Finally, sandboxing of plugins in the browser (out of process plugins) will hopefully eliminate a large part of the attack surface here (Chrome is already doing that, Firefox nightlies are testing that feature as well).


  • David Naylor

    How come so many Chromes are infected if Chrome is sandboxing out plugins?

    Wladimir Palant

    Sandboxing won’t prevent malware code from running (which is what is being counted there) – but it will hopefully prevent it from changing the system in any way, so that code will be gone once you close the browser. On the other hand, maybe it is simpler and Erunno is right – I’m not sure whether Chrome is sandboxing plugins, I just thought that I read this somewhere.

  • Erunno

    @David Naylor

    Chrome does not currently use sandboxing for plug-ins for comparability reasons.

  • pirlouy

    I use the same plugins. But I have just discovered e new (recent) one: “NVidia 3D Vision”. And NVidia drivers have not asked me to install this plugin… :/
    Since numbers of users, it could be exploited in a certain future…

    Wladimir Palant

    Right, I had this “NVidia 3D Vision” installed as well together with the drivers, not sure whether I forgot to remove a check somewhere – I uninstalled it completely via Control Panel. Unfortunately, it’s not common to ask before installing browser plugins…

  • emmanuel

    yes my understanding is that chrome plugin separation only helps to reduce browser crashes when the plugins fail.
    from a security point of view it solves nothing for now, the plugins are still wide open.

    i read that they tried and failed to reduce the privileges, then the plugins would not work in a useful way anymore.

  • Erunno


    According to this document you have to use a specific command line switch (—safe-plugins) in order to enable sandboxing for plug-ins. It also matches what I’ve read at the Chromium newsgroup a couple of months ago where this very issue was discussed with a concerned user. If my memory doesn’t fail me plug-ins are problematic to properly sandbox because they all have their own software stack for OS level access (e.g. networking) and Google could not until now not eliminate all incompatibilities.

    Wladimir Palant

    Too bad, I hope we will still see this turned on by default eventually.

  • Andreas Wuest

    Browsers could try to alleviate the problem of “automatic” plugin (and in case of Firefox add-on) installation by disabling any plugin that is not whitelisted by the browser by default, and then present the user with UI to ask if the plugin should be enabled, every time it detects a new plugin.

    The UI for this would be tricky (because users often don’t have more information than the plugin name — which can be quite cryptic), but it could be a first step. I could also imagine a situation where future plugins would be required to carry more metadata (vendor, description, signing information) to be considered compatible by a browser at all.

    It pains me that after every software installation, I have to check in my browser if an unwanted plugin was installed as a side-effect.

  • Nathaniel Kofalt

    In my opinion, it’s pretty clear from events like Microsoft’s Mozilla plugin fiasco that ideas like Andreas’ need to be realized (restricting new plugins until the user whitelists them), and it is also clear that plugins can no longer be allowed to run on the host machine without some form of sandboxing. But the problem may be less getting browsers to implement these features (Erunno noted one way for Chrome to sandbox already) and more getting plugins to play nice with this new security model.

    As Erunno pointed out, plugins are not designed to be secured nicely in a box, asking father for permission to play outside; they are designed to be in absolute control of their own operations, running their own processes, etc. This works great for functionality, not so great for security. I would suggest that moving from one method to the other will be difficult or impossible to achieve in practice. In an ideal world, a browser could provide a framework for disk I/O, network access, and update checks that every plugin must use, but who would bother adapting their plugins? The cat is already out of the bag – plugins are running free. It is hard to take that privlage away.

    Plugin distributors today hold ultimate power over any browser. If your browser can’t run Java, nobody will use it. If it can’t run Flash, nobody will use it. Taking away plugin control won’t be happening anytime soon, and stuffing them in a box is difficult. Hopefully as HTML5 matures, plugins will see enough competition that this becomes less painful.

  • ecjs

    From my user’s view, Adobe Flash and Sun Java plugins have already managed to make updates far easier. Yet I have still got problems with the Adobe PDF plugin.

    Wladimir Palant

    Last time I upgraded Java it again tried to install some crap on my machine, some toolbar if I remember correctly. This was a few months ago (I don’t have it installed any more). Did something change? And do the updates install with a single click (or even fully automatically) these days without having to answer questions you already answered before?

  • Nathaniel Kofalt

    @Wladimir’s reply to #8:

    The default JRE downloads will try to install a Java update scheduler, among other annoyances. The downloads from the developer center don’t tend to have that extra stuff packaged.

  • Alan Baxter

    @Wladimir’s reply to #8:

    I just used the Java Control Panel Update to update from Java 6u17 to 6u18. It offered me the Yahoo Toolbar, and permission for it to be installed was checked by default. Same as last time. It should at least be unchecked by default.

    If I recall correctly, I clicked only once or twice during the install. One of those times to uncheck Yahoo Toolbar and click Next. So no, the updates aren’t fully automatic yet. They have to at least give you a chance to uncheck the Yahoo Toolbar, otherwise Sun has no plausible deniability. :)

    Wladimir Palant

    Actually, that’s at least three clicks – one click to open the update notification, one to uncheck Yahoo Toolbar, one to confirm update. But if it is really only that then it isn’t as bad as I remember. I searched and shows the process as I remember it – clicking “Install” only downloads and starts Java’s usual installer meaning a wizard that requires your full attention and at least four clicks at the various stages of the installation.

  • ecjs

    Oops, I was mistaken. I use some kind of user-friendly software updater, which explains the difference I said I feel now.

  • Sandra

    This is great input: but I do not have the Java Control Panel in my Control Panel under Programs/Features or in the Additional Options for my laptop, but I do for the desktop. On the laptop it will not open from the Start Menu when I search and find it, it just opens the Java File location under Systems 32.

    On the desktop I open Java Control Panel and select Advanced and want it to default to Firefox as my default browser but it has Internet Explorer checked and grayed out so I cannot make Mozilla the default. If I mark it and do not hit OK and just keep it open all the time I am online I guess both are active, who knows?

    I even took IE off the computer, do not need both anyway, and it still doesn’t work. So what works for some is apparently not working for all. I have also uninstalled and reinstalled Java several times cleaning the computer of any JRE pieces. Using Windows Uninstaller Cleaner and cleaning the registry. It is very annoying and if you cannot pay $59.99 for 30 minutes of help, no guarantees it is fixed in 30 minutes, then you are on your own and thank goodness we find sites/blogs that can sometimes help us out.

    Addressing this statement: “And going to Tools / Add-ons / Plugins and disabling all plugins that you don’t need keeps you even safer (I only have Mozilla Default Plugin and Flash enabled).” I also checked this out and Flash is not listed for me to enable. When I go to Add Plugins and look in the online list it states my Shockwave Flash is up to date.

    When I go to Java to have the site check to see if I have Java, it tells me I don’t or that I have below 1.?. I immediately go to the link, on same screen, that lets you test it and it displays animation and states I have the latest at 6 Update 18. It cannot be both ways.

    So overall it seems to vary from user to user. Would be great to have consistency with software companies playing nice with one another again. I recently left IE for Firefox but had these issues with Java and Adobe Flash Player not being in Additions (Plugs) on IE as well as the other issues I still have in Firefox. It is exhausting and time consuming to try to work all this out everytime you buy new software, make a software change or just use your computer. I no longer know what to do so am giving it up and hope they both just keep running and no crashes but would welcome less errors, etc.

    If anyone has had any of these issues and the problem lies with me, just tell me, I am happy to resolve it even if this is something stupid I did or do not know. I use Windows Vista Home Premium and connect with DSL, or with laptop wireless connection is used.