Computing Tips: Understanding the Web browser threat and the “Insecurity Iceberg”

In recent years the Web browser has increasingly become targeted as an infection vector for vulnerable hosts. Classic service-centric vulnerability exploitation required attackers to scan for and remotely connect to vulnerable hosts (typically servers) in order to exploit them. Unlike these, Web browser vulnerabilities are commonly exploited when the user of the vulnerable host visits a malicious Web site.

Attacks against Web browsers depend upon malicious content being rendered by the appropriate built-in interpreter (e.g., HTML, JavaScript, CSS, etc.) or vulnerable plug-in technology (e.g., Flash, QuickTime, Java, etc.)

Vulnerabilities lying within these rendering technologies are then exposed to any exploit techniques or malicious code developed by the attacker. Vulnerability trend reports have indicated that remotely exploitable vulnerabilities have been increasing since the year 2000 and reached 89.4% of vulnerabilities reported in 2007. A growing percentage of these remotely exploitable vulnerabilities are associated with Web browsers.

Profit motivated cyber-criminals have rapidly adopted Web browser exploitation as a key vector for malware installation. Due to the methodology of exploiting Web browser vulnerabilities and the unpredictable browsing patterns of typical users, for widespread infection of vulnerable hosts the criminals must seed a mix of popular and high-traffic websites, or incentivize users through email spam, with URLs directing potential victims to Web servers hosting their malicious content. The former method is commonly known as drive-by download, where drive-by refers to the fact that Web browsers must initially navigate to a malicious page and download refers to the covertly downloaded and executed malware – typically trojans.

Insecurity Iceberg

Insecuty IcebergFigure 1: The Web browser Insecurity Iceberg represents the number of Internet users at risk because they don’t use the latest most secure Web browsers and plug-ins to surf the Web. This paper has quantified the visible portion of the Insecurity Iceberg (“tip of the iceberg” – above the waterline) using passive evaluation techniques – which amounted to more than 600 million users at risk not running the latest most secureWeb browser version in June 2008.

As popularity of this attack vector has blossomed, there have been frequent reports of hundreds of thousands of Web sites succumbing to mass-defacement – where the defacement often consists of an embedded iframe. These iframes typically include content from servers hosting malicious JavaScript code designed to exploit vulnerabilities accessible through the user’s Web browser and subsequently to initiate a drive-by malware download. These mass-defacements cause once-benign sites to turn against their visitors. Even pages owned by institutions like the United Nations (, the UK government ( and many others have succumbed to such attacks.

In 2007, Google uncovered more than three million malicious Web addresses (URLs) that initiate drive-by downloads.

The analysis presented in this paper is based on the large global user base of Google’sWeb search and application sites. By measuring the lower bounds of insecure Web browsers used to daily surf the Internet, we provide new insights into the global vulnerable Web browser problem. To capture the extent of this security problem, we introduce the notion of the “Insecurity Iceberg” (see Figure 1) and estimate the number of users worldwide relying on a Web browser version different from the latest most secure version or vulnerable plug-ins, which could result in a host compromise.

Following this detailed analysis, we identify and discuss a number of current and future protection technologies that can help mitigate the escalating threat to vulnerable Web browsers.

Read more …

Click here to see more Computing Tips from the AmCham Webmaster.

Click the logos below to download Firefox, Internet Explorer, or Safari for Windows XP, Vista, or Mac.

Firefox 2Windows Internet Explorer 7

Safari 3 for Windows PC and Mac