Three reasons why browsers are so difficult to secure

Over 70% of cyber attacks target web browsers. Here's why they're so difficult to secure

For organisations trying to balance web browser security with end user functionality, the cyber security issues affecting browsers are well known.

Nearly three-quarters of the top cyber attacks in 2016 targeted web browsers through drive-by download attacks, in which a user is tricked into clicking on a malicious pop-up. That makes browsers one of the biggest sources of security incidents and data breaches in organisations.

While email remains a component of many attacks, it is most often used to deliver URLs which lead to malicious or compromised websites, making the browsers themselves the primary attack vector.

Shift from email to web

As far back as 2013, threat researchers and security vendors noticed primary malware delivery methods were shifting from email-based to web-based. There are two primary reasons for this shift: the time difference between delivery and execution, and differing user experience expectations.

When delivered by email, a malicious attachment may not be opened for minutes, hours, days or longer. This time interval increases the chances of detection.

Conversely, web browsing is time-sensitive. Users do not tolerate delays when accessing online content, for example when downloading and reading a PDF. Since the exploit is often hosted, the attacker is also able to rapidly modify the exploit to evade detection, and can even go so far as to automate such modifications.

Third-party plugins

Third-party browser plugins only make securing browsers more complicated. A well-known example is Adobe Flash Player, which is still widely used for viewing multimedia and streaming video and audio in browsers despite its buggy nature: Flash provided six of the top 10 vulnerabilities used by exploit kits in 2016, according to a study by Recorded Future.

Functionality is always the primary goal of web browser designers and developers of browser plugins. Security, more often than not, is an afterthought.

Browser diversity

Gone are the days of a standard browser with a standard configuration on a standard enterprise-managed version of Windows. Not only are there multiple browser types, operating systems and plugins, but old versions of browsers are still required for compatibility in some cases, with Internet Explorer 7 persisting in many enterprises.

Asking one browser configuration to support all use cases and security requirements is a losing battle that compromises user experience, support and security.

The browser at the endpoint must be secure enough to protect the user, endpoint, enterprise and sensitive data. But at the same time, the reality is that the approach has to be flexible enough to support the competing demands of user experience and security control.

With 90% of undetected malware being delivered via web browsing, it is clear that attackers will continue to be relentless in their attempts to compromise organisations by targeting end user systems, according to a whitepaper from Citrix.

Whether the attack is delivered by email or hosted on a website, ultimately the goal is to exploit a vulnerability in an application to gain a foothold on the target system. Leveraging vulnerabilities in web browsers and plugins is increasingly the favoured attack vector, and organisations should be aware of the options available to fully secure browsers.
