Three reasons why browsers are so difficult to secure

Over 70% of cyber attacks target web browsers. Here's why they're so difficult to secure

For organisations trying to balance web browser security with end user functionality, the cyber security issues affecting browsers are well known.

Nearly three-quarters of the top cyber attacks in 2016 targeted web browsers in drive-by download attacks where a user is tricked into clicking on a malicious pop-up, making browsers one of the biggest sources of security incidents and data breaches in organisations.

While email remains a component of many attacks, it is most often used to deliver URLs which lead to malicious or compromised websites, making the browsers themselves the primary attack vector.

Shift from email to web

As far back as 2013, threat researchers and security vendors noticed primary malware delivery methods were shifting from email-based to web-based. There are two primary reasons for this shift: the time difference between delivery and execution, and differing user experience expectations.

Advertisement - Article continues below
Advertisement - Article continues below

When delivered by email, a malicious attachment may not be opened for minutes, hours, days or longer. This time interval increases the chances of detection.

Conversely, web browsing is time-sensitive. Users do not tolerate delays when accessing online content, for example when downloading and reading a PDF. Since the exploit is often hosted, the attacker is also able to rapidly modify the exploit to evade detection, and can even go so far as to automate such modifications.

Third-party plugins

Third-party browser plugins only make securing browsers more complicated. A well-known example is Adobe Flash Player, which is still widely used for viewing multimedia and streaming video and audio in browsers despite its buggy nature: Flash provided six of the top 10 vulnerabilities used by exploit kits in 2016, according to a study by Recorded Future.

Functionality is always the primary goal of web browser designers and developers of browser plugins. Security, more often than not, is an afterthought.

Browser diversity

Gone are the days of a standard browser with a standard configuration on a standard enterprise-managed version of Windows. Not only are there multiple browser types, operating systems and plugins, but old versions of browsers are still required for compatibility in some cases, with Internet Explorer 7 persisting in many enterprises.

Asking one browser configuration to support all use cases and security requirements is a losing battle that compromises user experience, support and security.

Advertisement - Article continues below

The browser at the endpoint must be secure enough to protect the user, endpoint, enterprise and sensitive data. But at the same time, the reality is that the approach has to be flexible enough to support the competing demands of user experience and security control.

With 90% of undetected malware being delivered via web browsing, it is clear that attackers will continue to be relentless in their attempts to compromise organisations by targeting end user systems according to a whitepaper from Citrix.

Whether the attack is delivered by email or hosted on a website, ultimately the goal is to exploit a vulnerability in an application to gain a foothold on the target system. Leveraging vulnerabilities in web browsers and plugins is increasingly the favoured attack vector, and organisations should be aware of the options available to fully secure browsers.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now



Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019

Best free malware removal tools 2019

23 Dec 2019
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

public sector

UK gov launches £300,000 SEN EdTech initiative

22 Jan 2020
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
mergers and acquisitions

Xerox to nominate directors to HP's board – reports

22 Jan 2020
web browser

Microsoft developer declares it's time to ditch IE for Edge

23 Jan 2020