February 11, 2006

real world browser threats

A recently released study, A Crawler-based Study of Spyware on the Web (PDF) conducted by Alexander Moshchuk, Tanya Bragin, Steven D. Gribble, and Henry M. Levy of the Department of Computer Science & Engineering at the University of Washington which crawled the web to determine threats facing Internet Explorer and Firefox found that "1.5% of the URLs we crawled in May exploited IE security flaws to install spyware without prompting the user. While this may seem like a small percentage, consider that 1 in 67 Web pages that we examined contained malicious content targeting browser flaws," while for Firefox "only 0.08% of examined URLs performed a drive-by download installation, but all of these required user consent in order to succeed. We found no drive-by attacks that exploited vulnerabilities in Firefox."

The lessons here are 1. don't run an unpatched browser, 2. unpatched IE is nearly 20 times more likely to be attacked out there on the web than unpatched Firefox, and 3. paying close attention to everything that happens when you surf is a good way to prevent attacks if you're a Firefox user while IE users really have no defenses since the attacks exploit holes in the unpatched browser that simply can't be avoided by paying close attention.

This study compared Firefox 1.0.6 to IE 6, then the latest two end user releases from Microsoft and Mozilla. Today, 1.0.6 is dated and Firefox 1.5, a major upgrade with many significant security improvements, is available for users. Unfortunately, IE 6, released way back in 2001, is still the best you can get from Microsoft.

Posted by asa at 7:59 AM