Pages

Thursday, July 26, 2012

(Un)Safe Surfing?

Nowadays a lot of popular web browsers support auto update, but a very significant part of browser plug-ins should be updated individually. A huge number of users do it very rarely without having any idea that in majority of cases not only browsers but plug-ins also can be attacked.

Interesting statistics obtained as a result of browser and plug-in security testing by the online service SurfPatrol in 2011 is under the cut.

Here we go
Platforms under test: Windows, MacOS, Android, and iOS.

Browsers under test: IE 6+, Safari 3+, Firefox 1+, Chrome (all versions), Opera 9.5+, Opera Mini, Android Browser, Mobile Safari, and Opera Mobile.

SurfPatrol identifies both the browser and the whole list of plug-ins, including: .Net Framework, Adobe Flash Player, Adobe Reader Plugin, Foxit Reader Plugin, Java Deployment Toolkit, Microsoft DirectX, Microsoft Office 2003, Microsoft Office 2007, Microsoft Office 2010, Microsoft Office Visio 2003 Viewer, Microsoft Silverlight, Microsoft XML Core Services 3.0, Microsoft XML Core Services 4.0, Microsoft XML Core Services 6.0, QuickTime Plugin, Real Player, SAP Component, Shockwave for Director, Sun Java, VideoLan VLC Media Player, Windows Media Player.

Testing component is deemed vulnerable, if an unfixed vulnerability is detected (update or patch hasn't been installed or released yet).

So 89% of web browsers contained at least one vulnerability (in the browser itself or its plug-ins), and more than 3 vulnerabilities were detected in almost half of all cases.


The majority of tests for Android devices was performed for the version 2.3 (62%), and the most popular browser of this platform (Android Browser) contained vulnerabilities in 73% of cases. Vulnerabilities on the iOS platform were detected in 39% of cases, (the fourth version of the platform, so popular at that moment, was tested most frequently). MacOS appeared to be vulnerable in the overwhelming majority of cases (approximately 91%). Testing results of Safari and Chrome on MacOS v.10.7.2 stood out of the general statistics — vulnerabilities were detected in 70% of cases.

Due to the fact that Windows is the most common platform, it was submitted to testing much more often than other platforms. Optimism was instilled by the percentage of vulnerabilities detected in Windows 7 (the latest at that moment version), which decreased, though insignificantly, in comparison with previous versions.
However, the combination ‘browser + plug-ins’ on the Windows platform appeared to be the most vulnerable for Chrome and IE in 75% and 79% of cases respectively.

How guilty are the browsers themselves? All in all the percentage of vulnerabilities detected in the browsers (excluding plug-ins) on all platforms is as follows: IE – 62%, Chrome – 30%, Firefox – 22%, Safari – 21%, Opera – 17%.

And the following diagram shows the percentage of tests that revealed vulnerabilities in the most common plug-ins (in relation to the number of all tests):


Conclusion

9 of 10 web users are exposed to cyberattacks. Even if you use the latest version of your browser, a simple breach in any plug-in may destroy all efforts to ensure security.

Safety of web surfing may be improved not only by means of implementing compulsory auto update of browsers and plug-ins, but by increasing user awareness of threats, attacks, and protection methods, and also by promoting Internet hygiene comprehensively.

By the way, you can check, how safe your web surfing is, right now =)

You're welcome to write us in case of any questions.

2 comments: