October 31, 2019

Internet browsers are something most of us, and most employees, use every day. They are so ingrained in our daily activities, and such familiar tools, that we might not instantly consider the cyberthreat they could pose to a business.

Of course, cybersecurity personnel must consider browser safety, and will typically advise against unauthorised plug-ins and indiscriminate browsing. But these are not the only threats.

Google Chrome, Microsoft Internet Explorer, and Microsoft Edge fail browser audit

Germany’s cybersecurity agency, the German Federal Office for Information Security (BSI, Bundesamt für Sicherheit in der Informationstechnik), recently audited some of the most popular web browsers in use today: Google Chrome, Microsoft Internet Explorer, Microsoft Edge and Mozilla Firefox. According to reporting by ZDNet, only Mozilla Firefox passed all of the BSI’s minimum cybersecurity requirements.

According to TechAdvisor, Google Chrome is utilised by 55% of internet users, Microsoft Internet Explorer and Microsoft Edge combined by 8.6%, and Mozilla Firefox by 6.5%. Browsers such as Opera and Brave are growing in popularity but still have far fewer users than Firefox.

So, Google’s and Microsoft’s failure to pass should be of concern. The versions assessed were Mozilla Firefox 68, Google Chrome 76, Microsoft Internet Explorer 11 and Microsoft Edge 44. They were benchmarked against the BSI’s guidelines for “modern secure browsers”, published this September. These criteria were updated to account for newer security measures, including how telemetry is handled, improved certificate handling mechanisms and other technical features.

ZDNet lists the full set of BSI criteria in its report. What is notable is where Google Chrome, Microsoft Internet Explorer (IE) and Microsoft Edge fall short:

  • Lack of support for a master password mechanism (Chrome, IE, Edge)
  • No built-in update mechanism (IE)
  • No option to block telemetry collection (Chrome, IE, Edge)
  • No SOP (Same Origin Policy) support (IE)
  • No CSP (Content Security Policy) support (IE)
  • No SRI (Subresource Integrity) support (IE)
  • No support for browser profiles, different configurations (IE, Edge)
  • Lack of organizational transparency (Chrome, IE, Edge)

Lack of automatic software updates requires attention by businesses

Probably the most concerning item on this list from a business cybersecurity perspective is Internet Explorer’s lack of a built-in update mechanism. IE receives its patches through Windows Update rather than updating itself, so a machine on which Windows Update is disabled, deferred or misconfigured is running a browser that will never update on its own. Arguably IE is still more common in businesses than among consumers, where it often lingers because older internal applications depend on it, and you will know if it is in use within your company. It is also an illustration that consistent checks that day-to-day software is running its latest version are critical.

Why is using the latest software version important?

Good software developers are constantly adjusting and improving their software in response to technological changes, threats and newly identified vulnerabilities. For this reason, it is vital that companies consistently check for and apply updates. Though many platforms notify users when a new update is available, and others update automatically, businesses should not rely on this alone. Software updates “repair security holes,” fix and remove “bugs,” and remove outdated features, writes Symantec’s Steve Symanovich for Norton, who adds:

“While you’re at it, it’s a good idea to make sure your operating system is running the latest version.”

Cybercriminals write malware that targets the software vulnerabilities they identify. Developers have to keep ahead of the curve, and software users need to follow. Such malware can infect a computer through a website, a compromised email, or even playing infected media, and lead to company-wide breaches and data theft.

There is another benefit of regularly updating software too, and that’s new features. Symanovich writes:

“Software updates really are all about you. Your software program may get a new shot of stability — no more crashing. Or an update might boost program performance — more speed. You deserve no less.”

That said, the most important thing for corporate cybersecurity is the patches contained in updates to fix those pesky vulnerabilities so often responsible for successful cyberattacks. And, it’s not just browsers that need to be updated but every type of software that runs on a computer or network including network tools and basic applications.

The SSL Store wrote earlier this year:

“Web applications — everything from calculators and Google docs to webmail platforms and dynamic websites — are vulnerable to a variety of attack methods such as SQL injections, formjacking, and brute force attacks.”

It also quotes an Imperva report which illustrates the growing problem of software vulnerabilities:

“The overall number of vulnerabilities in 2018 (17,308) increased by 23% compared to 2017 (14,082) and by 162% compared to 2016 (6,615)… more than half of web application vulnerabilities have a public exploit available to hackers. In addition, more than a third (38%) of web application vulnerabilities don’t have an available solution, such as a software upgrade workaround or software patch.”

Trustwave says the two most popular types of cyberattack on web applications, cross-site scripting (XSS) and SQL injection, are responsible for 40% and 24% of attacks respectively.

We would hope that Microsoft, Google, and Mozilla are on top of their browser vulnerabilities, at least as much as they can be in a world of constantly developing technology and digital threats.

For businesses, keeping on top of software updates and constantly checking system vulnerabilities is essential.

– Engage your staff with scenario-based security awareness training or “In-the-Moment” training.

Interested in learning more about how security awareness training can help your organisation? Sign up for a free demo of the world’s most interactive security awareness training.
