Russ Harvey Consulting - Computer and Internet Services

Web Security

Vulnerabilities in Internet Software

Browser Weaknesses | Email Weaknesses | Security Affects You

Web Browser Weaknesses

Web browsers by their very nature are susceptible to security weaknesses. While visiting sites on the Web you are exposed to scripts and more that can be intentionally or unintentionally dangerous.

Today's websites bring together information from many sources, many of which are often not controlled by the site owners. This increases the vulnerability to site visitors.

The fact that Internet Explorer warns you about the risks of running content located on your computer will tell that can also be unsafe. Since malware, spyware, viruses, etc. can assume the presence of Internet Explorer on any Windows system, they often call it directly (a major weakness in Windows) rather than requesting the default browser.

All Browsers Have Weaknesses

Web browsers all have some weaknesses and design issues. The severity can be aggravated by how frequently updates are provided to resolve security and other problems as well as how tightly the browser has been tied into the operating system or used for other purposes such as installing software (primarily but not uniquely an issue with Internet Explorer).

Which Browser Is the Most Secure?

This is not an easy question to answer as most studies are commissioned by the browser developer where tests will focus on the areas where their browser will perform the best.

During the 2011 hacker conference, Pwn2Own, hackers attacked four popular browsers: Internet Explorer, Apple Safari, Mozilla Firefox, and Google Chrome. The hackers were able to quickly compromise Internet Explorer and Safari. In fact, these hackers were able to hack the browsers so thoroughly that they managed to write files on the hard drive of the computer they were attacking. Interestingly (and contrary to the Accuvant study findings), Chrome and Firefox both resisted hacking attacks during the exercise. — ZoneAlarm blog, February 2012

Two years later, even Firefox showed that it could be vulnerable:

In a Fall 2013 poll, security-conscious browser users overwhelmingly voted Firefox as the most secure. But during the annual Pwn2own hacking contest in March 2014, Firefox was exploited four times with zero-day attacks, making it one of the least secure browsers. — ZoneAlarm blog, May 2014

So, no matter the browser you're using, you'll want to ensure that you've secured the browser the best you can. Here's five suggestions:

  1. Configure your browser's security and privacy settings.
  2. Keep your browser updated.
  3. Sign up for alerts.
  4. Be cautious when installing plug-ins.
  5. Install security plug-ins.

More details are on ZoneAlarm's May 2014 blog. Start here:

Update Your Browser

Download Firefox: Committed to you, your privacy and an open Web

Whether you use Firefox, Internet Explorer or another browser, you should always upgrade to the most recent version and install any patches that are available. Newer versions of the same browser offer several advantages:

  • They are more likely to have security concerns addressed.
  • Support for newer hardware and operating systems is usually only provided for current-level browsers.
  • The more recent a browser, the more likely it is that it will display recent websites as the designer intended.
  • Users are driving demand for newer features which is unlikely to be added to older versions.

Firefox Rapid Deployment

In 2011, Firefox began a program of RapidRelease program. This meant relatively frequent updates (every six weeks) to new major versions of Firefox compared to other browsers.

While the rapid deployment of major upgraded to Firefox over the last while has been annoying, particularly for Firefox addon developers. Both Chrome and Internet Explorer use automatically update their browsers using methods that may be less noticeable than RapidRelease.

  • RapidRelease has also allowed for the integration new security and technology improvements without an all-or-nothing risk at any stage.
  • Nightly builds allow developers to experiment with features without endangering the average user.
  • Problems noticed in any upgrade that couldn't be fixed with a minor release could be fixed within 6 weeks rather than a year or longer (as is typical of browser release schedules).

Better Encryption

Newer browsers also have 128-bit RSA encryption which provides better security than what was available in much older browsers. Most financial institutions will insist on this level of encryption before you can use their on-line services.

However, better encryption won't help if you use poor passwords and don't use security software like firewalls, antivirus and antispyware (often bundled together).

Browser Security Risks

Information is provided on known weaknesses of various web browsers in use. Sometimes you need to dig to find this information, but the competition may point out the flaws for you.

Other Security Information

You may also wish to correct known potential security risks associated with various browsers found by other parties.

Older Browsers

While many of the issues with older browsers are intricate enough to only interest website designers and browser technicians, older browsers will often incorrectly display newer websites, if they can display them at all.

Microsoft finally released a standards-compliant version of Internet Explorer (starting with version 8) which still has the ability to view older sites as intended using Compatibility View. These only work with sites built to look good in Internet Explorer at the expense of other browsers so I'd recommend leaving Compatibility View disabled if you are assessing the effectiveness of websites in order to fairly judge them.

Even if you are willing to put up with increasing difficulties with display issues, you cannot continue to ignore the security risks of using older, unpatched browsers.

Assessing Risks

The following sites can help you to assess the security risks posed by your current browser, and suggest fixes that are necessary. Be sure to follow the instructions closely, which includes not opening files even if prompted to do so.

Return to top

Email Weaknesses

Recommended Email Software

To avoid security issues with email software, download and use one of my recommended email programs or move to webmail (ensuring that your passwords are secure enough).

Outlook Problematic

There are security issues with all email programs but this is most pronounced in Outlook because Microsoft products are so tightly tied together.

Older Versions Less Safe

The vulnerability of Outlook depends upon the version. Earlier version suffer from the same weaknesses as the Internet Explorer family.

Starting with Office 2007, Outlook went back to using MS Word for HTML rendering (what allows for bold, italics and coloured text) to address this issue.

However, the interlinking of Microsoft products continues to be a security concern as a weakness in any one component affects them all, including Windows itself.

Reducing Your Risk

If you continue to use Outlook (especially for the PIM features) you should reduce your risk by ensuring you're running a version that is currently supported by Microsoft with updates and patches.

Supported Versions Only

Support for Office 2003 and earlier has expired.

Disable Windows Scripting Host

Windows Scripting Host enables Outlook to open attachments and run programs without asking first. Since most users don't use Basic scripting this should not compromise functionality for them. You can safely disable Windows Scripting Host.


Use Secure Passwords

If you choose webmail, be sure to use unique secure passwords. Webmail accounts are accessible to anyone.

Choose Your Own Recovery Questions

The sorts of questions used for recovery of lost passwords are often posted by their users on Facebook and other social media sites without the owner realizing the risks.

Where possible, choose your own security questions so anyone attempting to hack your account by requesting a password reset will have a harder time obtaining the answers.

HTTPS Everywhere

HTTPS protocol is safer than the default HTTP.

Many privacy advocates like the Electronic Freedom Foundation have advocated HTTPS Everywhere for some time now.

Using HTTPS is strongly recommended for your webmail service, , particularly where you're sharing public Wi-Fi like in a coffee shop.

This added security is important wherever you're exchanging private information. Many sites use external resources like PayPal to process credit card information for exactly this reason.

Return to top
Updated: September 26, 2015

Vulnerabilities in Internet software.

Security Affects You

In the last 20 years websites have moved from “information sites” to e-commerce sites, many with content being imported from external sources.

Unlike dial-up, when you were only connected a few hours per month, broadband (always-connected) access has created the need to improve security.

There are serious flaws in some browsers, which is further aggravated by security holes in Windows and serious flaws in some websites.

Web browsers cannot protect you adequately unless you learn how to optimize their security settings and beef up security where needed.

Return to top

Related Resources

Related resources on this site:

or check the resources index.

Return to top

If these pages helped you,
buy me a coffee!