Web Security

Vulnerabilities in Internet Software

Web Browser Weaknesses | Email Weaknesses
More About Security Issues

Web Security Affects You

Web security is not a new issue, but in the last 20 years websites have moved from “information sites” to e-commerce sites with content being imported from several external sources. Unlike the old days of dial-up, when you were only connected a few hours per month, broadband (always-connected) access has created the need to improve security. There are serious flaws in some browsers, which is further aggravated by security holes in Windows.

While the information on this page may not be light reading I recommend that you peruse it. To ignore it is to do so at your own peril. Web browsers cannot protect you adequately unless you learn how to optimize their security settings and add security where needed.

Security Weaknesses in Web Browsers

Web browsers by their very nature are susceptible to security weaknesses. While visiting sites on the Web you are exposed to scripts and more that can be intentionally or unintentionally dangerous. Today's websites bring together information from many sources which are not controlled by the site owners and this provides a vulnerability to site visitors.

The fact that Internet Explorer warns you about the risks of running content located on your computer will tell that can also be unsafe. Since malware, spyware, viruses, etc. can assume the presence of Internet Explorer on any Windows system, they often call it directly rather than requesting the default browser.

Web browsers all have some weaknesses and design issues. The severity can be aggravated by how frequently updates are provided to resolve security and other problems as well as how tightly the browser has been tied into the operating system or used for other purposes such as installing software (primarily but not uniquely an issue with Internet Explorer).

Which Web Browser Is the Most Secure?

This is not an easy question to answer as most studies are commissioned by the browser developer where tests will focus on the areas where their browser will perform the best.

During the 2011 hacker conference, Pwn2Own, hackers attacked four popular browsers: Internet Explorer, Apple Safari, Mozilla Firefox, and Google Chrome. The hackers were able to quickly compromise Internet Explorer and Safari. In fact, these hackers were able to hack the browsers so thoroughly that they managed to write files on the hard drive of the computer they were attacking. Interestingly (and contrary to the Accuvant study findings), Chrome and Firefox both resisted hacking attacks during the exercise.
— ZoneAlarm blog, February 2012

Update Your Browser

Whether you use Firefox, Internet Explorer or another browser, you should always upgrade to the most recent version and install any patches that are available. Newer versions of the same browser offer several advantages:

They are more likely to have security concerns addressed.
Support for newer hardware and operating systems is usually only provided for current-level browsers.
The more recent a browser, the more likely it is that it will display recent websites as the designer intended.
Users are driving demand for newer features which is unlikely to be added to older versions.

Firefox Rapid Deployment

In 2011, Firefox began a program of RapidRelease program. This meant relatively frequent updates (every six weeks) to new major versions of Firefox compared to other browsers.

While the rapid deployment of major upgraded to Firefox over the last while has been annoying, particularly for firefox addon developers. Both Chrome and Internet Explorer use automatically update their browsers using methods that may be less noticable than RapidRelease.

RapidRelease has also allowed for the integration new security and technology improvements without an all-or-nothing risk at any stage.
Nightly builds allow developers to experiment with features without endangering the average user.
Problems noticed in any upgrade that couldn't be fixed with a minor release could be fixed within 6 weeks rather than a year or longer (typical of browser release schedules).

Better Encryption

Newer browsers also have 128-bit RSA encryption which provides better security than what was available in much older browsers. Most financial institutions will insist on this level of encryption before you can use their on-line services.

However, better encryption won't help if you use poor passwords and don't use security software like firewalls, antivirus and antispyware (often bundled together).

Internet Explorer 6 Obsolete

IE 6 Isn't Safe

In 2009, the 14% using Internet Explorer 6 were holding back development of the Web because developers were spending a disproportionate amount of time catering to the special requirements to make IE 6 display properly. Since then, IE6 usage has declined rapidly — reported at a much-reduced 0.2% as of March, 2013 (total IE usage reported at 13% of all browsers) — so many developers no longer bother to support it.

Browser-Security Risks

Check for Security Updates

Information is provided on known weaknesses of various web browsers in use. Sometimes you need to dig to find this information, but the competition may point out the flaws for you.

Check for Internet Explorer Security Bulletins for news about flaws.
Check the Security Updates for Mozilla Products including Firefox and Thunderbird.
Check for Security, Privacy and Cookies in Opera.

Other Security Information

You may also wish to correct known potential security risks associated with various browsers found by other parties.

Secunia Research's Online Software Inspector checks for vulnerability in a number of programs including common browsers and email programs. Offline Personal and Corporate Software Inspectors are available.

Older Browser Issues

While many of the issues with older browsers are intricate enough to only interest website designers and browser technicians, older browsers will often incorrectly display newer websites, if they can display them at all.

Microsoft finally released a standards-compliant version of Internet Explorer (starting with version 8) which still has the ability to view older sites as intended using Compatibility View. These only work with sites built to look good in Internet Explorer at the expense of other browsers so I'd recommend leaving Compatibility View disabled if you are assessing the effectiveness of websites in order to fairly judge them.

Even if you are willing to put up with increasing difficulties with display issues, you cannot continue to ignore the security risks of using older, unpatched browsers.

Assessing Your Risk

The following sites can help you to assess the security risks posed by your current browser, and suggest fixes that are necessary. Be sure to follow the instructions closely, which includes not opening files even if prompted to do so.

Qualys will check your browser for vulnerabilities.
Check to see if your Firefox plugins are up to date.

Return to top

Security Weaknesses in Email Programs

Recommended Email Software

To avoid security issues with email software, download and use one of my recommended email programs or move to webmail (ensuring that your passwords are secure enough).

Outlook & Outlook Express Are Problematic

There are security issues with all email programs but this is most pronounced in Outlook and Outlook Express because Microsoft products are so tightly tied together.

Outlook Express Obsolete

Because Outlook Express is pre-installed in Windows XP many users continue to use it. Outlook Express is an obsolete legacy of Internet Explorer 6 for which Microsoft has ceased development and support.

No Native Email Program for Windows 7

There is no native email program for Windows 7 (Vista has Windows Mail) so you need to use webmail or find a new email program.

Outlook — It Depends

The vulnerability of Outlook depends upon the version. Earlier version suffer from the same weaknesses as the Internet Explorer family.

Starting with Office 2007, Outlook went back to using MS Word for HTML rendering (what allows for bold, italics and coloured text) to address this issue.

However, the interlinking of Microsoft products continues to be a security concern as a weakness in any one component affects them all — including Windows itself.

Webmail

If you choose webmail, be sure to use unique secure passwords.

Webmail accounts are accessible to anyone.
The sorts of questions used for recovery of lost passwords are often posted by their users on Facebook and other social media sites without the owner realizing the risks.
Write your own security (recovery) question, if possible.

Reducing Your Risk If Using Outlook

Ensure Outlook is Being Updated

If you continue to use Outlook (especially for the PIM features) you should reduce your risk by ensuring you're running a version that is currently supported by Microsoft with updates and patches.

Keep your computer updated by using Microsoft Update.
Support availability for Office 2003 and Office 2000 indicates that Office 2000 support has ended and Office 2003 extended support ends April 8, 2014.
The Office family product support lifecycle FAQ indicates when each version of Office (and therefore Outlook) loses support from Microsoft.

Disable Windows Scripting Host

Windows Scripting Host enables Outlook to open attachments and run programs without asking first. Since most users don't use Basic scripting this should not compromise functionality for them. You can safely disable Windows Scripting Host.

Return to top

More About Related Issues

Protecting Your Online Identity

The following related pages offer more information about protecting your online identity:

Securing Your Computer

The following related pages offer more information about securing your computer:

Return to top

www.RussHarvey.bc.ca/resources/websecurity.html
Updated: January 15, 2014