Vulnerabilities in Internet Software
Web Security Affects You
Web security is not a new issue, but in the last 20 years websites have moved from “information sites” to e-commerce sites with content being imported from several external sources. Unlike the old days of dial-up, when you were only connected a few hours per month, broadband (always-connected) access has created the need to improve security. There are serious flaws in some browsers, which is further aggravated by security holes in Windows.
While the information on this page may not be light reading I recommend that you peruse it. To ignore it is to do so at your own peril. Web browsers cannot protect you adequately unless you learn how to optimize their security settings and add security where needed.
Security Weaknesses in Web Browsers
Web browsers by their very nature are susceptible to security weaknesses. While visiting sites on the Web you are exposed to scripts and more that can be intentionally or unintentionally dangerous. Today's websites bring together information from many sources which are not controlled by the site owners and this provides a vulnerability to site visitors.
The fact that Internet Explorer warns you about the risks of running content located on your computer will tell that can also be unsafe. Since malware, spyware, viruses, etc. can assume the presence of Internet Explorer on any Windows system, they often call it directly rather than requesting the default browser.
Web browsers all have some weaknesses and design issues. The severity can be aggravated by how frequently updates are provided to resolve security and other problems as well as how tightly the browser has been tied into the operating system or used for other purposes such as installing software (primarily but not uniquely an issue with Internet Explorer).
Which Web Browser Is the Most Secure?
This is not an easy question to answer as most studies are commissioned by the browser developer where tests will focus on the areas where their browser will perform the best.
During the 2011 hacker conference, Pwn2Own, hackers attacked four popular browsers: Internet Explorer, Apple Safari, Mozilla Firefox, and Google Chrome. The hackers were able to quickly compromise Internet Explorer and Safari. In fact, these hackers were able to hack the browsers so thoroughly that they managed to write files on the hard drive of the computer they were attacking. Interestingly (and contrary to the Accuvant study findings), Chrome and Firefox both resisted hacking attacks during the exercise.
— ZoneAlarm blog, February 2012
Update Your Browser
Whether you use Firefox, Internet Explorer or another browser, you should always upgrade to the most recent version and install any patches that are available. Newer versions of the same browser offer several advantages:
- They are more likely to have security concerns addressed.
- Support for newer hardware and operating systems is usually only provided for current-level browsers.
- The more recent a browser, the more likely it is that it will display recent websites as the designer intended.
- Users are driving demand for newer features which is unlikely to be added to older versions.
Firefox Rapid Deployment
In 2011, Firefox began a program of RapidRelease program. This meant relatively frequent updates (every six weeks) to new major versions of Firefox compared to other browsers.
While the rapid deployment of major upgraded to Firefox over the last while has been annoying, particularly for firefox addon developers. Both Chrome and Internet Explorer use automatically update their browsers using methods that may be less noticable than RapidRelease.
- RapidRelease has also allowed for the integration new security and technology improvements without an all-or-nothing risk at any stage.
- Nightly builds allow developers to experiment with features without endangering the average user.
- Problems noticed in any upgrade that couldn't be fixed with a minor release could be fixed within 6 weeks rather than a year or longer (typical of browser release schedules).
Newer browsers also have 128-bit RSA encryption which provides better security than what was available in much older browsers. Most financial institutions will insist on this level of encryption before you can use their on-line services.
Internet Explorer 6 Obsolete
IE 6 Isn't Safe
In 2009, the 14% using Internet Explorer 6 were holding back development of the Web because developers were spending a disproportionate amount of time catering to the special requirements to make IE 6 display properly. Since then, IE6 usage has declined rapidly — reported at a much-reduced 0.2% as of March, 2013 (total IE usage reported at 13% of all browsers) — so many developers no longer bother to support it.
Check for Security Updates
Information is provided on known weaknesses of various web browsers in use. Sometimes you need to dig to find this information, but the competition may point out the flaws for you.
- Check for Internet Explorer Security Bulletins for news about flaws.
- Check the Security Updates for Mozilla Products including Firefox and Thunderbird.
- Check for Security, Privacy and Cookies in Opera.
Other Security Information
You may also wish to correct known potential security risks associated with various browsers found by other parties.
- Secunia Research's Online Software Inspector checks for vulnerability in a number of programs including common browsers and email programs. Offline Personal and Corporate Software Inspectors are available.
Older Browser Issues
While many of the issues with older browsers are intricate enough to only interest website designers and browser technicians, older browsers will often incorrectly display newer websites, if they can display them at all.
Microsoft finally released a standards-compliant version of Internet Explorer (starting with version 8) which still has the ability to view older sites as intended using Compatibility View. These only work with sites built to look good in Internet Explorer at the expense of other browsers so I'd recommend leaving Compatibility View disabled if you are assessing the effectiveness of websites in order to fairly judge them.
Even if you are willing to put up with increasing difficulties with display issues, you cannot continue to ignore the security risks of using older, unpatched browsers.
Assessing Your Risk
The following sites can help you to assess the security risks posed by your current browser, and suggest fixes that are necessary. Be sure to follow the instructions closely, which includes not opening files even if prompted to do so.
- Qualys will check your browser for vulnerabilities.
- Check to see if your Firefox plugins are up to date.
Security Weaknesses in Email Programs
Recommended Email Software
Outlook & Outlook Express Are Problematic
There are security issues with all email programs but this is most pronounced in Outlook and Outlook Express because Microsoft products are so tightly tied together.
Outlook Express Obsolete
No Native Email Program for Windows 7
Outlook — It Depends
The vulnerability of Outlook depends upon the version. Earlier version suffer from the same weaknesses as the Internet Explorer family.
Starting with Office 2007, Outlook went back to using MS Word for HTML rendering (what allows for bold, italics and coloured text) to address this issue.
However, the interlinking of Microsoft products continues to be a security concern as a weakness in any one component affects them all — including Windows itself.
If you choose webmail, be sure to use unique secure passwords.
- Webmail accounts are accessible to anyone.
- The sorts of questions used for recovery of lost passwords are often posted by their users on Facebook and other social media sites without the owner realizing the risks.
- Write your own security (recovery) question, if possible.
Reducing Your Risk If Using Outlook
Ensure Outlook is Being Updated
If you continue to use Outlook (especially for the PIM features) you should reduce your risk by ensuring you're running a version that is currently supported by Microsoft with updates and patches.
- Keep your computer updated by using Microsoft Update.
- Support availability for Office 2003 and Office 2000 indicates that Office 2000 support has ended and Office 2003 extended support ends April 8, 2014.
- The Office family product support lifecycle FAQ indicates when each version of Office (and therefore Outlook) loses support from Microsoft.
Disable Windows Scripting Host
Windows Scripting Host enables Outlook to open attachments and run programs without asking first. Since most users don't use Basic scripting this should not compromise functionality for them. You can safely disable Windows Scripting Host.
More About Related Issues
Protecting Your Online Identity
The following related pages offer more information about protecting your online identity:
- Encryption — Protecting Your Data
- Passwords — Protecting Your Electronic Signature
- Avoiding Spam — Unsolicited Emails and Mailing Lists
- Phishing & Identity Theft — Obtaining Information by Deceit
- Proper Email Address Etiquette — Using To:, CC: & BCC: Correctly
Securing Your Computer
The following related pages offer more information about securing your computer:
- Security Basics — Preventing Unauthorized Access
- Security Strategies — Avoiding Infections
- Firewalls — Your First Line of Defense
- ZoneAlarm Security — Recommended Firewall Products
- Anti-Virus Protection — Current Alerts, Strategies, Hoaxes & Software
- Your Privacy At Risk — Spyware Detection & Removal
- Encryption — Protecting Your Data
- Passwords — Protecting Your Electronic Signature
- Windows Security — Vulnerabilities in Windows
Updated: January 15, 2014