Navigating the Complex Landscape of Web Browser Security

COMMENTARY

With an increasing reliance on the cloud, Web browsers are mission-critical applications for organizations. This not only means that people and organizations are using browsers more frequently and intensively than before, but also that more critical systems and data are accessed through browsers. All of this puts Web browser security at the forefront of organizational cybersecurity concerns. Despite well-known IT security practices, browsers remain one of the most problematic application categories in terms of vulnerability management. Let's explore why.

How Many Browsers Do Your Employees Really Use?

While most employees use a primary browser for their day-to-day activities, developers, testers, and other IT staff often use multiple browsers for different tasks. On average, nontechnical employees might use one to two browsers, while those in technical roles might use two to four browsers or even more, including Chrome, Safari, Firefox, Edge, and Opera. Ensuring consistent security across multiple browsers is challenging, especially as some employees might even use their personal browser installations in addition to the company-approved ones.

For example, developers often need multiple browsers to ensure cross-browser compatibility and test how Web applications behave in different environments. Some employees may simply feel more comfortable using browsers they are familiar with, even if they are not officially supported by IT. These traits in Web browser usage further complicate the security efforts for the organization's IT security team and increase the attack surface.

Multiple Dangerous Vulnerabilities

Vulnerabilities in Web browsers are discovered regularly, putting organizations' systems and data at risk if left unaddressed. For instance, in May 2024, Chrome released updates to address four zero-day vulnerabilities (CVE-2024-4671, CVE-2024-4761, CVE-2024-4947, and CVE-2024-5274), each of which allowed a remote attacker to execute arbitrary code.

Web browsers are even prone to zero-click exploits. For example, the CVE-2023-41064 and CVE-2023-41061 vulnerabilities in Apple's iMessage allowed remote code execution without any user interaction. Known as the Blastpass exploit chain, it compromised iPhones running the latest version of iOS (16.6) without any interaction from the victim.

Would It Make Sense to Choose a Web Browser With Fewer Vulnerabilities?

While it may be tempting to consider switching browsers, it's important to understand that no software is free of vulnerabilities. Moreover, it's not just the number of vulnerabilities that matters — rather, it's how the vendor handles its vulnerability management program overall.

According to the Action1 "Software Vulnerability Ratings Report 2024," Chrome had the highest number of vulnerabilities reported from 2021 to 2023 (1,006), compared to Firefox (471) and Edge (178). Despite this, remote code executions (RCEs) were 1% for both Chrome and Firefox, but 10% for Edge. Edge also had a 7% exploitation rate in 2023, up from 5% in 2022. This suggests that Microsoft does not yet enforce a vulnerability management program for Edge as rigorously as Google does for Chrome or Mozilla does for Firefox. This example illustrates that, instead of switching to a browser with fewer vulnerabilities, it is more effective to focus on robust patch management and security practices.

At the same time, managing updates across multiple Web browsers is challenging. Updates can sometimes break compatibility with legacy Web applications or internal tools, causing operational disruptions. Additionally, Web browsers like Chrome and Firefox issue frequent updates, making it difficult for IT departments to keep up. Automated tools can push updates to all machines, and having a rapid testing protocol ensures that critical systems and workflows are not disrupted by new updates. However, employees may resist restrictive policies, mandatory updates, or extension limitations, viewing them as productivity hindrances. That's why employee education is a must.

Additional Pitfalls of Web Browser Security: Unapproved Extensions

In addition to vulnerabilities in the Web browser code itself, extensions aimed at enhancing browsing experiences can introduce significant security risks. Allowing employees to install random or unauthorized extensions increases risks. Malicious extensions can introduce malware, capture sensitive data, and degrade browser performance. For example, the Great Suspender extension was found to contain malware and removed from the Chrome Web Store in 2021. Extensions posing as ad blockers have also been found to steal user data or inject ads, compromising privacy and security.

To combat this, many organizations maintain an "allowed list" of approved extensions. Only extensions vetted for security and compliance are allowed, managed through group policies in Windows, managed preferences in macOS, or endpoint protection software. Regular security awareness training educates employees about the risks associated with installing unauthorized extensions and the importance of sticking to approved ones.

Conclusion

While Web browser security is a complex and ongoing challenge, organizations can mitigate risks through robust patch management, consistent security policies, user education, and the use of automated tools to ensure timely updates and secure configurations. Balancing security needs with user productivity is key to maintaining a secure and efficient workplace.