[ISN] Browser security holes surging in 2006

From: InfoSec News (alerts@private)
Date: Mon Sep 25 2006 - 23:50:33 PDT


http://www.techworld.com/security/news/index.cfm?newsID=6955

By Robert McMillan
IDG News Service
25 September 2006

The number of security holes in Web browser has jumped this year, 
according to Symantec.

The security company's twice-yearly Internet Security Threat Report, 
found that 47 bugs in Firefox and 38 bugs in Internet Explorer had been 
discovered in the first six months of this year - up significantly from 
the 17 and 25 bugs found respectively in the previous six months.

Even Apple's Safari browser saw its bugs double, from six in the last 
half of 2005 to 12 in the first half of 2006. Opera was the only browser 
tracked by Symantec that saw the number of vulnerabilities decline, but 
not by much. Its bugs dropped from nine to seven during the period.

And while Internet Explorer remained the most popular choice of 
attackers, no one is invulnerable. According to the report, 31 percent 
of attacks during the period targeted more than one browser, and 20 
percent took aim at Mozilla's Firefox.

"There is no safe browser," said Vincent Weafer, senior director with 
Symantec Security Response. "If you've got a browser, make sure you're 
configuring it correctly," he added. "That's a far better strategy than 
running some browser just because you haven't heard of it."

Part of the rise is due to the growing market for vulnerabilities, 
Weafer said. Legitimate companies such as 3Com's Tipping Point and 
Verisign's iDefense pay for this information, and there is also a 
growing black market for exploits. "People are encouraged and getting 
money for finding vulnerabilities, so now you have more people looking," 
said Weafer.

Browser bugs are also relatively easy to find and exploit, said Marc 
Maiffret, chief technology officer with eEye. "Everyone has realised 
that targeting the applications on the desktop is a better way to break 
into businesses and consumers and steal things than server flaws," he 
said. Businesses and consumers may both be targets, but home users are 
the victims in about 86 percent of all attacks, according to Symantec.

And the US is the biggest source of online attacks, thanks to its large 
number of compromised machines with broadband connections, Weafer said. 
About 37 percent of all online attacks originate in the US, he said.

While there may have been more bugs in Mozilla than in Explorer, 
Symantec gave the open source project high marks for its bug-fixing. On 
average, it patched bugs within one day of their public disclosure
- the fastest turn-around of all measured browsers. Opera came in 
second, averaging two days. Safari was next, with a five-day window, 
followed by Microsoft, which averaged nine days per patch.

Microsoft may lag as a browser patcher, but when it comes to operating 
systems, the company leads the pack, according to Symantec. The slowest? 
Sun.


_________________________________
Visit the InfoSec News store!
http://www.shopinfosecnews.org 



This archive was generated by hypermail 2.1.3 : Tue Sep 26 2006 - 00:01:15 PDT