Updated Browsers Still Vulnerable to Attack if Plugins Are Outdated

How to Avoid Targeted Attacks

Psst. Is your browser up-to-date? You may think you are safe because you update the Web browser regularly, but chances are you are still surfing the Web with highly vulnerable software.

Roughly half of Web users are using Web browsers that are vulnerable to known security flaws, said Wolfgang Kandek, CTO of Qualys. The company collected browser data from over a million "typical end-user computers" and found that more than half of the tested machines had critical vulnerabilities that would allow attackers to take remote control of the system, search the disk drive for valuable data, monitor all keystrokes, and intercept private information, Kandek said.

Security experts regularly remind users to update Web browsers as soon as new patches are available. Attackers are more likely to target vulnerabilities that should have been patched a year or two ago, rather than bothering with zero-days. Several popular exploit kits, such as BlackHole, are still successfully targeting vulnerabilities which users should have already closed. For example, a remote execution flaw Oracle patched in Java just last month is still under attack by BlackHole.

"Users of all major browsers have the same problem: They are using outdated software that contains known vulnerabilities," Kandek said.

While the extent of the problem varies across browsers, it is still pervasive. Even Apple Safari, which Kandek called the "best browser," has over 35 percent of its users at risk, Kandek said.

Why Am I Open to Attack?
Kandek is not suggesting that browser makers aren't closing the flaws. In fact, he noted that rolling out automatic update mechanisms for the major browsers has "improved the situation tremendously," as users no longer have to remember to update the software. He acknowledged that it often is not the browser's fault that vulnerabilities are left open, but rather the plugins'.

Plugins give the browser additional capabilities, such as running applications, watching video, listening to music, and playing games. They are also frequently the target of attacks. Qualys found that 82 percent of the machines it tested had Java installed, and over a third were running out-of-date versions. Adobe Flash was the second most popular plugin, installed on over 67 percent of the machines tested, with about a quarter running vulnerable versions.

Most attacked plugins

"We have to blame the installed plug-ins that contain flaws and remain unpatched," Kandek said.

Update All Installed Browsers, Plugins
Kaspersky Lab researchers found similar numbers in this month's "Global Web Browser Usage and Security Trends" report. While nearly 80 percent of users in the Kaspersky Security Network had the latest version of a browser, the researchers acknowledged the possibility that "quite a lot of users" had their default browser up-to-date but also had outdated versions of other browsers installed on the same machine, "keeping a security hole open for attacks."

About 17 percent of users were using older browsers, which were not the latest version but still being patched regularly, and 8.5 percent had "obsolete" versions, according to Kaspersky Lab. While that may not sound like a lot, that number "represents millions of users," the report said. Not upgrading browsers means those users are also less likely to update plugins such as Adobe Flash or Java, Kaspersky Lab found.

What To Do Next?
"All of these vulnerabilities can be eliminated by updating to the latest versions of the software installed, both for browsers and plug-ins," Kandek recommended.

Users need to update their browsers and all the plugins and browser extensions on a regular basis.

"It is always not the best time to close all apps, save all documents and wait a while until the updates are installed. But it has to be done," Kaspersky Lab said in the report.

For more from Fahmida, follow her on Twitter @zdFYRashid.
