This is a mirror of official site: http://jasper-net.blogspot.com/

The dirty secret of browser security #1

Monday, January 30, 2012
Here's a curiosity that's developing in modern browser security: The security of a given browser is dominated by how much effort it puts into other people's problems.

This may sound absurd at first but we're heading towards a world where the main browsers will have (with a few notable exceptions):

    Rapid autoupdate to fix security issues.

    Some form of sandboxing.

    A long history of fuzzing and security research.

These factors, combined with an ever more balanced distribution of browser usage, are making it uneconomical for mass malware to go after the browsers themselves.

Enter plug-ins

Plug-ins are an attractive target because some of them have drastically more market share than even the most popular browser. And a lot of plug-ins haven't received the same security attention that browsers have over the past years.

The traditional view in security is to look after your own house and let others look after theirs. But is this conscionable in a world where -- as a browser vendor -- you have the power to defend users from other people's bugs?

As a robust illustrative point, a lot of security professionals recently noticed some interesting exploit kit data, showing a big difference in exploitation success between Chrome (~0%) and IE / Firefox (~15%).

