February 2012 – Securing Your Web BrowserPosted on Feb 28, 2012 in Cyber Security Newsletters
Securing Your Web Browser
What is a web browser?
The web browser is a software application that allows you to view and interact with content on a webpage, such as text, graphics or other material. Internet Explorer, Firefox and Safari are some of the most commonly used browsers. Plug-ins, also known as add-ons, are applications that extend the functionality of browsers. Some of the plug-ins you may be familiar with include Flash Player, Java, Media Player, QuickTime Player, Shockwave Player, RealOne Player and Acrobat Reader. Certain plug-ins may be required to view content depending on how a web page is designed.
Web browsers—and related plug-ins—are primary tools for interacting with the Internet, making them prime targets for cyber attacks. It is important to understand the risks and know what steps you can take to help minimize the likelihood of a successful attack.
Keep in mind that mobile devices also utilize web browsers. As the use of mobile devices increases, these devices may also become targets of browser-based attacks.
How can your web browser be attacked?
Without the appropriate security patches applied, web browsers are as vulnerable to attack or exploit as other software. A fully patched web browser can still be vulnerable to attack or exploit if the browser plug-ins are not updated. It’s important to remember that plug-ins are not automatically updated when the browser is patched.
Cyber attackers are constantly searching for and finding programming errors and other flaws in web browsers and associated plug-ins. These vulnerabilities can be exploited, giving cyber criminals access to—and sometimes control over—your computer system.
Browser-based attacks can also originate from websites due to poor security coding of web applications or vulnerabilities in the software that supports websites. Attackers have been successful in compromising large numbers of trusted websites to deliver malicious applications to unsuspecting visitors. Attackers are then able to add scripts to a compromised website so that the website’s appearance does not change. These scripts may “silently” redirect you to another website without you even knowing about it. This redirection to another website may cause malicious programs to be downloaded to your computer. These programs are often designed to allow remote control of your computer by the attacker and to capture personal and confidential information such as credit card numbers, banking information and other data used for identify theft.
What can you do to protect against web browser attacks?
Below are a number of key steps you can take. Your information technology department and security office may have these implemented in your organization’s environment, but we encourage you to also apply these steps to your home computers/devices. This is especially critical if employees access their work network from their home computer:
• Keep your browser(s) updated and patched, and set to auto update.
• Keep your operating system updated and patched.
• Use anti-virus and anti-spyware software and keep them updated.
• Install a firewall and keep it updated and patched.
• Keep your applications (programs) updated and patched, particularly if they work with your browser (such as multi-media programs and plug-ins used to enable running of videos, for example).
• Block pop-up windows, as this may help prevent malicious software from being downloaded to your computer. (Note that the process for blocking varies depending on the browser you are using. Please refer to the links below for specific details.)
To learn more about web browser attacks, visit:
US-CERT Security Tip:
Carnegie Mellon CERT: Securing Your Web Browser:
McAfee — Web Browsers: An Emerging Platform Under Attack:
To learn more about web browser security settings, please visit:
Qualys Browser Check:
Firefox – Check Your Plug-In:
Firefox Browser Security:
Google Chrome and Browser Security:
Internet Explorer 9 Security Settings:
Safari Security and Privacy: