Never underestimate Chipzilla's ability to execute - Gilbert Ann Sullivan
|
|
|
Browser plug-ins, social networks, HTML iframes top Q3 security threats
WEB BROWSER plug-ins and extensions, social networking web sites, HTML iframes, blackhat SEO and phishing attacks are some of the most dominant security threats encountered in the third quarter of this year, according to the latest State of the Web report by Zscaler Threatlabz.
Internet Explorer (IE) remains the most used web browser at 58 per cent, with the vast majority of people still using old versions of the Microsoft software. Only 1.68 per cent of people use IE 9.x, 28.23 per cent use IE 8.x, 22.02 per cent use IE 7.x, and 4.21 per cent still use the significantly outdated and vulnerable IE 6.x.
Modern web browsers have their own threats, however, with the ever useful plug-ins and extensions presenting particularly big risks. Adobe Flash is the most used browser plug-in, followed by Windows Media Player, Adobe Reader, Outlook and .NET.
The problem with these is that, as with the web browsers themselves, people tend not to update them, and older plugins and extensions usually have some big security vulnerabilities. Threatlabz found that Adobe Shockwave was the most outdated plugin in the third quarter, followed by Java and Adobe Reader, all of which have known security risks if not updated.
According to Threatlabz' research most people aren't even aware of what plug-ins they have installed, and knowledge and awareness is a key part of online security.
Regardless of what web browser or plug-ins you are using, chances are you will have some access to a social networking web site, be it Facebook, Twitter or Google+. Threatlabz found that these web sites make up the vast majority of web applications and place users in extreme vulnerability to click-jacking and phishing attacks.
Malicious HTML iframes came in first in the top 10 families of malware detected by antivirus programs. Javascript redirectors were second, followed by fake malware detection, malicious Flash code, online games malware, PDF Javascript threats, Javascript iframes, spyware toolbars, W32 trojans, and finally Javascript shellcode.
Blackhat search engine optimisation is also high on the list of tactics used by cyber criminals to artificially boost their web site traffic, which can help infect more computers and bring in more ill-gotten funds. Malware-infected search results were down compared to the second quarter, but there were more fake or hijacked web sites, particularly using the .edu domain extension. µ
Tags: Security
Share this:
Share
I won't vouch for any other browsers, but IE can be Java-proofed, locally or centrally, by a compotent Admin.
1) Hit your Local Group Policy Computer Configuration Windows Components Internet Explorer Internet Control Panel Security.
2) In each Zone desired, set "Java permissions" to "Disable Java."
Now anyone visiting a Java-laced website will simply be told "An add-on for this website failed to run," whether it's installed or not.
@mechBgon:
Regarding Java, all "modern" browsers will nag you to install it anyway and from security research we have already learned that people will do anything if you:
a) ask politely
b) nag them long enough
I'm pretty sure these stats are closer to reality on the IE version split:
http://marketshare.hitslink.com/browser-market-share.aspx?qprid=2&qpcustomd=0
That jives with my site's stats, which put IE9 at about 10% of the total visitors.
Regarding the main topic, out-of-date add-ons and extensions are a serious problem, as are entirely unnecessary ones. How many people actually need Java for anything? and yet they have it "just because". The computer came with it, we'd better not remove it or we might break something, etc etc. CSIS estimates 37% of the public have an out-of-date Java installation. Yikes.