Hot and bothered over browser patches

Online Trust Alliance and a host of companies are pushing websites to notify people when they're using an outdated browser, but businesses need to do more

The browser has become the unlatched door through which attackers break in and compromise computers. The starting point for securing that portal is to ensure the browser is up-to-date, yet more than 40 percent of browsers used to visit major websites have not been updated to eliminate the latest security flaws.

In the business world, there's a complication: Often legacy browsers are required to run or connect to critical applications. How else to explain the unyielding market share of the easy-to-compromise Internet Explorer 6? Nearly 10 percent of users are browsing external websites using IE 6, another 6 percent are running IE 7, and 7 percent are running the out-of-date Firefox 3.6, according to Web metrics site NetMarketShare.

"Clearly, businesses need to move off of IE 6 and IE 7," says Craig Spiezle, president and executive director of the Online Trust Alliance (OTA). "And they need to move off as quickly as possible, because the browser is the first line of defense."

Last week the OTA announced its Why Your Browser Matters campaign, an effort to create a minimum bar for security online. Visitors to participating websites, such as PayPal and Microsoft, will be warned if their browsers are out of date. By educating users as they browse, Spiezle hopes to dramatically reduce the number of people using older browsers.
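The check a participating site has to make is simple to sketch. What follows is an added example, not code from the OTA campaign, PayPal or Microsoft: it parses the visitor's User-Agent string into a browser family and version and compares that against a minimum-version policy. The MINIMUM_VERSIONS thresholds and the sample User-Agent strings are constructed assumptions, chosen so that the IE 6, IE 7 and Firefox 3.6 populations cited above come out as outdated; they are not the campaign's real thresholds. One caveat the code handles that a naive check misses: IE 8 and later running in Compatibility View advertise an older "MSIE" token, so the Trident engine token is consulted first.

```javascript
// Added example: flag out-of-date browsers from the User-Agent header.
// Not OTA or participating-site code. Minimum versions are illustrative assumptions.
const MINIMUM_VERSIONS = { ie: 8, firefox: 4, chrome: 14, safari: 5 };

// Compare dotted version strings numerically: "3.6.13" < "4", "14.0.835" > "14".
function compareVersions(a, b) {
  const pa = String(a).split('.').map(Number);
  const pb = String(b).split('.').map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Identify browser family and version. Order matters:
// - IE 8+ in Compatibility View reports an older "MSIE" token, but the Trident
//   engine token stays truthful (Trident/4.0 = IE 8, 5.0 = IE 9, 6.0 = IE 10,
//   7.0 = IE 11), so it is checked first.
// - Chrome's UA also contains "Safari/", so Chrome is checked before Safari.
function parseUserAgent(ua) {
  let m;
  if ((m = /Trident\/(\d+)\./.exec(ua))) {
    return { family: 'ie', version: String(Number(m[1]) + 4), source: 'trident' };
  }
  if ((m = /MSIE (\d+(?:\.\d+)?)/.exec(ua))) {
    return { family: 'ie', version: m[1], source: 'msie' };
  }
  if ((m = /Firefox\/(\d+(?:\.\d+)*)/.exec(ua))) {
    return { family: 'firefox', version: m[1], source: 'token' };
  }
  if ((m = /Chrome\/(\d+(?:\.\d+)*)/.exec(ua))) {
    return { family: 'chrome', version: m[1], source: 'token' };
  }
  if ((m = /Version\/(\d+(?:\.\d+)*).*Safari\//.exec(ua))) {
    return { family: 'safari', version: m[1], source: 'token' };
  }
  return { family: 'unknown', version: null, source: null };
}

// Returns 'outdated', 'current' or 'unknown' plus the parsed details,
// so a site can decide whether to show an upgrade warning.
function checkBrowser(ua, policy = MINIMUM_VERSIONS) {
  const b = parseUserAgent(ua);
  const min = policy[b.family];
  if (b.version === null || min === undefined) {
    return Object.assign({ status: 'unknown' }, b);
  }
  const status = compareVersions(b.version, min) < 0 ? 'outdated' : 'current';
  return Object.assign({ status, minimum: String(min) }, b);
}

// Constructed sample User-Agent strings for the populations the article names.
const SAMPLE_USER_AGENTS = {
  ie6: 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)',
  ie7: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)',
  ie8CompatView: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)',
  firefox36: 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13',
  firefox7: 'Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1',
  chrome14: 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1',
  safari5: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/534.52.7 (KHTML, like Gecko) Version/5.1.2 Safari/534.52.7',
  bot: 'curl/7.21.0',
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, ua] of Object.entries(SAMPLE_USER_AGENTS)) {
    const r = checkBrowser(ua);
    console.log(`${name.padEnd(14)} ${r.family}/${r.version} -> ${r.status}`);
  }
}
```

Two things to keep in mind when using a check like this. The User-Agent header is supplied by the client and can be spoofed or rewritten by proxies, so the result is advice to show a visitor, not a security control a site can rely on. And it says nothing about plug-ins: a fully patched browser can still be carrying a stale PDF or Flash plug-in, which is the gap the rest of the article turns to.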

But the effort is aimed at consumers, not companies. Warning employees that they should upgrade won't help when many firms insist on using older browsers for backward compatibility -- or delay their deployment because testing patches for compatibility takes so long.

"This huge willingness in enterprise environments, even more so than in consumer environments, to run out-of-date operating systems and software ... puts the enterprise at risk," says Rik Ferguson, director of security research for Trend Micro's Europe, Middle East, and Africa business. "What you should be looking at is some other way of mitigating the threats while you are unable to patch."

The point is sharpened further by the fact that many attacks exploit flaws in browser plug-ins rather than in the browser itself. Trend Micro's recent report on the Lurid botnet, for example, found that it spread by exploiting a two-year-old flaw in the Adobe Acrobat Reader plug-in, not a flaw in any browser.

"Many attacks come through the browser, but it is not just because the browser is out of date, it is because the plug-ins are out of date," Ferguson says.

The lesson is that companies should patch the browser and its plug-ins, but not stop there. Monitoring network traffic for attacks, placing intrusion detection on the client, and running the browser inside a virtual machine all raise the hurdles an attacker must clear to compromise a would-be victim's machine, and they keep working during the window in which a legacy browser cannot be replaced.

This article, "Hot and bothered over browser patches," was originally published at InfoWorld.