A group of researchers from three organizations, including Google, IBM ISS and CSG ETH Zurich, has just published a paper titled “Understanding the Web browser threat: Examination of vulnerable online Web browser populations and the insecurity iceberg”.
In recent years the Web browser has increasingly become targeted as an infection vector for vulnerable hosts. Classic service-centric vulnerability exploitation required attackers to scan for and remotely connect to vulnerable hosts (typically servers) in order to exploit them. Unlike these, Web browser vulnerabilities are commonly exploited when the user of the vulnerable host visits a malicious Web site.
The analysis presented in this paper is based on the large global user base of Google’s Web search and application sites. By measuring the lower bounds of insecure Web browsers used to daily surf the Internet, we provide new insights into the global vulnerable Web browser problem. To capture the extent of this security problem, we introduce the notion of the “Insecurity Iceberg” (see Figure 1) and estimate the number of users worldwide relying on a Web browser version different from the latest most secure version or vulnerable plug-ins, which could result in a host compromise.
Following this detailed analysis, we identify and discuss a number of current and future protection technologies that can help mitigate the escalating threat to vulnerable Web browsers.
The paper can be read over at TechZoom.