internet security tHreAt rePOrt GOVernMent 2013
internet security tHreAt rePOrt GOVernMent 2013
internet security tHreAt rePOrt GOVernMent 2013
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
p. 146<br />
Symantec Corporation<br />
Internet Security Threat Report <strong>2013</strong> :: Volume 18<br />
VULNERABILITy TRENDS<br />
Web Browser Plug-in Vulnerabilities<br />
Background<br />
This metric examines the number of vulnerabilities affecting<br />
plug-ins for Web browsers. Browser plug-ins are technologies<br />
that run inside the Web browser and extend its features, such<br />
as allowing additional multimedia content from Web pages<br />
to be rendered. Although this is often run inside the browser,<br />
some vendors have started to use sandbox containers to execute<br />
plug-ins in order to limit the potential harm of vulnerabilities.<br />
Unfortunately, Web browser plug-ins continue to be one of<br />
the most exploited vectors for Web-based attacks and drive-by<br />
downloads silently infecting consumer and enterprise users.<br />
Many browsers now include various plug-ins in their default<br />
installation and provide a framework to ease the installation<br />
of additional plug-ins. Plug-ins now provide much of the<br />
expected or desired functionality of Web browsers and are often<br />
required in order to use many commercial sites. Vulnerabilities<br />
affecting these plug-ins are an increasingly favored vector for<br />
a range of client-side attacks, and the exploits targeting these<br />
vulnerabilities are commonly included in attack kits. Web attack<br />
kits can exploit up to 25 different browser and browser plug-in<br />
vulnerabilities at one time and then have full access to download<br />
any malware to the endpoint system.<br />
Some plug-in technologies include automatic update<br />
mechanisms that aid in keeping software up to date, which may<br />
aid in limiting exposure to certain vulnerabilities. Enterprises<br />
that choose to disable these updating mechanisms, or continue<br />
to use vulnerable versions, will continue to put their enterprises<br />
at considerable risk to silent infection and exploitation. With<br />
the hundreds of millions of drive-by download attacks that<br />
Symantec identified in 2011, Web attacks continue to be a<br />
favorite infection vector for hackers and malware authors to<br />
breach enterprises and consumer systems. To help mitigate<br />
the risk, some browsers have started to check for the version of<br />
installed third-party plug-ins and inform the user if there are<br />
any updates available for install. Enterprises should also check<br />
if every browser plug-in is needed and consider removing or<br />
disabling potentially vulnerable software.<br />
Methodology<br />
Web browser plug-in vulnerabilities comprise a sub-set of<br />
the total number of vulnerabilities cataloged by Symantec<br />
over the reporting period. The vulnerabilities in this section<br />
cover the entire range of possible severity ratings and include<br />
vulnerabilities that are both unconfirmed and confirmed by the<br />
vendor of the affected product. Confirmed vulnerabilities consist<br />
of <strong>security</strong> issues that the vendor has publicly acknowledged,<br />
by either releasing an advisory or otherwise making a public<br />
statement to concur that the vulnerability exists. Unconfirmed<br />
vulnerabilities are vulnerabilities that are reported by third<br />
parties, usually <strong>security</strong> researchers, which have not been<br />
publicly confirmed by the vendor. That a vulnerability is<br />
unconfirmed does not mean that the vulnerability report is<br />
not legitimate, only that the vendor has not released a public<br />
statement to confirm the existence of the vulnerability.