Infected via Browser vulns/bugs ?

Discussion in 'other security issues & news' started by CloneRanger, May 5, 2012.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    We keep getting advised to update our browsers to the latest versions, & numerous vulns/bugs have been discovered for all of them over the years. But have you ever, or know anybody, or heard of, even one person who has been infected due to any of them ?

    In over 8 years of surfing to hundreds of malware infected www's, it's never happened to me once !

    By the way, i am NOT talking about Java/PDF/ActiveX/Scripting etc etc exploits. Only via browser vulns/bugs.
  2. Hungry Man

    Hungry Man Registered Member

    Browsers are pretty much at the forefront of security, all of them patch pretty quickly and they have such a low market share compared to plugins that they don't often get attacked.

    Back in IE5/6 days when it had a large amount of market share and terrible security it was attacked all the time.

    They're much harder to attack (due to quick patching and making use of DEP/ASLR) than their plugins.
  3. tomazyk

    tomazyk Guest

    Not to my knowledge. I have never come across an infection that would use a browser exploit as an attack vector. Usually users "install" malware themselves :) Still I believe updating browsers is a must.
  4. Cudni

    Cudni Global Moderator

    It would depend, I think, on how deep somebody is immersed in dealing with malware and analysing it. To a casual fighter it boils down to: there is malware, remove it; block it so in future; good luck; next....
  5. CloneRanger

    CloneRanger Registered Member

    Thanks for the replies :thumb:

    I find it both interesting & surprising, that trying to discover if any such vectors have Actually resulted in anyone, or lots of people, getting infected, has so far proved fruitless. And i don't mean just with this thread, but over the years i don't recall hearing/reading about Any ! Plenty of alerts & advisories etc, but no actual events.

    Obviously if people have patched, and/or they have other measures etc in place that would prevent infections via Vulns/Bugs, then they were/are safe. But what about ALL the others who didn't patch in time, or at all, and still didn't get infected, from what we know so far anyway. Maybe they didn't visit infected www's, or ?

    I used to selectively patch critical etc updates via Technet, but after several XP/SP2 reinstalls & having good security in place, i proved trying to get infected numerous times i was failing. So i decided patching was superfluous to protecting my PC. And so it has continued to be after a number of years.

    So even with Internet Explorer v6 with NO updates, & FF v3.6.14 the same, i have been able to cruise to ANY infected www with NO problems, in all this time. The only tricks etc i have seen, are the typical Java/Scripting/PDF/Redirects exploits/prompts etc to try & download some .exe .dll etc. Not once have i experienced a browser vulnerability that hijacked, or even attempted to hijack, it/them.

    It "appears" to me that such things are actually quite rare, though not impossible.
  6. Ranget

    Ranget Registered Member

    Well once not a long time ago i was using a Browser with no FP or Java at all
    just noscript

    updated to the latest version and got hacked if it's not a Browser exploit i'm going to go crazy
  7. Hungry Man

    Hungry Man Registered Member

    Browsers make it really clear to patch vulnerabilities. Chrome silently updates, Firefox has always notified of updates, IE updates through Windows.

    Even if they weren't great at patching they:
    1) All share the market. Attacking IE gets you only half of the market, Chrome and FF even less. Attacking Flash gets you 98% of the market.
    2) They are at the forefront of mitigation techniques.
  8. BrandiCandi

    BrandiCandi Guest

    Just because you can't tell it happened doesn't mean it didn't happen.

    Symptoms of browser exploit (from this):
    or there may be no symptoms at all, except maybe some extra network traffic if you're watching for that (from here):
    So to conclude that no one has gotten infected because no one has ever known that they got infected is totally wrong,
  9. BrandiCandi

    BrandiCandi Guest

    The question I have is "How likely is it that my browser will be exploited?"

    Here's what I've found:

    This dated March 2012:
    I'm looking for some actual statistics about browser exploits recently. The most recent source I could find dated from 2008:
    I'd like to find a more recent study so we can understand what the likelihood of a browser attack would be for the average user today. If anyone finds any I'd love to see it.
  10. Hungry Man

    Hungry Man Registered Member

    I think they're putting Browser Plugins in with the "browser exploits" statistic.

    I also think OS exploits have likely gone down as we've moved past XP.
  11. Baserk

    Baserk Registered Member

    ^true. As both articles mention, it's mostly about keeping the browser+plugins up to date.
    'Another type of vulnerability that is commonly exploited is the targeting of browsers and their plugins (Flash, Java etc.)...The most common infection methods detected by S21sec include browser exploits (65%)...' link
    It would help if Oracle can find it in its heart to auto-update Java like Flash now, then the whole browser package could auto update, current/coming browser sandboxing will lower the percentage even more.
  12. CloneRanger

    CloneRanger Registered Member

    @ Ranget :eek:

    @ BrandiCandi

    I never said it hadn't happened, or couldn't happen, just that i had Never experienced ANY, even after years of trying all manner of www's that had been compromised in some way/s.

    Thanks for the links etc :thumb:

    @ Hungry Man & Baserk

    Yeah, my focus for this thread is NOT on Plugins etc, only browser exploits ;)
  13. Hungry Man

    Hungry Man Registered Member

    Naturally. If you had run into any you likely would have been further up to date though if I recall that's not your thing so perhaps some antiexecutable or NoScript type deal would have blocked it.

    And, of course, with such easy targets as Java, Flash, Reader, there's not much reason to go for browser exploits, which are much harder to come by and patched very quickly.
  14. xxJackxx

    xxJackxx Registered Member

    Absolutely. The only issue I even had with a browser was 6 years ago. Windows XP, IE6, NOD32. Was searching google, clicked on a link in the results, IE closed, NOD32 closed, IE opens back up with an extra toolbar and a Vundo infection. :doubt: