• Stefan Frei, Thomas Duebendorfer, Gunter Ollmann, Martin May
• August 10, 2008, DEFCON 16


In recent years the Web browser has increasingly become targeted as an infection vector for vulnerable hosts. Classic service-centric vulnerability exploitation required attackers to scan for and remotely connect to vulnerable hosts (typically servers) in order to exploit them. Unlike these, Web browser vulnerabilities are commonly exploited when the user of the vulnerable host visits a malicious Web site.

Attacks against Web browsers depend upon malicious content being rendered by the appropriate built-in interpreter (e.g., HTML, JavaScript, CSS) or vulnerable plug-in technology (e.g., Flash, QuickTime, Java). Vulnerabilities lying within these rendering technologies are then exposed to any exploit techniques or malicious code developed by the attacker. Vulnerability trend reports have indicated that remotely exploitable vulnerabilities have been increasing since the year 2000 and reached 89.4% of vulnerabilities reported in 2007. A growing percentage of these remotely exploitable vulnerabilities are associated with Web browsers.

While several studies and reports have focused upon the scale of the mass-defacements and malicious content being served by compromised servers, none have provided quantitative analysis of the most critical component in drive-by download attacks: the number of users likely to become victims of the attack due to the use of insecure Web browser technologies.

The analysis presented in this paper is based on the large global user base of Google’s Web search and application sites. By measuring the lower bounds of insecure Web browsers used daily to surf the Internet, we provide new insights into the global vulnerable Web browser problem. To capture the extent of this security problem, we introduce the notion of the "Insecurity Iceberg" and estimate the number of users worldwide relying on a Web browser version different from the latest most secure version, or on vulnerable plug-ins, either of which could result in a host compromise.

Following this detailed analysis, we identify and discuss a number of current and future protection technologies that can help mitigate the escalating threat to vulnerable Web browsers.