Browser Security News

Has the browser become a scapegoat for Web-based bugs?

Web-based vulnerabilities and attacks are on the rise. And sure, there are plenty of browser bugs (think Metasploit’s Month of Browser Bugs, among other things). But there’s a subtle distinction often lost amid the panic, publicity and patching: many browser-related vulnerabilities aren’t actually inherent in the browser. In many cases, a vulnerability occurs because of the way the browser interacts with other applications and the operating system.

Take Internet Explorer 7’s very first bug, which was reported by Secunia within hours of Microsoft releasing the long-awaited browser: Microsoft said the vulnerability wasn’t technically with IE7, but with Outlook Express. IE7 was merely used as an attack vector, according to Microsoft.
The mhtml: issue vulnerability reported in IE6 and IE7 gives the attacker access to any Web page you access with your browser once you’ve visited a site he controls. Dark Reading - Desktop Security - Don’t Blame the Browser - Security News Analysis