This article is from US-CERT, a very respected informational source:
Why Secure Your Browser
Today, web browsers such as Microsoft Internet Explorer, Mozilla Firefox, and Apple Safari are installed on almost all computers. Because web browsers are used so frequently, it is vital to configure them securely. Often, the web browser that comes with an operating system is not set up in a secure default configuration. Not securing your web browser can lead quickly to a variety of computer problems caused by anything from spyware being installed without your knowledge to intruders taking control of your computer.
Ideally, computer users should evaluate the risks from the software they use. Many computers are sold with software already loaded. Whether installed by a computer manufacturer, operating system maker, Internet service provider, or by a retail store, the first step in assessing the vulnerability of your computer is to find out what software is installed and how programs will interact with each other. Unfortunately, it is not practical for most people to perform this level of analysis.
There is an increasing threat from software attacks that take advantage of vulnerable web browsers. We have observed new software vulnerabilities being exploited and directed at web browsers through use of compromised or malicious websites. This problem is made worse by a number of factors, including the following:
- Many users have a tendency to click on links without considering the risks of their actions.
- Web page addresses can be disguised or take you to an unexpected site.
- Many web browsers are configured to provide increased functionality at the cost of decreased security.
- New security vulnerabilities are often discovered after the software is configured and packaged by the manufacturer.
- Computer systems and software packages may be bundled with additional software, which increases the number of vulnerabilities that may be attacked.
- Third-party software may not have a mechanism for receiving security updates.
- Many websites require that users enable certain features or install more software, putting the computer at additional risk.
- Many users do not know how to configure their web browsers securely.
- Many users are unwilling to enable or disable functionality as required to secure their web browser.
As a result, exploiting vulnerabilities in web browsers has become a popular way for attackers to compromise computer systems.
In addition to following this paper's recommendations, refer to the documentation in the References section for other steps you can take to secure your system.
It is important to understand the functionality and features of the web browser you use. Enabling some web browser features may lower security. Vendors often enable features by default to improve the computing experience, but these features may end up increasing the risk to the computer.
Attackers focus on exploiting client-side systems (your computer) through various vulnerabilities. They use these vulnerabilities to take control of your computer, steal your information, destroy your files, and use your computer to attack other computers. A low-cost method attackers use is to exploit vulnerabilities in web browsers. An attacker can create a malicious web page that will install Trojan software or spyware that will steal your information. Additional information about spyware is available in the following document: http://www.cert.org/archive/pdf/spyware2005.pdf. Rather than actively targeting and attacking vulnerable systems, a malicious website can passively compromise systems as the site is visited. A malicious HTML document can also be emailed to victims. In these cases, the act of opening the email or attachment can compromise the system.
Cookies are files placed on your system to store data for specific websites. A cookie can contain any information that a website is designed to place in it. Cookies may contain information about the sites you visited, or may even contain credentials for accessing the site. Cookies are designed to be readable only by the website that created the cookie. Session cookies are cleared when the browser is closed, and persistent cookies will remain on the computer until the specified expiration date is reached.
Cookies can be used to uniquely identify visitors of a website, which some people consider a violation of privacy. If a website uses cookies for authentication, then an attacker may be able to acquire unauthorized access to that site by obtaining the cookie. Persistent cookies pose a higher risk than session cookies because they remain on the computer longer.
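As an added example (not part of the US-CERT article), the following Python script applies the distinction made above to raw Set-Cookie headers: a cookie with neither Expires nor Max-Age is a session cookie, one with either is persistent, and the audit flags persistent cookies that outlive a chosen limit or lack the Secure and HttpOnly attributes (standard cookie attributes the article does not mention, which keep a cookie off plain HTTP and away from page scripts). The sample headers and the reference date are constructed.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Set-Cookie headers (not captured from any real site).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",                         # session cookie
    "prefs=dark; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/",  # persistent, 5 years
    "auth=tok; Max-Age=2592000; Path=/; Secure; HttpOnly",        # persistent, 30 days
    "tmp=1; Max-Age=0",                                           # immediate deletion
]
# Fixed reference time (constructed) so computed lifetimes are reproducible.
FIXED_NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)

def classify_cookie(header, now=FIXED_NOW):
    """Classify a Set-Cookie header as 'session', 'persistent' or 'expired'.
    Without Max-Age/Expires it is a session cookie, cleared on browser close."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    expires_at = None
    if "max-age" in attrs:  # RFC 6265: Max-Age takes precedence over Expires
        expires_at = now + timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        expires_at = parsedate_to_datetime(attrs["expires"])
        if expires_at.tzinfo is None:  # treat a naive date as GMT
            expires_at = expires_at.replace(tzinfo=timezone.utc)
    if expires_at is None:
        kind, lifetime_days = "session", None
    else:
        lifetime_days = (expires_at - now).total_seconds() / 86400
        kind = "persistent" if lifetime_days > 0 else "expired"
    return {"name": name, "kind": kind, "lifetime_days": lifetime_days,
            "secure": "secure" in attrs, "httponly": "httponly" in attrs}

def audit(headers, now=FIXED_NOW, max_days=30):
    """Persistent cookies that outlive max_days or lack HttpOnly/Secure."""
    findings = []
    for h in headers:
        c = classify_cookie(h, now)
        if c["kind"] == "persistent" and (
                c["lifetime_days"] > max_days or not (c["secure"] and c["httponly"])):
            findings.append(c["name"])
    return findings

if __name__ == "__main__":
    print("flagged:", audit(SAMPLE_HEADERS))  # flagged: ['prefs']
```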
Some software features that provide functionality to a web browser, such as ActiveX, Java, Scripting (JavaScript, VBScript, etc.), may also introduce vulnerabilities to the computer system. These vulnerabilities may stem from poor implementation, poor design, or an insecure configuration. For these reasons, you should understand which browsers support which features and the risks they could introduce. Some web browsers permit you to fully disable the use of these technologies, while others may permit you to enable features on a per-site basis.
This section provides links that show you how to securely configure a few of the most popular web browsers and how to disable features that can cause vulnerabilities. We encourage you to visit the vendor's website for each browser you use to learn more. If a vendor does not provide documentation on how to secure the browser, we encourage you to contact the vendor and request more information.
Multiple web browsers may be installed on your computer. Other software applications on your computer, such as email clients or document viewers, may use a different browser than the one you normally use to access the web. Also, certain file types may be configured to open with a different web browser. Using one web browser to manually interact with websites does not mean other applications will automatically use the same browser. For this reason, it is important to securely configure each web browser that may be installed on your computer. One advantage to having multiple web browsers is that one browser can be used for only sensitive activities such as online banking, and the other can be used for general purpose web browsing. Using multiple browsers can minimize the chances that a vulnerability in a particular web browser, website, or related software can be used to compromise sensitive information.
Web browsers are frequently updated. Depending on the version of your software, the features and options may move or change.
More to come soon....
Joe Rossini