Microsoft Internet Explorer Dips Below 70% Market Share
I ran across article by Net Applications that shows their recent browser tracking data. According to their stats, Microsoft Internet Explorer (MSIE) browser has finally dropped below 70% of the overall browser market share, and Firefox has risen above 20%.
Overall, this is nice for Firefox and alternative browsers, but it does have both positive and negative security implications. For a period of time, it felt like the world wide web was a homogenous environment of MSIE browsers everywhere (and before that, it was Netscape browsers). Now we're finally at a point where the numbers may start supporting the notion that we have a true heterogeneous environment blossoming. Heterogeneous environments, whether it be a computer network or a biological system, are often much more robust and stable than a homogeneous environment simply because a homogeneous environment is susceptible to a single incident (such as an eruption of a pathogen, or a browser exploit in our case) wiping out the entire environment in one fell swoop. So the growth of browser alternatives is actually good for web browser security overall, because it means not all systems will be p0wn3d by the next devastating MSIE vulnerability.
There is also a downside of this too. With the rise of active use of alternative browsers, there is now enough incentive for attackers to take the time to attack/exploit the alternatives. We kind of already knew this, and it was largely already happening in the real world, but the numbers help to support the idea. Simply put: if no one is using a browser, there isn’t much blackhat value in finding a vulnerability in it to exploit...you’d essentially have a specialized weapon with a lack of targets to use it upon. But once there is a moderate/sizable population of those targets, the effectiveness of that specialized weapon (i.e. exploit) increases. We’ve seen this before with the Apple Mac platform: many people claimed it was more secure than Windows because it had fewer publicized security vulnerabilities. There's even the claim that Macs don't need anti-virus software because there are no viruses for Macs. Of course, Mac popularity grew, the number of deployed systems rose, and that caused the attackers to take notice. Now we have active research and exploitation of OSX and its components, and a host of malware specific to the Mac platform (for the skeptical: OSX.Leap.A, OSX.Exploit.Launchd, OSX.Macarena, OSX.Inqtana.A, etc.)
Overall this is the right direction for things to be heading. However, those trying to fly under the blackhats' web exploitation radars by using an alternative/obscure browser may find their days of obfuscated safety are numbered. As soon as the obscure browser you are using jumps into the limelight, attackers are sure to pounce on it eventually as well.
Side note: I've encountered many individuals that have employed this 'security through obscure browser' tactic. The issue is that they were using browsers like Maxthon, NeoPlanet, Avant, etc. What they didn't realize is that all of these browsers were just different UI shells on top of the MSIE web layout engine (called 'Trident'). In other words, they often just as vulnerable as if they were directly running MSIE—there was no security advantage gained. Overall there currently four major web browser 'engines': Trident (MSIE), Gecko (Firefox), WebKit (Safari), and Presto (Opera). Most browsers on the market today use one of those engines (or a derivative), and that means any vulnerability that affects the engine will affect any browser built upon it. So you might hear of a vulnerability in Firefox, but the bug could truly be in the Gecko engine and thus other browsers like Flock, Camino, Epiphany, Galeon, SeaMonkey, and Songbird (all Gecko-based) could be vulnerable as well. Therefore if you are looking to differentiate yourself by using an obscure browser for security purposes, you should do some research to ensure the browser you are running is not running the same (vulnerable) web engine as the more popular browsers.
Until next time,