Critical Vulnerability in Browser Security Metrics - PowerPoint Presentation

Uploaded by tatiana-dople on 2019-03-18

Presentation Transcript

Slide1

Critical Vulnerability in Browser Security Metrics

Mustafa Acer, Collin Jackson

mustafa.acer@sv.cmu.edu, collin.jackson@sv.cmu.edu

May 20, 2010

Web 2.0 Security & Privacy 2010

Slide2

Which Browser To Use?

Which browser is more secure? Use metrics to evaluate browser security.

But which metrics to use? Are they meaningful? Are they useful?

Slide3

A widely used metric: Distribution of the number of known vulnerabilities

Sources: Cenzic, Web application security trends report, Q3-Q4 2009; IBM Security Solutions, X-Force 2009 trend and risk report; Symantec, Internet security threat report, 2010

Slide4

A widely used metric: Distribution of the number of known vulnerabilities

It is meaningless and actively harmful.

Slide5

Problems with Current Metrics

Ignore Patch Deployment: quickly deployed patches are not bad

Discourage Disclosure: vendors avoid releasing known bugs

Ignore Plug-ins: Flash Player is installed in 99% of browsers. Only 20%* have latest versions.

* Trusteer, Flash security hole advisory, August 2009

Slide6

A New Vulnerability Metric: Risk Score

The percentage of users who have at least one unpatched critical or high severity vulnerability on an average day

Critical: Attackers can run arbitrary code on the user's system

High: Attackers can access data belonging to other sites (e.g. circumventing the cross-origin policy)

Slide7

Measurement

Collecting browser & plug-in version data from users via ad networks (6000 data points/day)

Calculating risk score for browser & plug-in combinations

Firefox, Safari, Opera, Chrome

Flash Player, Silverlight, Google Gears

Live statistics at browserstats.appspot.com
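The following worked example is added here and is not code from the slides or from the browserstats.appspot.com service. It computes the Risk Score defined on slide 6 (percentage of users exposed to at least one unpatched critical or high severity vulnerability, averaged per day) over constructed version observations of the kind slide 7 describes, both with and without plug-ins, and sets it beside the old "number of known vulnerabilities" metric so the divergence shown on slides 8 to 11 can be reproduced on toy data. The product names (FastBrowser, SlowBrowser, Flash), the vulnerability table, the observation records and the exposure rule (a user is exposed when a disclosed severe bug has a fix the installed version predates) are all assumptions made for the illustration.

```python
from datetime import date

# Constructed vulnerability table (example data, not the slides' measurements).
# A user is exposed to an entry if the product is installed, the bug was
# disclosed on or before the observation day, and the installed version is
# below the version that fixes it.
VULNS = [
    {"product": "FastBrowser", "severity": "critical", "disclosed": date(2010, 5, 1), "fixed_in": "2.0"},
    {"product": "FastBrowser", "severity": "critical", "disclosed": date(2010, 5, 1), "fixed_in": "2.0"},
    {"product": "FastBrowser", "severity": "high",     "disclosed": date(2010, 5, 3), "fixed_in": "2.0"},
    {"product": "SlowBrowser", "severity": "high",     "disclosed": date(2010, 5, 1), "fixed_in": "1.5"},
    {"product": "Flash",       "severity": "critical", "disclosed": date(2010, 5, 1), "fixed_in": "10.1"},
]

# Constructed daily observations, one tuple per user sighting:
# (day, browser, browser_version, {plug-in name: plug-in version}).
OBS = [
    (date(2010, 5, 10), "FastBrowser", "2.0", {"Flash": "10.1"}),
    (date(2010, 5, 10), "FastBrowser", "2.0", {"Flash": "10.0"}),
    (date(2010, 5, 10), "FastBrowser", "2.0", {"Flash": "10.1"}),
    (date(2010, 5, 10), "FastBrowser", "1.9", {"Flash": "10.1"}),
    (date(2010, 5, 11), "FastBrowser", "2.0", {"Flash": "10.0"}),
    (date(2010, 5, 11), "FastBrowser", "2.0", {"Flash": "10.1"}),
    (date(2010, 5, 11), "FastBrowser", "2.0", {"Flash": "10.1"}),
    (date(2010, 5, 11), "FastBrowser", "2.0", {"Flash": "10.0"}),
    (date(2010, 5, 10), "SlowBrowser", "1.5", {}),
    (date(2010, 5, 10), "SlowBrowser", "1.4", {}),
    (date(2010, 5, 10), "SlowBrowser", "1.4", {}),
    (date(2010, 5, 10), "SlowBrowser", "1.4", {}),
    (date(2010, 5, 11), "SlowBrowser", "1.5", {}),
    (date(2010, 5, 11), "SlowBrowser", "1.5", {}),
    (date(2010, 5, 11), "SlowBrowser", "1.4", {}),
    (date(2010, 5, 11), "SlowBrowser", "1.4", {}),
]

SEVERE = {"critical", "high"}   # severities that count for the Risk Score
AS_OF = date(2010, 5, 11)       # reporting day used for the old metric below


def parse_version(v):
    """Turn '10.1' into (10, 1) so versions compare numerically, not as text."""
    return tuple(int(part) for part in v.split("."))


def is_exposed(product, version, day):
    """True if `version` of `product` has an unpatched severe bug known on `day`."""
    installed = parse_version(version)
    for vuln in VULNS:
        if vuln["product"] != product or vuln["severity"] not in SEVERE:
            continue
        if vuln["disclosed"] <= day and installed < parse_version(vuln["fixed_in"]):
            return True
    return False


def known_vuln_count(product, day):
    """Old metric: how many vulnerabilities were disclosed for `product` by `day`."""
    return sum(1 for v in VULNS if v["product"] == product and v["disclosed"] <= day)


def risk_score(browser, include_plugins, observations=OBS):
    """Risk Score: percentage of `browser` users exposed on an average day.

    The percentage is computed per observation day and the daily values are
    then averaged, matching the slides' "on an average day" wording.
    """
    per_day = {}  # day -> (users seen, users exposed)
    for day, name, version, plugins in observations:
        if name != browser:
            continue
        exposed = is_exposed(name, version, day)
        if include_plugins:
            exposed = exposed or any(is_exposed(p, pv, day) for p, pv in plugins.items())
        seen, hit = per_day.get(day, (0, 0))
        per_day[day] = (seen + 1, hit + int(exposed))
    if not per_day:
        return 0.0
    daily = [100.0 * hit / seen for seen, hit in per_day.values()]
    return sum(daily) / len(daily)


if __name__ == "__main__":
    for browser in ("FastBrowser", "SlowBrowser"):
        print(f"{browser}: known vulns={known_vuln_count(browser, AS_OF)}, "
              f"risk score={risk_score(browser, False):.1f}%, "
              f"with plug-ins={risk_score(browser, True):.1f}%")
```

On this constructed data the old metric ranks SlowBrowser better (1 known vulnerability against 3), while the Risk Score ranks FastBrowser better (12.5% against 62.5%) because its users actually run the fixed version; adding the Flash observations lifts FastBrowser's score to 50.0%, the same kind of jump slide 11 reports for Chrome.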

Slide8

A Comparison of Old & New Metrics

Vulnerability levels of browsers according to old metrics and our proposal. Notice how the Safari, Chrome and Opera scores change.

Slide9

Advantages of Using Risk Score

Takes Account of Patch Deployment: fast-updating browsers will receive better scores

Encourages Disclosure: combining bugs into a single vulnerability doesn't improve the score

Includes Plug-ins: browsers that help their users update their plug-ins will receive better scores

Slide10

Browser Risk Scores With & Without Plug-ins

Average risk score of browsers with and without Adobe Flash Player over a forty day span

Slide11

Browser Risk Scores With & Without Plug-ins

Chrome risk score jumps from 5% to 30%. (30% of Chrome versions on the web are vulnerable)

Slide12

Conclusion

Current browser security metrics are harmful. They discourage disclosure, discourage frequent updating, and ignore plug-ins.

We propose a new metric: Risk Score. It encourages disclosure, frequent updating, and browser & plug-in vendors working together.

Vendors need to choose between the following:

Do not disclose vulnerabilities and hope they are not discovered.

Disclose them, patch them and encourage users to update frequently.

Slide13

Thank you

browserstats.appspot.com