The dirty secret of browser security
By Security, on 2012-01-29 at 07:29:12
Summary:

Here's a curiosity that's developing in modern browser security: the security of a given browser is dominated by how much effort it puts into other people's problems.

This may sound absurd at first, but we're heading towards a world where the main browsers will have (with a few notable exceptions):

- Rapid autoupdate to fix security issues.
- Some form of sandboxing.
- A long history of fuzzing and security research.

These factors, combined with an ever more balanced distribution of browser usage, are making it uneconomical for mass malware to go after the browsers themselves.

Enter plug-ins. Plug-ins are an attractive target because some of them have drastically more market share than even the most popular browser, and a lot of plug-ins haven't received the same security attention that browsers have over the past years.

The traditional view in security is to look after your own house and let others look after theirs. But is this conscionable in a world where, as a browser vendor, you have the power to defend users from other people's bugs?

As a robust illustrative point, a lot of security professionals recently noticed some interesting exploit kit data showing a big difference in exploitation success between Chrome (0%) and IE / Firefox (15%). The particular exploits successfully targeted are largely old, fixed plug-in bugs in Java, Flash and Reader: they only work against plug-in versions whose patch already exists, so a browser that refuses to load stale plug-ins never runs them. So why the big difference between browsers?

The answer is largely the investment Chrome's security team has made in defending against other people's problems, with initiatives such as:

- Blocking out-of-date plug-ins by default and encouraging the user to update.
- Blocking lesser-used plug-ins (such as Java, RealPlayer, Shockwave etc.) by default.
- Having the Flash plug-in bundled such that it is autoupdated using Chrome's fast autoupdate strategy (this is why Chrome probably has the best Flash security story).
- The inclusion of a lightweight and reasonably sandboxed default PDF viewer (not all sandboxes are created equal).
- The OpenType Sanitizer, which defends against a subset of Windows kernel bugs and FreeType bugs. Chrome often autoupdates OTS faster than e.g. Microsoft / Apple / Linux vendors fix the underlying bug.
- Certificate public key pinning. This new technology defends against the generally gnarly SSL Certificate Authority problem, and caught a serious CA compromise being abused in Iran last year.

In conclusion, some of the biggest browser security wins over the past couple of years have come from browser vendors defending against other people's problems. So I repeat the hypothesis: the security of a given browser is dominated by how much effort it puts into other people's problems.

Funny world we live in.
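The last item in the list above, public key pinning, is the one mechanism here that is small enough to show end to end. The following is an added example, not Chrome's code and not from the original post: it builds two throwaway roots that the "browser" trusts, pins a hostname to the key of the root the site actually uses, and then checks what happens when a second, compromised-but-trusted root issues a perfectly valid certificate for the same hostname. The hostname, CA names, and the pin encoding (base64 of SHA-256 over the DER SubjectPublicKeyInfo) are assumptions for illustration; the page says nothing about Chrome's pin format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// pinSet maps a hostname to the SPKI hashes that must appear somewhere in the
// validated chain. Encoding is an assumption: base64(SHA-256(DER SPKI)).
type pinSet map[string]map[string]bool

// spkiHash fingerprints the public key rather than the whole certificate, so a
// re-issued certificate for the same key still matches the pin.
func spkiHash(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verifyWithPins runs ordinary CA-based validation first, then requires that
// at least one certificate in some validated chain carries a pinned key.
// A compromised-but-trusted CA passes the first step and fails the second.
func verifyWithPins(host string, leaf *x509.Certificate, roots *x509.CertPool, pins pinSet) error {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if err != nil {
		return err // classic failures: untrusted issuer, wrong name, expired
	}
	wanted, pinned := pins[host]
	if !pinned {
		return nil // unpinned hosts keep the "any trusted CA will do" behaviour
	}
	for _, chain := range chains {
		for _, c := range chain {
			if wanted[spkiHash(c)] {
				return nil
			}
		}
	}
	return errors.New("pin validation failed: chain is CA-valid but uses no pinned key")
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA mints a self-signed root with a constructed throwaway P-256 key.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// newLeaf mints a server certificate for host, signed by the given root.
func newLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// runScenario models a CA compromise: the browser trusts two roots, the site
// has only ever used "Good", and "Rogue" issues a valid-looking certificate for
// the same hostname. Returns whether the forged cert is accepted without pins,
// whether the legitimate cert is accepted with pins, and whether the forged
// cert is accepted with pins.
func runScenario() (rogueUnpinned, legitPinned, roguePinned bool) {
	const host = "mail.example.com" // constructed hostname
	good, goodKey := newCA("Good Root CA")
	rogue, rogueKey := newCA("Rogue Root CA")
	roots := x509.NewCertPool()
	roots.AddCert(good)
	roots.AddCert(rogue)
	legit := newLeaf(host, good, goodKey)
	forged := newLeaf(host, rogue, rogueKey)

	// Pin the site to the key of the CA it actually uses.
	pins := pinSet{host: {spkiHash(good): true}}

	rogueUnpinned = verifyWithPins(host, forged, roots, nil) == nil
	legitPinned = verifyWithPins(host, legit, roots, pins) == nil
	roguePinned = verifyWithPins(host, forged, roots, pins) == nil
	return
}

func main() {
	a, b, c := runScenario()
	fmt.Printf("forged cert, no pins:   accepted=%v\n", a)
	fmt.Printf("legit cert, with pins:  accepted=%v\n", b)
	fmt.Printf("forged cert, with pins: accepted=%v\n", c)
}
```

The first result is the CA problem in one line: a forged certificate from any one of the trusted roots is indistinguishable from the real thing to standard validation. Pinning is what turns "any trusted CA" into "the CA this site actually uses". Two practical caveats when deploying it: pin to CA or intermediate keys rather than the leaf key so that routine certificate renewal does not break the site, and always ship at least one backup pin, because a pin set with a single key and a lost or rotated key locks every pinned client out.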