60% of breaches in 2019 involved unpatched software vulnerabilities.[i] With the pandemic, the problem of unpatched applications worsened as work from anywhere (WFA) became widespread. Patch management is a tedious security task that gets in the way of securing organizations. Automated patch management products require an agent on the endpoint, making it hard to determine whether the latest patches are applied to every system. Not all patches are free from gaps, either. Worse, even after patching, zero-day vulnerabilities remain.
Among the most perilous applications are unpatched browsers, which threat actors use to enter your system surreptitiously. But regularly patching and updating browsers gets complicated, as users may not comply with corporate security measures when working from anywhere.
Why hackers love unpatched browsers
The increase in cyberattacks on PC networks and routers since COVID-19 can be linked to unpatched browsers.[ii] Vulnerabilities in stale browser versions of Chrome, Edge, Safari, Opera, Firefox, and others remain the most common attack method used by threat actors. It only gets worse when users take it upon themselves to get their work done on an unmanaged machine. All they need is a browser, but it may be IE running on an outdated home machine that can’t be patched and is shared with others in their household. Forrester reports that application vulnerabilities will continue to be the most common external attack approach to carry out breaches and compromise systems.[iii]
Perfect patch management is a distant dream
Rampant shadow IT complicates the process of keeping browsers up-to-date. How do you patch a browser if you don’t know it’s installed or what patches are needed?[iv] With multiple browsers running on one machine, perfect patch management remains wishful thinking. When users have to use IE for legacy web applications but forget to switch to Chrome for other browsing, it increases risk since Microsoft has stopped patching IE. Or what if the user prefers Firefox but IT doesn’t support it?
Older versions of operating systems with built-in browsers (IE on Windows 98, XP, 7), especially in IoT environments, keep doors open for threats. This may be relatively safer within the corporate network but riskier in WFA environments where users may bypass corporate security measures, thus paving the way for attacks on known but unpatched vulnerabilities.
Remote browser isolation to secure unpatched browsers
While unpatched browsers are a security risk, patched ones may still have zero-days. Remote browser isolation (RBI) is effective not only against zero-days but against any web-based threat. Built using the Zero Trust approach, RBI fetches, executes, and renders all elements of a page away from the user’s device and effectively protects against ransomware, phishing, social-engineering attacks, and malvertising. RBI is critical to any organization’s cybersecurity program since almost all work performed today requires using the browser, according to a SANS report.[v] Especially with WFA models and heavy reliance on the cloud, SANS also labels the browser as the new endpoint.
Our intent is not to undermine the importance of patch management. Patch management is and will be a critical part of the vulnerability management lifecycle that organizations can’t afford to neglect. Organizations can, however, reduce the scope of patching from multiple versions of different browsers on multiple operating systems to a single remote browser by adopting RBI. Taking this approach means that routine maintenance and emergency patching are provided by the remote browser isolation vendor, while the attack surface of the local browsers is reduced: they become a low-risk HTML5 canvas for painting a secure pixel stream from the secure remote browser.
Rajiv Raghunarayan is the Senior Vice President of Products and Marketing at Cyberinc and heads the product management, marketing and strategic alliances functions. Rajiv has more than two decades of experience in technology and marketing leadership positions at companies such as SentinelOne, FireEye and Cisco. His past experience includes areas of network security, email security, endpoint security, network management and WAN optimization. He holds a master's degree in software systems from Birla Institute of Technology, Pilani, and an MBA from UC Berkeley's Haas School of Business.
[i] “Costs and Consequences of Gaps in Vulnerability Response” by Ponemon Institute for ServiceNow: https://www.servicenow.com/lpayr/ponemon-vulnerability-survey.html
[iii] Forrester’s recent State of Application Security Report: https://resources.whitesourcesoftware.com/blog-whitesource/forresters-state-of-application-security-2020-key-takeaways
[v] All Roads Lead to the Browser: A SANS Buyer's Guide to Browser Isolation https://marketing.cyberinc.com/rs/407-WDX-307/images/A_SANS_Buyers_Guide_to_Browser_Isolation.pdf