Since a big chunk of the security threats companies face comes from the Internet, IT must make sure users are running secure browsers. And as this recent security study shows, it’s not just the browser that matters, but also the extensions and add-ons users download.
These days, most browsers allow users to add extensions, or additional software that gives the browser more capabilities. And like any piece of software, browser extensions can contain vulnerabilities that open doors for hackers.
To get an idea of how often those add-ons create new vulnerabilities, a group of researchers from the University of California, Berkeley, studied 100 extensions released for Google’s popular open source browser, Chrome. The researchers looked at the 50 most popular extensions, as well as 50 others chosen at random.
What they found: 27% of the extensions contained at least one vulnerability that could leak private information to hackers. The researchers said seven of the vulnerable extensions were in use by 300,000 people or more.
And it isn’t just Chrome that may create security risks through vulnerable extensions. Security researchers regularly discover extensions for Mozilla’s Firefox that are vulnerable, or even outright malicious. And Internet Explorer’s popularity means that cybercriminals focus a lot of energy on finding bugs not just in the browser itself, but also in its extensions.
The study’s findings echo the warnings laid out recently by the Online Trust Alliance (OTA). The OTA has warned businesses and individuals that they must keep their browsers up to date — and that includes keeping any plug-ins and extensions patched.
IT departments may also consider policies and controls that restrict users’ ability to install extensions without approval.