How You Can Be Infected via Your Browser and How to Protect Yourself
In a perfect world, there would be no way for your computer to be infected via your browser. Browsers are supposed to run web pages in an untrusted sandbox, isolating them from the rest of your computer. Unfortunately, this doesn’t always happen.
Websites can use security holes in browsers or browser plugins to escape these sandboxes. Malicious websites will also try using social-engineering tactics to trick you.
Most people that are compromised through browsers are compromised through their browsers’ plugins. Oracle’s Java is the worst, most dangerous culprit. Apple and Facebook recently had internal computers compromised because they accessed websites containing malicious Java applets. Their Java plugins could have been completely up-to-date – it wouldn’t matter, because the latest versions of Java still contain unpatched security vulnerabilities.
To protect yourself, you should uninstall Java entirely. If you can’t because you need Java for a desktop application like Minecraft, you should at least disable the Java browser plugin to protect yourself.
Other browser plugins, particularly Adobe’s Flash player and PDF reader plugins, also regularly have to patch security vulnerabilities. Adobe has become better than Oracle at responding to these issues and patching their plugins, but it’s still common to hear about a new Flash vulnerability being exploited.
To protect yourself from plugin vulnerabilities, follow these steps:
- • Use a website like Firefox’s plugin check to see if you have any out-of-date plugins.
- • Update any out-of-date plugins immediately.
- • Uninstall plugins you don’t use. If you don’t use the Java plugin, you shouldn’t have it installed. This helps reduce your “attack surface
- • Consider using the click-to-play plugins feature in Chrome or Firefox, which prevents plugins from running except when you specifically request them.
- • Ensure you’re using an antivirus on your computer.
Protecting yourself from browser security vulnerabilities is simple:
- • Keep your web browser updated. All major browsers now check for updates automatically. Leave the auto-update feature enabled to stay protected.
- • Ensure you’re running an antivirus on your computer. As with plugins, this is the last line of defense against a zero-day vulnerability in a browser that allows malware to get onto your computer.
Malicious web pages try to trick you into downloading and running malware. They often do this using “social engineering” – in other words, they try to compromise your system by convincing you to let them in under false pretenses, not by compromising your browser or plugins themselves.
This type of compromise isn’t just limited to your web browser – malicious email messages may also try to trick you into opening unsafe attachments or downloading unsafe files.
However, many people are infected with everything from adware and obnoxious browser toolbars to viruses and Trojans via social-engineering tricks that take place in their browsers:
- • ActiveX controls – A malicious website pushing a dangerous ActiveX control may say the control is necessary to access some content, but it may actually exist to infect your computer. When in doubt, don’t agree to run an ActiveX control.
- • Auto-Downloading Files: A malicious website may attempt to automatically download an EXE file or another type of dangerous file onto your computer in the hopes that you will run it. If you didn’t specifically request a download and don’t know what it is, don’t download a file that automatically pops up and asks you where to save it.
- • Fake Download Links: On websites with bad ad networks – or websites where pirated content is found – you’ll often see advertisements imitating download buttons. These advertisements try to trick people into downloading something they’re not looking for by masquerading as a real download link.
- • “You Need a Plugin to Watch This Video”: If you stumble across a website that says you need to install a new browser plug-in or codec to play a video, beware.
- • “Your Computer is Infected”: You may see advertisements saying your computer is infected and insisting you need to download an EXE file to clean things up. If you do download this EXE file and run it, your computer probably will be infected.
This isn’t an exhaustive list. Malicious people are constantly on the look-out for new ways to trick people.