8

When browsing I am occasionally given warnings about pages that host malware "that could damage my computer". I am seriously perplexed as to why, in 2010, browsers still have possible exploits and can be cracked.

My question is "Why?". I'm assuming it's because of the quick development that occurred in the browser wars which was insufficiently tested, but I'm unsure. Surely WebKit would have patched all the issues in KHTML, or Gecko sorted out the flaws in Netscape's engine, and the IE coders sorted through their codebase to eliminate possible flaws?

(Somewhat related: Which browser is the most secure? (research and practically based).)

8 Answers

10

Complexity, complexity, complexity.

A modern browser supports

  • Retrieving data over multiple protocols (http, https, ftp, ...)
  • Rendering multiple different markup languages (plain html (in several versions), xhtml, html with css ...)
  • Storing data and retrieving data at the request of remote users (cookies)
  • Two (or more!) Turing complete programming environments to run code supplied from the outside (javascript, java, maybe flash ...)
  • Some kind of internal options database
  • (stolen from broam's insightful answer, so go vote for it) support a plug-in architecture that allows third party code access to the browser internals

and is expected to be fast, have clever caching to make it faster, and to have an expressive and powerful interface.

There is a heck of a lot going on there, and they are big, complex pieces of software.

8

One vector that people haven't mentioned: plugins. The browser may be secure, but the plugin might have wide holes in it...and with ubiquitous plugins like Flash...exploits ahoy matey.

Broam
  • 4,084
4

Many answers here, all touching on different reasons, but the fundamental answer is "because that's where the money's at."

Lots of other software probably has a similar or greater number of bugs, but they're not usually exploitable since you need to convince a user to expose them to the wild internet.

chris
  • 9,595
3

Partially it is the fact that some updates are rolled out faster than they should be. But one prevailing fact is a blog post Jeff posted a while back here: when run as admin, anything can happen. Also, since each computer is different and running different things, it isn't always the browser itself that has an exploit. Sometimes it is a third party plugin like Flash.

Unfundednut
  • 7,190
3

Part of the problem is that the performance of browsers (like word processors and CAD programs) is highly dependent on the data, and as there can be (pretty much) an infinite variety of data there's no way that the developers can test every single combination to see if it gives undesirable results.

Another aspect is that, to get the interactivity that users and (more importantly) web site owners want, the browsers have to execute code. This is another weak point.

ChrisF
  • 41,540
2

dmckee's answer is right on, but it can all be summed up with one thing: complex interaction with unexpected inputs. Your browser has to run code/markup, plugins, etc., deal with user input, plugins that run code, etc. It's impossible to test for all interactions, because you'd need the entire Internet -- present and future -- in your test suite.

When you test software, you test against a range of normal and abnormal inputs and then you're ... ready for beta. So this is all part of the infinite beta phase :)

Also as chris says, that's where the money's at, meaning that browsers are a very interesting target.
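The "you'd need the entire Internet in your test suite" point above, as an added illustration that is not from any answer in the thread: a toy tag-attribute parser passes every input its author thought to write a test for, while a few thousand random inputs find the case the hand-written suite never covered. The tag grammar, the parser, its latent bug and the test inputs are all constructed for this example.

```python
import random
import string


class ParseError(ValueError):
    """Raised for input the parser deliberately rejects (not a crash)."""


def parse_tag(s):
    """Parse one tag such as '<a href="x" id=y checked>' into a dict.
    Naive on purpose: it trusts that every '=' is followed by a value and
    that every opening quote is eventually closed (the latent bug)."""
    if not (s.startswith("<") and s.endswith(">")):
        raise ParseError("not a tag")
    body = s[1:-1].strip()
    if not body:
        raise ParseError("empty tag")
    name, _, rest = body.partition(" ")
    attrs = {"name": name}
    i = 0
    while i < len(rest):
        if rest[i] == " ":
            i += 1
            continue
        j = i
        while j < len(rest) and rest[j] not in ' =':
            j += 1
        key = rest[i:j]
        if j < len(rest) and rest[j] == "=":
            if rest[j + 1] == '"':             # IndexError when '=' ends the tag
                end = rest.index('"', j + 2)   # ValueError when the quote is never closed
                attrs[key] = rest[j + 2:end]
                i = end + 1
            else:
                k = j + 1
                while k < len(rest) and rest[k] != " ":
                    k += 1
                attrs[key] = rest[j + 1:k]
                i = k
        else:
            attrs[key] = True                  # bare attribute such as 'checked'
            i = j
    return attrs


# Constructed hand-written suite: the inputs a developer would think of.
HANDWRITTEN_SUITE = ['<a href="x">', "<img src=y alt=z>", "<br>",
                     "<input checked>", '<p class="a b" id=c>']


def suite_passes():
    return all(isinstance(parse_tag(t), dict) for t in HANDWRITTEN_SUITE)


def fuzz(iterations=20000, seed=1):
    """Feed random tag-like strings to the parser; return the first input
    that raises anything other than a deliberate ParseError, else None."""
    rng = random.Random(seed)
    alphabet = string.ascii_lowercase + ' ="'
    for _ in range(iterations):
        body = "".join(rng.choice(alphabet) for _ in range(rng.randint(1, 12)))
        tag = "<" + body + ">"
        try:
            parse_tag(tag)
        except ParseError:
            continue
        except Exception:
            return tag
    return None
```

Running `suite_passes()` reports green while `fuzz()` returns a short tag the suite never contained, which is the gap between "tested" and "tested against everything the Internet will send".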

1

Fact is that every piece of software has its weak points. None is bug free. And by fixing bugs, new ones are introduced.

The other point is that the browser is one of the most used applications and you can reach a lot of people easily. That too makes it interesting for attackers to find the weak points.

Felix
  • 4,511
0

You might be right if all the updates to browsers were just bug fixes and tweaks to the original version. However, each new version adds more features which introduce more potential for bugs and security holes.

Also, security and usability are often at opposite ends of a trade-off, and features sell more software than the lack of security issues.

JohnFx
  • 1,457