An Up-to-Date Browser Should Keep Users Safe From Most Exploit Kits

Exploit kits, once a preferred choice of attackers to invade a victim's browser and find way to their computer, are increasingly diminishing in their effectiveness. If you have an updated browser, chances are it packs adequate resources to fight such attacks. Catalin Cimpanu, writing for BleepingComputer: Exploit kits (EK) have been around on the criminal underground for more than a decade and were once pretty advanced, often being a place where researchers found zero-days on a regular basis. But as browsers got more secure in recent years, exploit kits started to die out in 2016-2017. Most operators were arrested, moved to other things, and nobody developed new exploits to add to the arsenal of EK left on the market, which slowly began falling behind when it came to their effectiveness to infect new victims.

A Palo Alto Networks report published yesterday details statistics about the vulnerabilities used by current exploit kits in the first three months of the year (Q1 2018). According to the gathered data, researchers found 1,583 malicious URLs across 496 different domains, leading to landing pages (URLs) where an EK attempted to run exploits only for only a meager eight vulnerabilities. All eight were old and known bugs, with the newest dating back to 2016. Seven of the eight vulnerabilities targeted Internet Explorer, meaning that using a more modern browser like Chrome and Firefox is a simple, yet effective way of avoiding falling victim to exploit kits.

Re: browser is inherently insecure

[Anonymous Coward]

Really? IE only sites today? I haven't seen one in years, with the exception of corporate intranet sites.
Today you're far more likely to see sites that mandate the use of Google Chrome.
Chrome is the new IE.

Re:

[sexconker]

I fucking hate the fact that a lot of sites are only tested in Chrome (if at all). Not only is Chrome not the only browser, it's not a particularly good one.

Re:

[sexconker]

If they tested with ANYTHING other than Chrome they'd see that half the styling and design hacks they slap on don't fucking work anywhere BUT Chrome.

Re:

[bobby]

and even then it's iffy

Re:

[bobby]

And which browesrs are we supposed to test with, apart from Chrome?

https://validator.w3.org/nu/ [w3.org]

http://jigsaw.w3.org/css-validator/ [w3.org]

Re:

[DontBeAMoran]

100% valid answer, I do use those tools but they're not browsers.

Re:

[bobby]

100% valid answer, I do use those tools but they're not browsers.

I think that's obvious. The point is: if everyone would adhere to the actual standards, much less testing, kludging, and wheel-spinning would be needed and we'd all be more productive.

Re:

[Required Snark]

Absolutely. Just like you don't have to treat a disease if less then 50% percent of the population is vulerable. Who cares if they die, if it's statistically insignificant?

As for FireFox/Mozilla, give up on that Pocket crap and whatever the halfassed social network is called and MAKE FIREFOX SECURE. No one who uses FF gives a rat's ass about your dreams of internet glory, just like they didn't care about that other idiot scheme to make a Mozilla version of Linux.

Stop being so dumb.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[drinkypoo]

I am using Brave on Android and it sucks rocks in many ways, I will probably switch back to Firefox. It is very bad at javascript and lots of things don't work correctly on it. I have a lot of problem with "intelligent" text entry fields, for example. They deselect, or text going into them isn't entered correctly.

Re:

[DontBeAMoran]

No shit! In other news, water is wet and Trump is a fucking moron!

Oh shit! Somebody better stop Trump, he's trying to make copies of himself!

Re:

[arglebargle_xiv]

Also, with Chromefox you've got a choice between an up to date browser or a browser where your extensions still work. If you want an up to date browser where your extensions don't work you may as well switch to the real Chrome, not a crappy, buggy clone of it. So your options are an old copy of Chromefox with working extensions or actual Chrome.

Re:

[kurkosdr]

Browser exploit kits are not profitable anymore because browsers auto-update, it's that simple. OSes on the other hand don't always auto-update (or update at all for the case of mobile devices and IoT ) which is where the exploit underground has moved...

Re:

[Zontar The Mindless]

"(remove spaces between characters & download)"

That's just sad.

TFS/TFA Misleading

[ElizabethGreene]

The article and summary implies that a currently patched version of IE would be vulnerable. This is not the case. :/

Microsoft, who in full disclosure is my employer, fails at a lot of things. You don't have to make up new ones on our behalf.

(This is obviously my opinion and not that of the company that buys my groceries. I understand that working for Microsoft means my opinion is invalid.)

Re:

[jon3k]

Don't worry no one uses IE so it doesn't matter.

Re:

[Tukz]

Your "employer" discontinued Internet Explorer, who cares if it's vulnerable? Don't use a discontinued product if you care about security.