Attack profiles: Browsers go head-to-head in common attack scenarios

By Rodney Thayer, Network World
March 21, 2005 12:08 AM ET

. What's this?

Attacks against browsers generally fall into three categories: Round 1: Protocol attacks against content processed directly by the browser. Round 2: Attacks against active scripting language running within the browser environment. Round 3: Attacks against data delivered through the browser but processed by a plug-in or other component such as a Dynamic Link Library that provides image display services.

Round 1: Slight advantage: Internet Explorer.

Internet Explorer and Firefox are both potentially vulnerable to attacks via Web site content they process directly. Internet Explorer is less vulnerable in this area probably because Microsoft has put so much work into securing its browser in response to all of the hacker activity targeting it. But theoretically, because they both process essentially the same HTML datastream format, either browser could be attacked in that manner.

Round 2: Advantage: Firefox.

In the second category, Internet Explorer provides ActiveX, JavaScript and many other mechanisms to execute code delivered through Web pages such as Visual Basic scripts or Active Server Page and .Net content. Because there are more ways to write programs that are delivered through the browser, Explorer is more susceptible to attacks in this manner. This is the downside of all those sophisticated features that work in a pure Microsoft Web environment.

Round 3: No advantage.

Both browsers support plug-ins, which, independently of the browser, can be vulnerable to attack. A recent example is the RealOne plug-in vulnerability . While this vulnerability was specifically found with Explorer, the problem lies in the plug-in and there is no technical reason to assume this sort of problem will not happen someday with Firefox.