
Securing Chrome: How to Protect the Internet’s Most Popular—and Most Targeted—Browser

Image Credit: Beebright/BigStockPhoto.com

With an estimated 2.65 billion global users, Google Chrome is the world’s most widely used web browser by a large margin. Though alternatives like Apple Safari, Microsoft Edge, and Mozilla Firefox are available, their combined market share is just over one third of Chrome’s. Naturally, that large install base is attractive to attackers. Although raw vulnerability counts (and, to a lesser extent, severity scores) tend to be poor proxies for how vulnerable a piece of software actually is, they can provide some indication of just how much effort adversaries might be investing to target it. In 2022, Chrome had more than double the number of vulnerabilities of the next closest browser. In 2023 so far, Chrome has had more than seven times as many vulnerabilities discovered as the next closest browser. Although Google is working diligently to harden Chrome, it nonetheless had to issue nine emergency patches for in-the-wild exploitation of zero-day vulnerabilities in 2022, one about every five and a half weeks.

When it comes to browsers, enterprises are microcosms of the consumer world. Browsers are employees’ number one tool, and the attack surface doesn’t magically shrink or vanish simply because they are being used for work. No business wants to be in the headlines for falling victim to a cyberattack, so protecting browsers should be an important priority for IT and security teams. There are multiple strategies and techniques for protecting browsers, each of which has a varying likelihood of success, but here are some of the most common approaches for protecting users of Chrome (or any browser):

Applying patches

Conventional wisdom holds that installing updates and patches is essential to protecting against cyberthreats. While it’s a prudent habit for individuals and organizations alike, some exploitable vulnerabilities may be unknown to browser vendors, meaning no patch is available. And even if a vulnerability has been disclosed, organizations may still find themselves in the “patch gap.”

Patching is one important part, but not all, of the equation.

Worse still, even if a patch has been issued, it does not necessarily mean that the underlying issue has been resolved. In fact, half of Chrome’s zero-day vulnerabilities discovered in the first six months of 2022 actually targeted variants of previously patched vulnerabilities.

Regular patching is undoubtedly beneficial to an organization and can help to significantly reduce exposure, but properly securing the browser requires more than a regular patching cadence.

Switching browsers

As Chrome exploits and emergency patches grabbed headlines over the course of 2022, the idea that enterprises could (and should) explore other options began to take hold. Enterprise browsers have become a focal point in the enterprise browser security space. Although dedicated, proprietary browsers may initially seem like a practical alternative, the reality is that they are based on the Chromium open source project, meaning that they have all the same vulnerabilities as Chrome. Moreover, because their development pipelines and release cycles are different, patch availability may differ from mainstream Chrome.

Apart from the potential security issues, there is also operational overhead associated with migration to a new browser. IT teams must oversee the installation and ongoing support, while end-users must adjust to a new experience, migrate their preferences and settings, and adjust their workflows. In both cases, there is a risk of increased friction that can create a drag on productivity.

External solutions

Some organizations looking for browser security may turn to a combination of solutions that includes Cloud Access Security Brokers (CASBs), Secure Web Gateways (SWGs), or Endpoint Detection and Response (EDR) tools.

CASB, SWG, and EDR tools all have the potential to be effective countermeasures against browser attacks, but they all function outside of the browser. CASBs are designed to control access to enterprise SaaS resources, while SWGs are intended to prevent access to harmful online content and block web-based attacks. Unfortunately, both rely on traffic steering to ensure that they can process the traffic. This creates complexity because it circumvents normal routing behavior, and it can be a particular challenge for remote workers (who must have client software installed for the traffic steering to take place).

EDR tools can help detect and sometimes remediate attacks, but since they operate at the OS level, rather than being able to directly monitor the execution environment of browsers, they are only capable of detecting attacks that have already escaped the browser sandbox.

Even if browsers appear well-defended by a multi-layered security stack, these indirect solutions can end up leaving the browser exposed, which illustrates the difficulty in achieving comprehensive browser security. Enterprises should seek out protection that is built into the browser in order to effectively secure their users and assets.

Despite the steady progress that has been made in improving the security of browsers such as Chrome, Firefox, and Safari, enterprises must still implement additional security measures to ensure their end users and business assets are protected.

The most effective strategy involves more than patch management, wholesale migrations to new browsers, or adopting a set of piecemeal solutions. The proper enterprise browser security tool should work with the devices and the browsers that an organization is already using to ensure continuity and minimize disruptions to business operations. 

A comprehensive approach to browser security and compliance that operates directly within the browser and eliminates the need for multiple different security tools should be the priority for enterprise IT and security teams, especially as threats targeting Chrome and other browsers continue to emerge.

Author

Avihay Cohen is the co-founder and chief technology officer of Seraphic Security.
