# Browser security

> Mediated Wiki article. Canonical URL: https://mediated.wiki/source/Browser_security
> Markdown URL: https://mediated.wiki/source/Browser_security.md
> Source: https://en.wikipedia.org/wiki/Browser_security
> Source revision: 1326325075
> License: Creative Commons Attribution-ShareAlike 4.0 International (https://creativecommons.org/licenses/by-sa/4.0/)

Application of internet security to web browsers

**Browser security** is the application of [Internet security](/source/Internet_security) to [web browsers](/source/Web_browser) in order to protect [networked](/source/Computer_network) data and [computer systems](/source/Computer_system) from breaches of privacy or [malware](/source/Malware). Security exploits of [browsers](/source/Web_browser) often use [JavaScript](/source/JavaScript), sometimes with [cross-site scripting](/source/Cross-site_scripting) (XSS) with a secondary payload using [Adobe Flash](/source/Adobe_Flash). Security exploits can also take advantage of [vulnerabilities](/source/Vulnerability_(computing)) (security holes) that are commonly exploited in all [browsers](/source/Web_browser).

## History

The first web browser, [WorldWideWeb](/source/WorldWideWeb), created in 1990 by Sir [Tim Berners-Lee](/source/Tim_Berners-Lee), was rudimentary, using the [HTTP protocol](/source/HTTP) to navigate between documents. The [Mosaic web browser](/source/Mosaic_web_browser), released in April 1993, featured a graphical user interface that made the Web more accessible, sparking the Internet boom of the 1990s. This boom led to the browser wars between [Netscape Navigator](/source/Netscape_Navigator), developed by Mosaic's creators, and Microsoft's [Internet Explorer](/source/Internet_Explorer). This fierce competition was characterized by a rapid race to incorporate new features, often at the expense of user [privacy](/source/Privacy) and [security](/source/Computer_security).[1][2] Features were added to HTML to support interoperability with proprietary systems like [VBScript](/source/VBScript) and [Java applets](/source/Java_applet), and vendors aimed to ensure their browsers could handle websites optimized for competitors. This led to an increasingly convoluted set of undocumented hacks and fault-tolerant architectures that were often hard to standardize due to competing interests.[3] After the end of this period, colloquially known as the [first browser war](/source/First_browser_war), Internet Explorer captured over 80% of the market. However, despite this dominant position, Microsoft, the creator of Internet Explorer, did not invest significantly in the browser after this period.[4] This led to the proliferation of security issues, browser [vulnerabilities](/source/Vulnerability) and web [worms](/source/Computer_worm), leading eventually to the creation of modern browsers like [Mozilla Firefox](/source/Firefox), [Safari](/source/Safari_(web_browser)) and eventually [Google Chrome](/source/Google_Chrome).[3]

## Security

Web browsers can be breached in one or more of the following ways:

- The [operating system](/source/Operating_system) is breached and malware is reading/modifying the browser's memory space in privileged mode[5]

- The operating system has malware running as a background process, which is reading/modifying the browser's memory space in privileged mode

- The main browser executable can be hacked

- Browser components may be hacked

- Browser plugins can be hacked

- Browser network communications could be intercepted outside the machine[6]

The browser may not be aware of any of the breaches above and may still show the user that a safe connection has been made.

Whenever a browser communicates with a website, the website, as part of that communication, collects some information about the browser (in order to process the formatting of the page to be delivered, if nothing else).[7] If malicious code has been inserted into the website's content, or, in a worst-case scenario, if that website has been specifically designed to host malicious code, then vulnerabilities specific to a particular browser can allow this malicious code to run processes within the browser application in unintended ways (and remember, one of the bits of information that a website collects from a browser communication is the browser's identity, allowing vulnerabilities specific to that browser to be exploited).[8] Once an attacker is able to run processes on the visitor's machine, exploiting known security vulnerabilities can allow the attacker to gain privileged access (if the browser isn't already running with privileged access) to the "infected" system in order to perform an even greater variety of malicious processes and activities on the machine or even the victim's whole network.[9]

Breaches of web browser security are usually for the purpose of bypassing protections to display [pop-up advertising](/source/Pop-up_advertising);[10] collecting [personally identifiable information](/source/Personally_identifiable_information) (PII) for either [Internet marketing](/source/Internet_marketing) or [identity theft](/source/Identity_theft); [website tracking](/source/Website_tracking) or [web analytics](/source/Web_analytics) about a user against their will using tools such as [web bugs](/source/Web_bug), [Clickjacking](/source/Clickjacking), [Likejacking](/source/Likejacking) (where [Facebook](/source/Facebook)'s [like button](/source/Like_button) is targeted),[11][12][13][14] [HTTP cookies](/source/HTTP_cookie), [zombie cookies](/source/Zombie_cookie) or [Flash cookies](/source/Local_shared_object) (Local Shared Objects or LSOs);[15] or installing [adware](/source/Adware), [viruses](/source/Computer_virus), [spyware](/source/Spyware) such as [Trojan horses](/source/Trojan_horse_(computing)) (to gain access to users' [personal computers](/source/Personal_computer) via [cracking](/source/Cracker_(computer_security))) or other [malware](/source/Malware), including [online banking](/source/Online_banking) theft using [man-in-the-browser](/source/Man-in-the-browser) attacks.

An in-depth study of vulnerabilities in the Chromium web browser indicates that Improper Input Validation (CWE-20) and Improper Access Control (CWE-284) are the most frequent root causes of security vulnerabilities.[16] Furthermore, among the vulnerabilities examined at the time of this study, 106 vulnerabilities occurred in Chromium because of reusing or importing vulnerable versions of third-party libraries.

Vulnerabilities in the web browser software itself can be minimized by keeping the browser software updated,[17] but this will not be sufficient if the underlying operating system is compromised, for example by a rootkit.[18] Some subcomponents of browsers such as scripting, add-ons, and cookies[19][20][21] are particularly vulnerable ("the [confused deputy problem](/source/Confused_deputy_problem)") and also need to be addressed.

Following the principle of [defence in depth](/source/Defence_in_depth), a fully patched and correctly configured browser may not be sufficient to ensure that browser-related security issues cannot occur. For example, a [rootkit](/source/Rootkit) can [capture keystrokes](/source/Keystroke_logger) while someone logs into a banking website, or carry out a [man-in-the-middle](/source/Man-in-the-middle) attack by modifying network traffic to and from a web browser. [DNS hijacking](/source/DNS_hijacking) or [DNS spoofing](/source/DNS_spoofing) may be used to return false positives for mistyped website names, or to subvert search results for popular search engines. Malware such as [RSPlug](/source/RSPlug) simply modifies a system's configuration to point at rogue DNS servers.

Browsers can use more secure methods of [network communication](/source/Network_protocols) to help prevent some of these attacks:

- [DNS](/source/Domain_Name_System): [DNSSec](/source/DNSSec) and [DNSCrypt](/source/DNSCrypt), for example with non-default [DNS servers](/source/DNS_server) such as [Google Public DNS](/source/Google_Public_DNS) or [OpenDNS](/source/OpenDNS).

- [HTTP](/source/HTTP): [HTTP Secure](/source/HTTP_Secure) and [SPDY](/source/SPDY) with digitally signed [public key certificates](/source/Public_key_certificate) or [Extended Validation Certificates](/source/Extended_Validation_Certificate).

Perimeter defenses, typically through firewalls and the use of [filtering](/source/Content-control_software) [proxy servers](/source/Proxy_server) that block malicious websites and perform antivirus scans of any file downloads, are commonly implemented as a best practice in large organizations to block malicious network traffic before it reaches a browser.

The topic of browser security has grown to the point of spawning entire organizations, such as The Browser Exploitation Framework Project,[22] which create platforms to collect tools to breach browser security, ostensibly in order to test browsers and network systems for vulnerabilities.

### Plugins and extensions

Although not part of the browser per se, browser [plugins](/source/Plug-in_(computing)) and [extensions](/source/Browser_extension) extend the [attack surface](/source/Attack_surface), exposing vulnerabilities in [Adobe Flash Player](/source/Adobe_Flash_Player#Security), [Adobe (Acrobat) Reader](/source/Adobe_Acrobat#Security), the [Java plugin](/source/Java_plugin), and [ActiveX](/source/ActiveX) that are commonly exploited. Researchers[23] have extensively studied the security architecture of various web browsers, in particular those relying on plug-and-play designs. This study identified 16 common vulnerability types and 19 potential mitigations. Malware may also be implemented as a browser extension, such as a [browser helper object](/source/Browser_helper_object) in the case of Internet Explorer.[24] In various other exploits, websites designed to look authentic included rogue 'update Adobe Flash' popups, designed as visual cues that led users to download malware payloads in place of the promised update.[25] Some browsers like [Google Chrome](/source/Google_Chrome#Security) and Mozilla [Firefox](/source/Firefox#Security) can block—or warn users of—insecure plugins.

### Adobe Flash

Main article: [Local shared object § Privacy concerns](/source/Local_shared_object#Privacy_concerns)

An August 2009 study by the [Social Science Research Network](/source/Social_Science_Research_Network) found that 50% of websites using Flash were also employing Flash cookies, yet privacy policies rarely disclosed them, and user controls for privacy preferences were lacking.[26] Most browsers' [cache](/source/Web_cache) and history delete functions do not affect Flash Player's writing Local Shared Objects to its own cache, and the user community is much less aware of the existence and function of Flash cookies than HTTP cookies.[27] Thus, users having deleted HTTP cookies and purged browser history files and caches may believe that they have purged all tracking data from their computers while in fact Flash browsing history remains. As well as manual removal, the BetterPrivacy add-on for Firefox can remove Flash cookies.[15] [Adblock Plus](/source/Adblock_Plus) can be used to filter out specific threats[10] and [Flashblock](/source/Flashblock) can be used to give an option before allowing content on otherwise trusted sites.[28]

[Charlie Miller](/source/Charlie_Miller_(security_researcher)) recommended "not to install Flash"[29] at the [computer security conference](/source/Computer_security_conference) CanSecWest. Several other security experts also recommend either not installing Adobe Flash Player or blocking it.[30]

## Password security model

The contents of a web page are arbitrary and controlled by the entity owning the domain name displayed in the address bar. If [HTTPS](/source/HTTPS) is used, then encryption prevents attackers with access to the network from changing the page contents en route. When presented with a password field on a web page, a user is supposed to look at the address bar to determine whether the domain name in the address bar is the correct place to send the password.[31] For example, for Google's single sign-on system (used on e.g. YouTube.com), the user should always check that the address bar says "https://accounts.google.com" before inputting their password.

An un-compromised browser guarantees that the address bar is correct. This guarantee is one reason why browsers will generally display a warning when entering fullscreen mode, on top of where the address bar would normally be, so that a fullscreen website cannot make a fake browser user interface with a fake address bar.[32]
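The address-bar check described above, written out as an added example that is not part of the original article: a function applying the rule from the Google example (only `https://accounts.google.com` may receive that password) and rejecting the lookalike URLs a user is most likely to misread. The `CREDENTIAL_ORIGINS` table and the function name are assumptions made for this example.

```python
"""Address-bar origin check for a password field.

Added illustration of the rule in the article: before typing a password,
confirm that the scheme and host in the address bar are exactly the ones
the credential belongs to. Not taken from any browser's source code.
"""
from urllib.parse import urlsplit

# Constructed policy table (an assumption for this example): credential label
# -> (scheme, host) of the only place allowed to receive it. The Google entry
# is the article's own example.
CREDENTIAL_ORIGINS = {
    "google": ("https", "accounts.google.com"),
}


def safe_to_enter_password(address_bar_url, credential):
    """Return (ok, reason); ok is True only for an exact scheme and host match."""
    want_scheme, want_host = CREDENTIAL_ORIGINS[credential]
    parts = urlsplit(address_bar_url)  # urlsplit lowercases scheme and hostname

    # Without HTTPS an on-path attacker can rewrite the page, form target included.
    if parts.scheme != want_scheme:
        return False, "not served over %s" % want_scheme
    # "https://accounts.google.com@evil.example/" parses the trusted name as
    # userinfo; the real host is whatever follows the '@'.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before '@' hides the real host"
    if parts.hostname is None:
        return False, "no host in URL"
    # Exact match only: "accounts.google.com.evil.example" is a different
    # registrable domain, and a homoglyph host (Greek omicron for 'o') never
    # compares equal to the ASCII name.
    if parts.hostname != want_host:
        return False, "host %r is not %r" % (parts.hostname, want_host)
    # The origin includes the port; a non-default port is a different origin.
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    if port not in (None, 443):
        return False, "unexpected port %d" % port
    return True, "ok"
```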

## Browser hardening

Browsing the Internet as a [least-privilege](/source/Principle_of_least_privilege) user account (i.e. without administrator privileges) limits the ability of a security exploit in a web browser to compromise the whole operating system.[33]

[Internet Explorer 4](/source/Internet_Explorer_4) and later allow the blocklisting[34][35][36] and allowlisting[37][38] of [ActiveX](/source/ActiveX) controls, add-ons and browser extensions in various ways.

[Internet Explorer 7](/source/Internet_Explorer_7) added "protected mode", a technology that hardens the browser through the application of a security sandboxing feature of [Windows Vista](/source/Windows_Vista) called [Mandatory Integrity Control](/source/Mandatory_Integrity_Control).[39] [Google Chrome](/source/Google_Chrome) provides a [sandbox](/source/Sandbox_(computer_security)) to limit web page access to the operating system.[40]

Suspected malware sites reported to Google,[41] and confirmed by Google, are flagged as hosting malware in certain browsers.[42]

There are third-party extensions and plugins available to [harden](/source/Hardening_(computing)) even the latest browsers,[43] and some for older browsers and operating systems. [Whitelist](/source/Whitelist)-based software such as [NoScript](/source/NoScript) can block [JavaScript](/source/JavaScript) and Adobe Flash, which are used for most attacks on privacy, allowing users to enable them only for sites they know are safe. [AdBlock Plus](/source/AdBlock_Plus) also uses whitelist [ad filtering](/source/Ad_filtering) rule subscriptions, though both the software itself and the filtering list maintainers have come under controversy for allowing some sites to pass the pre-set filters by default.[44] [US-CERT](/source/United_States_Computer_Emergency_Readiness_Team) recommends blocking [Flash](/source/Adobe_Flash) using [NoScript](/source/NoScript).[45]

## Fuzzing

Modern web browsers undergo extensive [fuzzing](/source/Fuzzing) to uncover vulnerabilities. The [Chromium](/source/Chromium_(web_browser)) code of [Google Chrome](/source/Google_Chrome) is continuously fuzzed by the Chrome Security Team with 15,000 cores.[46] For [Microsoft Edge](/source/Microsoft_Edge) and [Internet Explorer](/source/Internet_Explorer), [Microsoft](/source/Microsoft) performed fuzz testing with 670 machine-years during product development, generating more than 400 billion DOM manipulations from 1 billion HTML files.[47][46]
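The DOM-manipulation fuzzing described above, as an added illustration in Python that is not the Chrome Security Team's or Microsoft's tooling: a seeded generator turns one seed HTML file into a self-contained test case whose script performs a random sequence of DOM operations, which a browser harness would then load under a crash monitor. The seed document, the operation templates and the element ids are constructed for this example.

```python
"""Minimal DOM-manipulation fuzz-case generator.

Added illustration of how browser fuzzers derive test cases from HTML seeds;
it is not taken from any vendor's fuzzing infrastructure.
"""
import random
from html.parser import HTMLParser

# Constructed seed document; a real corpus holds many such files.
SEED_HTML = """<html><body>
<div id="a"><p id="b">text <b id="c">bold</b></p></div>
<table id="t"><tr><td id="d">cell</td></tr></table>
<input id="i" type="text">
</body></html>"""


class IdCollector(HTMLParser):
    """Collect element ids so generated operations target nodes that exist."""

    def __init__(self):
        super().__init__()
        self.ids = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "id" and value:
                self.ids.append(value)


def element_ids(html):
    parser = IdCollector()
    parser.feed(html)
    return parser.ids


# Each template is one DOM mutation; {a}/{b} are element ids, {tag} a tag name.
# Moves, removals and re-parsing of markup exercise the tree and layout code
# paths where use-after-free and type-confusion bugs have historically lived.
OPS = [
    "document.getElementById('{a}').appendChild(document.getElementById('{b}'));",
    "document.getElementById('{a}').innerHTML = '<{tag}>' + Math.random() + '</{tag}>';",
    "document.getElementById('{a}').remove();",
    "document.getElementById('{a}').insertAdjacentHTML('beforebegin', '<{tag} id=\"n{n}\"></{tag}>');",
    "document.getElementById('{a}').setAttribute('style', 'display:{disp}');",
    "document.getElementById('{a}').outerHTML = document.getElementById('{b}').outerHTML;",
]
TAGS = ["div", "span", "table", "tr", "td", "svg", "iframe", "select", "option"]
DISPLAYS = ["none", "table-cell", "flex", "contents"]


def generate_ops(html, n_ops, seed):
    """Produce a reproducible list of DOM operations for the given seed."""
    rng = random.Random(seed)  # same seed -> same case, so crashes can be replayed
    ids = element_ids(html)
    ops = []
    for n in range(n_ops):
        a, b = rng.choice(ids), rng.choice(ids)
        template = rng.choice(OPS)
        ops.append(template.format(a=a, b=b, n=n, tag=rng.choice(TAGS),
                                   disp=rng.choice(DISPLAYS)))
    return ops


def make_case(html, n_ops, seed):
    """Embed the operations in the seed document as one loadable test case.

    Each operation is wrapped in try/catch: once a node has been removed,
    getElementById returns null and later operations on it would throw,
    which would stop the script before the remaining operations run.
    """
    body = "\n".join("try { %s } catch (e) {}" % op
                     for op in generate_ops(html, n_ops, seed))
    script = "<script>\n%s\n</script>" % body
    return html.replace("</body>", script + "\n</body>")


if __name__ == "__main__":
    print(make_case(SEED_HTML, n_ops=25, seed=7))
```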

## See also

- [Man-in-the-browser](/source/Man-in-the-browser)

- [Session hijacking](/source/Session_hijacking)

- [Internet safety](/source/Internet_safety)

- [Application security](/source/Application_security)

## References

1. **[^](#cite_ref-1)** Franken, Gertjan (13 February 2024). [*Security and Privacy Policy Bugs in Browser Engines*](https://lirias.kuleuven.be/4131122&lang=en) (Thesis). pp. 3, 4.

1. **[^](#cite_ref-2)** Heiderich, Mario; Inführ, Alex; Fäßler, Fabian; Krein, Nikolai; Kinugawa, Masato (29 November 2017). ["Cure53 Browser Security White Paper"](https://cure53.de/browser-security-whitepaper.pdf) (PDF). [Cure53](/source/Cure53). p. 9.

1. ^ [***a***](#cite_ref-:0_3-0) [***b***](#cite_ref-:0_3-1) Zalewski, Michal (15 November 2011). [*The Tangled Web: A Guide to Securing Modern Web Applications*](https://books.google.com/books?id=6sxNzyRmxE4C). No Starch Press. pp. 10–12. [ISBN](/source/ISBN_(identifier)) [978-1-59327-417-7](https://en.wikipedia.org/wiki/Special:BookSources/978-1-59327-417-7).

1. **[^](#cite_ref-4)** Cunningham, Andrew (15 June 2022). ["Internet Explorer was once synonymous with the Internet, but today it's gone for good"](https://arstechnica.com/gadgets/2022/06/remembering-internet-explorer-the-now-dead-browser-that-once-powered-the-internet/). *Ars Technica*. Retrieved 13 January 2025.

1. **[^](#cite_ref-5)** Smith, Dave (21 March 2013). ["The Yontoo Trojan: New Mac OS X Malware Infects Google Chrome, Firefox And Safari Browsers Via Adware"](http://www.ibtimes.com/yontoo-trojan-new-mac-os-x-malware-infects-google-chrome-firefox-safari-browsers-adware-1142969). IBT Media Inc. [Archived](https://web.archive.org/web/20130324025727/http://www.ibtimes.com/yontoo-trojan-new-mac-os-x-malware-infects-google-chrome-firefox-safari-browsers-adware-1142969) from the original on 24 March 2013. Retrieved 21 March 2013.

1. **[^](#cite_ref-6)** Goodin, Dan. ["MySQL.com breach leaves visitors exposed to malware"](https://www.theregister.co.uk/2011/09/26/mysql_hacked/). *[The Register](/source/The_Register)*. [Archived](https://web.archive.org/web/20110928045543/http://www.theregister.co.uk/2011/09/26/mysql_hacked/) from the original on 28 September 2011. Retrieved 26 September 2011.

1. **[^](#cite_ref-7)** Clinton Wong. ["HTTP Transactions"](https://web.archive.org/web/20130613235658/http://oreilly.com/catalog/httppr/chapter/http_pkt.html). O'Reilly. Archived from [the original](http://oreilly.com/catalog/httppr/chapter/http_pkt.html) on 13 June 2013.

1. **[^](#cite_ref-8)** ["9 Ways to Know Your PC is Infected with Malware"](https://web.archive.org/web/20131111192509/http://www.ebernieinc.com/9-ways-to-know-your-pc-is-infected-with-malware/). Archived from [the original](http://www.ebernieinc.com/9-ways-to-know-your-pc-is-infected-with-malware/) on 11 November 2013.

1. **[^](#cite_ref-9)** ["Symantec Security Response Whitepapers"](https://web.archive.org/web/20130609070315/http://www.symantec.com/security_response/whitepapers.jsp?inid=us_sr_flyout_publications_security). Archived from [the original](http://www.symantec.com/security_response/whitepapers.jsp?inid=us_sr_flyout_publications_security) on 9 June 2013.

1. ^ [***a***](#cite_ref-mozilla-adblock-plus_10-0) [***b***](#cite_ref-mozilla-adblock-plus_10-1) [Palant, Wladimir](/source/Wladimir_Palant). ["Adblock Plus :: Add-ons for Firefox"](https://addons.mozilla.org/firefox/addon/adblock-plus). *[Mozilla Add-ons](/source/Mozilla_Add-ons)*. [Mozilla Foundation](/source/Mozilla_Foundation).

1. **[^](#cite_ref-11)** ["Facebook privacy probed over 'like,' invitations"](https://www.cbc.ca/news/science/facebook-privacy-probed-over-like-invitations-1.968585). CBC News. 23 September 2010. [Archived](https://web.archive.org/web/20120626205135/http://www.cbc.ca/news/technology/story/2010/09/23/facebook-like-invitations.html) from the original on 26 June 2012. Retrieved 24 August 2011.

1. **[^](#cite_ref-12)** Albanesius, Chloe (19 August 2011). ["German Agencies Banned From Using Facebook, 'Like' Button"](https://www.pcmag.com/article2/0,2817,2391440,00.asp). *[PC Magazine](/source/PC_Magazine)*. [Archived](https://web.archive.org/web/20120329043111/http://www.pcmag.com/article2/0,2817,2391440,00.asp) from the original on 29 March 2012. Retrieved 24 August 2011.

1. **[^](#cite_ref-cnet-privacy-scrutiny_13-0)** [McCullagh, Declan](/source/Declan_McCullagh) (2 June 2010). ["Facebook 'Like' button draws privacy scrutiny"](https://news.cnet.com/8301-13578_3-20006532-38.html). [CNET News](/source/CNET_News). [Archived](https://web.archive.org/web/20111205014333/http://news.cnet.com/8301-13578_3-20006532-38.html) from the original on 5 December 2011. Retrieved 19 December 2011.

1. **[^](#cite_ref-14)** Roosendaal, Arnold (30 November 2010). "Facebook Tracks and Traces Everyone: Like This!". [SSRN](/source/SSRN_(identifier)) [1717563](https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1717563).

1. ^ [***a***](#cite_ref-mozilla-betterprivacy_15-0) [***b***](#cite_ref-mozilla-betterprivacy_15-1) ["BetterPrivacy :: Add-ons for Firefox"](https://addons.mozilla.org/firefox/addon/betterprivacy). *[Mozilla Foundation](/source/Mozilla_Foundation)*.

1. **[^](#cite_ref-16)** Santos, J. C. S.; Peruma, A.; Mirakhorli, M.; Galstery, M.; Vidal, J. V.; Sejfia, A. (April 2017). ["Understanding Software Vulnerabilities Related to Architectural Security Tactics: An Empirical Investigation of Chromium, PHP and Thunderbird"](https://www.researchgate.net/publication/317072830). *2017 IEEE International Conference on Software Architecture (ICSA)*. pp. 69–78. [doi](/source/Doi_(identifier)):[10.1109/ICSA.2017.39](https://doi.org/10.1109%2FICSA.2017.39). [ISBN](/source/ISBN_(identifier)) [978-1-5090-5729-0](https://en.wikipedia.org/wiki/Special:BookSources/978-1-5090-5729-0). [S2CID](/source/S2CID_(identifier)) [29186731](https://api.semanticscholar.org/CorpusID:29186731).

1. **[^](#cite_ref-17)** State of Vermont. ["Web Browser Attacks"](https://web.archive.org/web/20120213180056/http://itsecurity.vermont.gov/threats/web_attacks). Archived from [the original](http://itsecurity.vermont.gov/threats/web_attacks) on 13 February 2012. Retrieved 11 April 2012.

1. **[^](#cite_ref-18)** ["Windows Rootkit Overview"](https://web.archive.org/web/20130516120234/https://www.symantec.com/avcenter/reference/windows.rootkit.overview.pdf) (PDF). Symantec. Archived from [the original](https://www.symantec.com/avcenter/reference/windows.rootkit.overview.pdf) (PDF) on 16 May 2013. Retrieved 20 April 2013.

1. **[^](#cite_ref-19)** ["Cross Site Scripting Attack"](http://www.acunetix.com/websitesecurity/cross-site-scripting/). [Archived](https://web.archive.org/web/20130515154916/http://www.acunetix.com/websitesecurity/cross-site-scripting/) from the original on 15 May 2013. Retrieved 20 May 2013.

1. **[^](#cite_ref-20)** Lenny Zeltser. ["Mitigating Attacks on the Web Browser and Add-Ons"](http://blog.zeltser.com/post/2527547617/targeting-web-browser). [Archived](https://web.archive.org/web/20130507092833/http://blog.zeltser.com/post/2527547617/targeting-web-browser) from the original on 7 May 2013. Retrieved 20 May 2013.

1. **[^](#cite_ref-21)** Dan Goodin (14 March 2013). ["Two new attacks on SSL decrypt authentication cookies"](https://arstechnica.com/security/2013/03/new-attacks-on-ssl-decrypt-authentication-cookies/). [Archived](https://web.archive.org/web/20130515021000/http://arstechnica.com/security/2013/03/new-attacks-on-ssl-decrypt-authentication-cookies/) from the original on 15 May 2013. Retrieved 20 May 2013.

1. **[^](#cite_ref-22)** ["beefproject.com"](http://beefproject.com/). [Archived](https://web.archive.org/web/20110811035950/http://beefproject.com/) from the original on 11 August 2011.

1. **[^](#cite_ref-23)** Santos, Joanna C. S.; Sejfia, Adriana; Corrello, Taylor; Gadenkanahalli, Smruthi; Mirakhorli, Mehdi (2019). ["Achilles' heel of plug-and-Play software architectures: A grounded theory based approach"](https://www.researchgate.net/publication/334130422). *Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering*. ESEC/FSE 2019. New York, NY, US: ACM. pp. 671–682. [doi](/source/Doi_(identifier)):[10.1145/3338906.3338969](https://doi.org/10.1145%2F3338906.3338969). [ISBN](/source/ISBN_(identifier)) [978-1-4503-5572-8](https://en.wikipedia.org/wiki/Special:BookSources/978-1-4503-5572-8). [S2CID](/source/S2CID_(identifier)) [199501995](https://api.semanticscholar.org/CorpusID:199501995).

1. **[^](#cite_ref-24)** ["How to Create a Rule That Will Block or Log Browser Helper Objects in Symantec Endpoint Protection"](https://web.archive.org/web/20130514095634/http://www.symantec.com/business/support/index?page=content&id=TECH94965). Symantec.com. Archived from [the original](http://www.symantec.com/business/support/index?page=content&id=TECH94965) on 14 May 2013. Retrieved 12 April 2012.

1. **[^](#cite_ref-25)** Aggarwal, Varun (30 April 2021). ["Breaking: Fake sites of 50 Indian News portals luring gullible readers"](https://cio.economictimes.indiatimes.com/news/digital-security/breaking-fake-sites-of-50-indian-news-portals-luring-gullible-readers/82321192). *The Economic Times CIO*. [Archived](https://web.archive.org/web/20230226142811/https://cio.economictimes.indiatimes.com/news/digital-security/breaking-fake-sites-of-50-indian-news-portals-luring-gullible-readers/82321192) from the original on 26 February 2023. Retrieved 26 February 2023.

1. **[^](#cite_ref-26)** Soltani, Ashkan; Canty, Shannon; Mayo, Quentin; Thomas, Lauren; Hoofnagle, Chris Jay (10 August 2009). "Flash Cookies and Privacy". [SSRN](/source/SSRN_(identifier)) [1446862](https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1446862).

1. **[^](#cite_ref-27)** ["Local Shared Objects -- "Flash Cookies""](https://epic.org/privacy/cookies/flash.html). Electronic Privacy Information Center. 21 July 2005. [Archived](https://web.archive.org/web/20100416041024/http://epic.org/privacy/cookies/flash.html) from the original on 16 April 2010. Retrieved 8 March 2010.

1. **[^](#cite_ref-mozilla-flashblock_28-0)** [Chee, Philip](/source/Philip_Chee). ["Flashblock :: Add-ons for Firefox"](https://addons.mozilla.org/firefox/addon/flashblock). *[Mozilla Add-ons](/source/Mozilla_Add-ons)*. [Mozilla Foundation](/source/Mozilla_Foundation).

1. **[^](#cite_ref-29)** ["Pwn2Own 2010: interview with Charlie Miller"](https://web.archive.org/web/20110424022058/http://www.oneitsecurity.it/01/03/2010/interview-with-charlie-miller-pwn2own/). 1 March 2010. Archived from [the original](http://www.oneitsecurity.it/01/03/2010/interview-with-charlie-miller-pwn2own/) on 24 April 2011. Retrieved 27 March 2010.

1. **[^](#cite_ref-30)** ["Expert says Adobe Flash policy is risky"](https://news.cnet.com/8301-27080_3-10396326-245.html). 12 November 2009. [Archived](https://web.archive.org/web/20110426041823/http://news.cnet.com/8301-27080_3-10396326-245.html) from the original on 26 April 2011. Retrieved 27 March 2010.

1. **[^](#cite_ref-31)** [John C. Mitchell](/source/John_C._Mitchell). ["Browser Security Model"](https://crypto.stanford.edu/cs155old/cs155-spring11/lectures/08-browser-sec-model.pdf) (PDF). [Archived](https://web.archive.org/web/20150620051731/http://crypto.stanford.edu/cs155old/cs155-spring11/lectures/08-browser-sec-model.pdf) (PDF) from the original on 20 June 2015.

1. **[^](#cite_ref-32)** ["Using the HTML5 Fullscreen API for Phishing Attacks"](https://feross.org/html5-fullscreen-api-attack/). *feross.org*. [Archived](https://web.archive.org/web/20171225134343/https://feross.org/html5-fullscreen-api-attack/) from the original on 25 December 2017. Retrieved 7 May 2018.

1. **[^](#cite_ref-33)** ["Using a Least-Privileged User Account"](https://technet.microsoft.com/en-us/library/cc700846.aspx). [Microsoft](/source/Microsoft). 29 June 2009. [Archived](https://web.archive.org/web/20130306091913/http://technet.microsoft.com/en-us/library/cc700846.aspx) from the original on 6 March 2013. Retrieved 20 April 2013.

1. **[^](#cite_ref-34)** ["How to Stop an ActiveX control from running in Internet Explorer"](http://support.microsoft.com/kb/240797/en-us). [Microsoft](/source/Microsoft). [Archived](https://web.archive.org/web/20141202224151/http://support.microsoft.com/kb/240797/en-us) from the original on 2 December 2014. Retrieved 22 November 2014.

1. **[^](#cite_ref-35)** ["Internet Explorer security zones registry entries for advanced users"](https://support.microsoft.com/kb/182569/en-us). [Microsoft](/source/Microsoft). [Archived](https://web.archive.org/web/20141202224143/https://support.microsoft.com/kb/182569/en-us) from the original on 2 December 2014. Retrieved 22 November 2014.

1. **[^](#cite_ref-36)** ["Out-of-date ActiveX control blocking"](https://technet.microsoft.com/en-us/library/dn761713.aspx). [Microsoft](/source/Microsoft). [Archived](https://web.archive.org/web/20141129121819/http://technet.microsoft.com/en-us/library/dn761713.aspx) from the original on 29 November 2014. Retrieved 22 November 2014.

1. **[^](#cite_ref-37)** ["Internet Explorer Add-on Management and Crash Detection"](https://technet.microsoft.com/en-us/library/cc737458.aspx). [Microsoft](/source/Microsoft). 8 October 2009. [Archived](https://web.archive.org/web/20141129121822/http://technet.microsoft.com/en-us/library/cc737458.aspx) from the original on 29 November 2014. Retrieved 22 November 2014.

1. **[^](#cite_ref-38)** ["How to Manage Internet Explorer Add-ons in Windows XP Service Pack 2"](http://support.microsoft.com/kb/883256/en-us). [Microsoft](/source/Microsoft). [Archived](https://web.archive.org/web/20141202192535/http://support.microsoft.com/kb/883256/en-us) from the original on 2 December 2014. Retrieved 22 November 2014.

1. **[^](#cite_ref-symantec_39-0)** Matthew Conover. ["Analysis of the Windows Vista Security Model"](https://web.archive.org/web/20080516053130/http://www.symantec.com/avcenter/reference/Windows_Vista_Security_Model_Analysis.pdf) (PDF). [Symantec Corporation](/source/Symantec_Corporation). Archived from [the original](http://www.symantec.com/avcenter/reference/Windows_Vista_Security_Model_Analysis.pdf) (PDF) on 16 May 2008. Retrieved 8 October 2007.

1. **[^](#cite_ref-40)** ["Browser Security: Lessons from Google Chrome"](http://cacm.acm.org/magazines/2009/8/34494-browser-security/fulltext). August 2009. [Archived](https://web.archive.org/web/20131111194250/http://cacm.acm.org/magazines/2009/8/34494-browser-security/fulltext) from the original on 11 November 2013.


## Further reading

- Sesterhenn, Eric; Wever, Berend-Jan; Orrù, Michele; Vervier, Markus (19 September 2017). ["Browser Security White Paper"](https://browser-security.x41-dsec.de/X41-Browser-Security-White-Paper.pdf) (PDF). X41D SEC GmbH.

- Heiderich, Mario; Inführ, Alex; Fäßler, Fabian; Krein, Nikolai; Kinugawa, Masato (29 November 2017). ["Cure53 Browser Security White Paper"](https://cure53.de/browser-security-whitepaper.pdf) (PDF). Cure53.


---
Adapted from the Wikipedia article [Browser security](https://en.wikipedia.org/wiki/Browser_security) by Wikipedia contributors ([contributor history](https://en.wikipedia.org/wiki/Browser_security?action=history)). Available under [Creative Commons Attribution-ShareAlike 4.0 International](https://creativecommons.org/licenses/by-sa/4.0/). Changes may have been made.
