Factor: Endpoint security
Factor weight: High
Why this matters
At least one endpoint was found to be using an outdated and potentially vulnerable web browser. Outdated browsers may be vulnerable to several types of client-side attack, such as cross-site scripting (XSS), which can lead to compromise of the user's browser and of the entire endpoint through unauthorized remote code execution.
We consider a browser out of date if it has not been updated to the latest version and that latest version has been available for 90 to 120 days.
How we discovered it
We capture user agent strings from commercially available advertising technology data and correlate them with IP addresses in the Digital Footprints.
To identify outdated browser versions, we rely on the user agent string, which the client browser sends with each web request. It reports details such as the operating system, the browser type, and the browser version number.
How you can remediate it
Review the findings that appear on the details page for the issue type. Use this information to investigate and address each discovered instance of the issue.
Note: The Evidence column shows the browser's country location and the visited URL, as shown in the browser's requests carrying an X-Forwarded-For header, if that information is available. This information is only visible to SecurityScorecard administrators for the organization that owns the Scorecard.
Take the following actions to remediate this issue.
Keep browsers and related settings up to date
View current browser versions, according to Wikipedia:
See Scoring Update Release Notes for exact dates related to browser detection.
Add a unique identifier to your agent string
If you have a centralized browser update and management practice in place, such as for Google Chrome, insert a unique identifier into your web browsers' User Agent strings. Assign this identifier to every browser and device that you manage, and then track it. Using Chrome as an example, you can then:
- Find out who in your organization is running a managed Chrome instance where the update patches are not being applied successfully.
- Deny responsibility for our findings that flag browsers whose User Agent string does not include that identifier, since those browsers are not ones you manage.
The string has the following structure:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36 your-company.com/258jpEvzgelQs
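The following is an added example, not part of the original article or of any SecurityScorecard tooling: it parses a constructed batch of User Agent strings that use the identifier structure shown above, separates managed browsers from unmanaged ones, and flags managed Chrome instances that lag the current release. The token format your-company.com/<id>, the device ids and the LATEST_CHROME value are all placeholders.

```python
import re

# Constructed sample of User-Agent strings as a proxy or ad-tech feed would record
# them. The trailing "your-company.com/<id>" token follows the structure shown in
# the article; the device ids are made up.
SAMPLE_USER_AGENTS = [
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36 your-company.com/258jpEvzgelQs",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36 your-company.com/7fQk2mZpA1",
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) AppleWebKit/605.1.15 "
    "(KHTML, like Gecko) Version/15.0 Mobile/15E148 Safari/604.1",
]

# Placeholder for the current Chrome release; look the real value up at scan time.
LATEST_CHROME = (120, 0, 6099, 71)

CHROME_RE = re.compile(r"\bChrome/(\d+)\.(\d+)\.(\d+)\.(\d+)\b")
# Assumed token format: your own domain, a slash, then the per-device identifier.
MANAGED_RE = re.compile(r"\byour-company\.com/([A-Za-z0-9]+)\b")


def parse_user_agent(ua):
    """Return (chrome_version_tuple_or_None, managed_device_id_or_None)."""
    chrome = CHROME_RE.search(ua)
    version = tuple(int(p) for p in chrome.groups()) if chrome else None
    managed = MANAGED_RE.search(ua)
    return version, (managed.group(1) if managed else None)


def triage(user_agents, latest=LATEST_CHROME):
    """Sort observed browsers into the buckets the remediation steps act on:
    managed_outdated (your device, update pipeline failing), managed_current,
    managed_unknown (your device, but not Chrome), unmanaged (no identifier,
    so not a browser you are responsible for)."""
    buckets = {"managed_outdated": [], "managed_current": [],
               "managed_unknown": [], "unmanaged": []}
    for ua in user_agents:
        version, device_id = parse_user_agent(ua)
        if device_id is None:
            buckets["unmanaged"].append(ua)
        elif version is None:
            buckets["managed_unknown"].append(device_id)
        elif version < latest:
            buckets["managed_outdated"].append((device_id, version))
        else:
            buckets["managed_current"].append(device_id)
    return buckets
```

The managed_outdated bucket gives you the device ids whose update pipeline needs attention, while the unmanaged bucket lists the findings you can dispute.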
Separate your outbound NAT
Some outdated browser findings may come from guest devices on your wireless network. To have these removed from your Scorecard issues, deploy a separate NAT IP address for guest traffic.
How you can resolve it in SecurityScorecard
When submitting a Resolution request, ensure you include supporting evidence where necessary. This will greatly assist us in ensuring your issue is resolved in a timely manner. See the following options for resolving Outdated Browsers Detected findings:
I have fixed this
- All browsers are updated to the latest released version.
- All browsers have been patched to the latest released version.
- All systems have been re-imaged and updated with the latest browsers.
I have a compensating control
- We have a third party that auto-patches our browsers to the latest version.
- The browsers detected originated from a guest wireless network.
Note: The following practices are not compensating controls:
- Having employees' personal devices connect to a corporate virtual private network (VPN). This is a significant security risk; see How to secure BYOD devices.
- Using outdated browsers in a testing network, unless that network is segmented away from the rest of your production infrastructure.
This is not my IP or domain
- The IP does not belong to our company.
- These browsers originate from a different organization.
I cannot reproduce this issue, and I think it is incorrect
- All browsers are auto-patched as soon as updates are available. The listed browsers are on the latest version possible.