Severity: High
Factor: Endpoint security
Why this matters
At least one endpoint was found to be using an outdated and potentially vulnerable web browser. Unpatched browsers are exposed to several types of client-side attack, such as drive-by exploitation of publicly known bugs in the browser's rendering or JavaScript engine, which can lead to unauthorized remote code execution in the browser and, combined with a sandbox escape or privilege escalation, compromise of the entire endpoint.
We consider a browser out of date if it has not been updated to the latest major version, where that version has been available for 90 to 120 days (see the FAQs below for how the window is calculated).
How we discovered it
We capture user agent strings from commercially available advertising technology data and correlate them with IP addresses in your organization's Digital Footprint.
The user agent string is sent by the client browser with each HTTP request and reports details such as the operating system, browser type, and browser version number. Outdated browsers are identified by comparing the version number in that string with the version that was current for that browser at the time of the check.
How you can remediate it
Review the findings that appear on the details page for the issue type. Use this information to investigate and address each discovered instance of the issue.
Note: The Evidence column shows the browser's country location and the visited URL, if that information is available. We also show the client IP address when the proxy server forwards it in an X-Forwarded-For header. This information is only visible to SecurityScorecard administrators for the organization that owns the Scorecard.
Take the following actions to remediate this issue.
Keep browsers and related settings up to date
In general, upgrade all browsers to the latest stable build for your operating system and enable auto-update where the browser provides it. Also validate browser security settings manually, and ensure configurations do not allow unknown or unauthorized JavaScript to run.
To view current browser versions, see the version history page on Wikipedia for each browser.
See Scoring Update Release Notes for exact dates related to browser detection.
Separate your outbound NAT
Some outdated browser findings may come from guest devices on your wireless network. To have these removed from your Scorecard issues, route guest traffic through a separate outbound NAT IP address, so that guest devices no longer appear behind the egress IPs used by your corporate endpoints.
FAQs
Q: How long does the customer have to patch when a new browser or OS version comes out? Our KB article says 90 to 120 days; what determines the exact time frame?
A: We use a 3-month window for browser versions. On the day we update the current browser data, we look back 3 months to determine what the version was at that time. The variance comes from the manual update cadence: the update happens monthly, usually in the third week of the month, so a version can be between 90 and 120 days old when it first counts as outdated.
Q: Google releases minor Chrome updates very frequently. Does the countdown begin each time a new one is out, or are only major releases tracked? What source gives the "latest version"?
A: It doesn't matter how many releases occur; the check is a 3-month look-back from the date of the update to the current version, and each release doesn't start a new timer. We only compare the major portion of the version, because Chrome changed its user agent string to report only the major version (the remaining components are zeroed, for example Chrome/126.0.0.0) unless the website requests the full version through User-Agent Client Hints.
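The detection described on this page (user agent parsing from "How we discovered it", the X-Forwarded-For client IP from the Evidence note, and the major-version 3-month look-back from these FAQs), worked through as an added Python example. This is not SecurityScorecard's code: the reference version table, the update date, the log format and the log lines are constructed assumptions, and the real data comes from the adtech feed and monthly update described above.

```python
import re
from datetime import date, timedelta

# Constructed reference data (assumption): latest major version of each browser
# as recorded on a given date. Illustrative numbers only.
LATEST_MAJOR_SNAPSHOTS = [
    (date(2024, 1, 20), {"Chrome": 120, "Edge": 120, "Firefox": 121, "Safari": 17}),
    (date(2024, 4, 20), {"Chrome": 124, "Edge": 124, "Firefox": 125, "Safari": 17}),
    (date(2024, 7, 20), {"Chrome": 126, "Edge": 126, "Firefox": 128, "Safari": 17}),
]
LOOKBACK = timedelta(days=90)    # the 3-month window from the FAQ
UPDATE_DATE = date(2024, 7, 20)  # assumed date of the monthly reference update

# Tested in this order: an Edge UA also contains "Chrome/", and a Chrome UA also
# contains "Safari/". Only the major is captured, since Chromium browsers zero
# the rest of the version in the UA string (e.g. Chrome/126.0.0.0).
BROWSER_PATTERNS = [
    ("Edge", re.compile(r"\bEdg(?:e|A|iOS)?/(\d+)")),
    ("Chrome", re.compile(r"\bChrome/(\d+)")),
    ("Firefox", re.compile(r"\bFirefox/(\d+)")),
    ("Safari", re.compile(r"\bVersion/(\d+)[\d.]*.*\bSafari/")),
]

# Assumed log layout: "combined" format with the X-Forwarded-For value appended in quotes.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$'
)


def parse_user_agent(ua):
    """Return (browser, major_version), or (None, None) for a UA we do not classify."""
    for name, pattern in BROWSER_PATTERNS:
        m = pattern.search(ua)
        if m:
            return name, int(m.group(1))
    return None, None


def reference_major(browser, as_of):
    """Latest major version recorded in the most recent snapshot on or before as_of."""
    applicable = [v for snap_date, v in LATEST_MAJOR_SNAPSHOTS if snap_date <= as_of]
    return applicable[-1].get(browser) if applicable else None


def outdated_threshold(browser, update_date):
    """The major version that was current 90 days before the reference update."""
    return reference_major(browser, update_date - LOOKBACK)


def is_outdated(browser, major, update_date):
    """Outdated means the major is below the major that was current 90 days ago."""
    threshold = outdated_threshold(browser, update_date)
    return threshold is not None and major < threshold


def parse_log_line(line):
    """Split one access-log line into the real client IP, requested URL and UA.

    If X-Forwarded-For is populated its first address is the client and the
    logged peer address is the proxy; otherwise the peer address is the client.
    """
    m = LOG_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    xff = m.group("xff")
    client_ip = xff.split(",")[0].strip() if xff and xff != "-" else m.group("ip")
    req = m.group("req").split()
    return {"client_ip": client_ip, "url": req[1] if len(req) >= 2 else "-", "ua": m.group("ua")}


def find_outdated(lines, update_date):
    """One finding per log line whose browser is outdated as of update_date."""
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        browser, major = parse_user_agent(rec["ua"])
        if browser is None:
            continue  # curl, bots, unknown clients: not a browser finding
        if is_outdated(browser, major, update_date):
            findings.append({**rec, "browser": browser, "major": major,
                             "threshold": outdated_threshold(browser, update_date)})
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.10 - - [18/Jul/2024:09:14:02 +0000] "GET /portal/login HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36" "-"',
    '203.0.113.10 - - [18/Jul/2024:09:15:44 +0000] "GET /portal/ HTTP/1.1" 200 2210 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.2592.87" "-"',
    '198.51.100.7 - - [18/Jul/2024:09:20:11 +0000] "GET /docs/index.html HTTP/1.1" 200 9981 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0" "10.0.0.5, 198.51.100.7"',
    '192.0.2.44 - - [18/Jul/2024:09:21:00 +0000] "GET / HTTP/1.1" 200 1800 "-" '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.5 Safari/605.1.15" "-"',
    '192.0.2.44 - - [18/Jul/2024:09:22:30 +0000] "GET /robots.txt HTTP/1.1" 200 110 "-" "curl/8.4.0" "-"',
]

if __name__ == "__main__":
    for f in find_outdated(SAMPLE_LOG, UPDATE_DATE):
        print(f"{f['client_ip']} {f['browser']} {f['major']} < {f['threshold']} url={f['url']}")
```

With the assumed update date of 2024-07-20 the look-back lands on 2024-04-21, so the 2024-04-20 snapshot sets the thresholds: Chrome 118 and Firefox 120 are flagged, the current Edge and Safari are not, and the Firefox finding is attributed to 10.0.0.5 from the X-Forwarded-For header rather than to the proxy at 198.51.100.7. Running the same logic against your own proxy logs is a practical way to reproduce a finding before submitting a resolution request.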
How you can resolve it in SecurityScorecard
When submitting a Resolution request, include supporting evidence where necessary; this greatly assists us in resolving your issue in a timely manner. See the following options for resolving Outdated Browsers Detected findings:
I have fixed this
- All browsers are updated to the latest released version.
- All browsers have been patched to the latest released version.
- All systems have been re-imaged and updated with the latest browsers.
I have a compensating control
- We have a third party that auto-patches our browsers to the latest version.
- The browsers detected originated from a guest wireless network.
Note: The following practices are not compensating controls:
- Having employees' personal devices connect to a corporate virtual private network (VPN). This is a significant security risk; see How to secure BYOD devices.
- Using outdated browsers in a testing network, unless that network is segmented away from the rest of your production infrastructure.
This is not my IP or domain
- The IP does not belong to our company.
- These browsers originate from a different organization.
I cannot reproduce this issue, and I think it is incorrect
- All browsers are auto-patched as soon as updates are available. The listed browsers are on the latest version possible.