http://dx.doi.org/10.9717/kmms.2015.18.2.199

Assessing Web Browser Security Vulnerabilities with respect to CVSS  

Joh, HyunChul (Dept. of Computer Eng., College of IT Convergence, Kyungil University)
Abstract
Since security vulnerabilities newly discovered in a popular Web browser immediately put a large number of users at risk, developers must address them urgently. Analysis of the characteristics of Web browser vulnerabilities can be used to assess security risks and to determine the resources needed to develop patches quickly for newly discovered vulnerabilities. As a new research area, the quantitative aspects of Web browser vulnerabilities and risk assessment have so far not been fully investigated. However, given the importance of Web browser software systems, further detailed studies of Web browser risk assessment are required, using rigorous analysis of actual data that can assist decision makers in maximizing the returns on their security-related efforts. In this paper, a quantitative software vulnerability analysis of major Web browsers is presented with respect to the Common Vulnerability Scoring System (CVSS). Vulnerability discovery trends in the Web browsers are also investigated. The results show that, almost all the time, vulnerabilities are exploitable from remote networks with no authentication required. It is also found that a vulnerability discovery model originally introduced for operating systems is applicable to Web browsers as well.
Keywords
Software Security Vulnerability; Web Browser; CVSS; VDM; AML;