"A browser" – that's all we were led to believe the next generation would need to create office applications or engineering applications. Now the focus on security has begun to divert in that direction. Statistics from the first half of 2006 showed that 69 percent of exploitable vulnerabilities were in Web applications. Web application vulnerabilities are often confused with Web server vulnerabilities, although the two are distinctly different. Web developers who design Web sites are not usually security gurus, and they often leave security holes behind in the Web application because of bad coding practices and a lack of security reviews.
On one hand, there are many security experts around the world who fuzz Web servers with input variations in order to find another zero-day. The end result is that the interval between exploitable vulnerabilities found in popular Web servers is growing. It has been a long time since we have seen a fully exploitable security breach of a default, patched installation of IIS. That doesn't mean there won't be such vulnerabilities in the future. There will be, but the frequency has been greatly reduced, for now.
On the other hand, how many of us concentrate on fuzzing a Web application? The server running the application is essentially the same everywhere, but the Web application running on top of it could be anything. Ajax, as a technology, seems to be taking the Internet in a new direction. It is now a fact that browsers on our mobile phones are capable of showing us movies, writing office documents, creating applications, or anything that previously only an operating system could do. In other words, browsers could take over the role of operating systems. Unfortunately, this new technology could also lead to new types of threats focused on browsers and Web applications. Or is it safe to say that the focus has already started to divert?