December 5, 2011

Sophos warns of HTML5 security risk

The browser itself will become a target, not just a way into the PC, James Lyne says

By Steve Evans

HTML5, the upcoming web language, will present a huge target for cybercriminals, security firm Sophos has warned.

Its predecessor, HTML4, has dominated websites for years but is a relatively basic language, said James Lyne, senior technology strategist at Sophos, at an event in London. Because of this, developers have introduced many add-ons and plug-ins, such as Flash, Google Gears and JavaScript.

However, as Lyne points out, many of these can remain unpatched, making the whole system very insecure. HTML5 removes the need for many of these add-ons and plug-ins because its more advanced design means similar capabilities are built in.

While this may sound more secure, Lyne said that it will make HTML5 a big target for cybercriminals, because it means huge amounts of data will be stored within the browser itself.

"HTML5 is potentially going to be very painful," Lyne said. "The way it works is much like the idea of a thin client and cloud computing. But this means lots of data will be stored in the browser, which will become the target. Traditionally the browser has been used as a way of getting into the PC; now cybercriminals will be targeting the browser itself to get at the data."

HTML5 is rapidly being adopted across the web, particularly for mobile sites. Adobe recently announced that it would no longer invest resources in developing Flash for mobile devices, insisting that HTML5 will offer the best alternative as it will be universally supported. Apple never allowed the use of Flash on its iPhone or iPad devices, severely hampering its adoption.

Sophos’ Lyne also warned that cyber attacks on national infrastructure, such as nuclear and power stations, would increase in 2012, despite labelling the attacks seen in 2011 as "massively over-hyped."


Lyne name-checked the Stuxnet and Duqu worms as examples of threats that could target national infrastructure. But he also claimed they had both been over-hyped, as they were examples of simple malware that exploited common vulnerabilities. They also had little impact, he said.

Lyne added that the potential impact of a successful cyber attack being launched against a country’s national infrastructure was "serious" and that "we will see more over the next year because control systems have not grown as IT security has over the last 20 years, so there are security holes."

Lyne added, however, that the lack of a financial reward for this sort of attack – compared to stealing IP or credit card information – means only a limited number of cybercriminals will focus on this area.
