1

We're trying to analyze some attack vectors on one of our MVC apps, and we are considering writing some code to prevent users from accessing our site using a browser [version] that we consider to be too insecure.

For example, anything less than IE 7 is getting banned from our site.

Any browser [+version] that doesn't implement the HttpOnly cookie or has serious known holes/scripting issues would be on our watch list.

Without the obvious sarcastic comments about all versions of IE being totally insecure(!), which browsers and/or versions would you consider to be risky? IE tends to get all the bad press, but what about version 1 of Chrome or version 3 of Safari, etc.?

1 Answer

1

Honestly, I still think the most insecure browser is IE. There are a lot of crashes and a lot of code execution bugs for IE. In the last days of 2012, the bluehole 0-day bug was discovered being exploited in the wild. But I don't remember the last bug I've seen which successfully executes shellcode in Windows 7 with DEP and ASLR enabled. Those days have almost passed for Firefox and Chrome. The Chrome sandbox especially is really secure. I've only seen Vupen find a 0-day vulnerability which executed code in Chrome, like 1 year ago.

You can see a list of vulnerabilities per year, per product, and you'll also see a classification of the bugs. http://www.cvedetails.com/product/3264/Mozilla-Firefox.html?vendor_id=452

Change product to Chrome, Internet Explorer and Safari.

Also, IE is really vulnerable through third-party plugins; you can achieve code execution more easily on IE.

If you have a more specific question, please ask.

1 Comment

Thanks for your reply. The link you supplied is really useful and contains lots of excellent information. I appreciate your comment re IE but the fact is we cannot just ban IE outright! We have simply banned IE 7 and back. Other than IE, which VERSIONS of each of the mainstream browsers would you suggest we ban?
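As an added example (not code from the question, the answer or any project), here is one way the User-Agent version gate described in the question could look, written in Python as an assumed language. Only the IE floor comes from the question; the Chrome and Safari floors, the function names and the sample headers are constructed placeholders, not recommendations. The header is supplied by the client, so the check steers ordinary users to a newer browser and is not a security boundary.

```python
import re

# Minimum allowed major versions. The IE floor is the question's
# ("anything less than IE 7"); the others are constructed placeholders.
MIN_MAJOR = {"ie": 7, "chrome": 2, "safari": 4}

# Order matters: Chrome's header also contains "Safari/", and Safari puts
# its real version in "Version/x" (the "Safari/" token is a build number).
_PATTERNS = [
    ("ie", re.compile(r"MSIE (\d+)")),
    ("chrome", re.compile(r"Chrome/(\d+)")),
    ("safari", re.compile(r"Version/(\d+).*Safari/")),
]


def identify(user_agent):
    """Return (family, major_version), or (None, None) if unrecognised."""
    for family, pattern in _PATTERNS:
        match = pattern.search(user_agent or "")
        if match:
            return family, int(match.group(1))
    return None, None


def is_allowed(user_agent, allow_unknown=True):
    """Apply MIN_MAJOR; unrecognised clients follow allow_unknown."""
    family, major = identify(user_agent)
    if family is None:
        return allow_unknown
    return major >= MIN_MAJOR[family]


# Constructed sample headers, shaped like what these browsers send.
SAMPLES = {
    "ie6": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "ie8": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "chrome1": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) "
               "AppleWebKit/525.19 (KHTML, like Gecko) "
               "Chrome/1.0.154.48 Safari/525.19",
    "safari3": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-us) "
               "AppleWebKit/525.28.3 (KHTML, like Gecko) "
               "Version/3.2.3 Safari/525.28.3",
}

if __name__ == "__main__":
    for name, ua in SAMPLES.items():
        print(name, identify(ua), "allowed" if is_allowed(ua) else "blocked")
```

Whether unrecognised clients are let through (`allow_unknown`) is a policy decision: blocking them also blocks crawlers and monitoring tools, so log the rejected headers before enforcing.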
