Do you use modern browsers and keep them updated?
Description
What this control does
This control requires that all web browsers used within the organization meet minimum version requirements aligned with vendor support lifecycles and that automated or policy-driven update mechanisms are enforced. Modern browsers include current-generation releases of Chrome, Edge, Firefox, Safari, or equivalent with active security patch support. The control ensures that users cannot operate browsers with known vulnerabilities that expose sessions, credentials, or organizational data to exploitation through web-based attack vectors.
Control objective
What auditing this proves
Demonstrate that all browsers deployed across workstations, mobile devices, and servers are current-generation versions receiving active security updates, and that automated update mechanisms or compensating deployment controls are enforced organization-wide.
Associated risks
Risks this control addresses
- Exploitation of publicly disclosed browser vulnerabilities (CVEs) enabling remote code execution or sandbox escape
- Man-in-the-middle attacks exploiting weak TLS/SSL cipher suites or protocol flaws present in outdated browser versions
- Cross-site scripting (XSS) or cross-site request forgery (CSRF) attacks leveraging unpatched browser rendering engines
- Credential theft through phishing sites that go unflagged because legacy browser versions lack the security warnings (such as deceptive-site and insecure-form interstitials) that current versions display
- Drive-by download attacks delivering malware via compromised or malicious websites targeting known browser flaws
- Data exfiltration through insecure handling of cookies, local storage, or same-origin policy bypasses in outdated browsers
- Compliance violations due to use of unsupported software lacking vendor security maintenance commitments
Testing procedure
How an auditor verifies this control
- Obtain the organization's approved browser list and minimum version requirements from the endpoint management or security policy documentation
- Review endpoint management console (e.g., Intune, JAMF, SCCM, Workspace ONE) to identify all installed browser applications and their versions across a representative sample of workstations and mobile devices
- Query endpoint detection and response (EDR) or asset inventory systems for comprehensive browser version distribution across all managed endpoints
- Select a stratified random sample of at least 25 endpoints spanning different operating systems, organizational units, and user privilege levels for direct inspection
- Remotely connect to sampled endpoints or review agent-reported data to verify installed browser versions match policy requirements and are within vendor-supported lifecycles
- Review Group Policy Objects (GPO), mobile device management (MDM) profiles, or configuration management scripts to confirm automatic update policies are enabled and cannot be disabled by end users
- Interview IT operations staff to confirm update deployment cadence, emergency patching procedures for critical browser vulnerabilities, and exception handling processes
- Test one endpoint by attempting to disable automatic updates or install an outdated browser version to validate technical enforcement controls
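The version-verification steps above (compare agent-reported browser versions against the approved list and minimum versions, then draw a stratified sample for direct inspection) can be scripted against an inventory export. The following is an added example for this procedure, not code from the control framework or any endpoint-management vendor. It assumes a constructed CSV export with the columns shown (hostname, os, org_unit, privilege, browser, version) and a placeholder policy mapping; the version numbers are illustrative and are not real release or support-lifecycle values.

```python
import csv
import io
import random
from collections import defaultdict

# Constructed inventory export, shaped like what an endpoint-management console
# (Intune, JAMF, SCCM, Workspace ONE) might report. Versions are placeholders.
INVENTORY_CSV = """hostname,os,org_unit,privilege,browser,version
ws-001,windows,finance,standard,chrome,124.0.6367.91
ws-002,windows,finance,admin,chrome,118.0.5993.70
ws-003,windows,engineering,standard,firefox,125.0.1
ws-004,windows,engineering,standard,edge,123.0.2420.81
mac-001,macos,engineering,admin,safari,17.4
mac-002,macos,marketing,standard,chrome,124.0.6367.60
mob-001,ios,marketing,standard,safari,16.5
srv-001,linux,it,admin,firefox,115.9.1
"""

# Assumed policy: approved browsers and their minimum versions (placeholder values
# standing in for the organization's documented requirements).
MIN_VERSION = {
    "chrome": "124.0.6367.60",
    "edge": "123.0.2420.81",
    "firefox": "125.0",
    "safari": "17.0",
}


def parse_version(text):
    """Turn a dotted version string into a tuple of ints for comparison.
    Non-numeric characters inside a component are dropped; empty components are 0."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_ok(installed, minimum):
    """True when installed >= minimum. Shorter tuples are zero-padded so that
    '125.0' and '125.0.0' compare equal and '125.0.1' sorts above '125.0'."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def load_inventory(csv_text):
    """Parse the console export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def find_noncompliant(rows, policy):
    """Return rows whose browser is not on the approved list or is below the
    minimum version. Unrecognised browsers are flagged, never silently passed."""
    findings = []
    for row in rows:
        minimum = policy.get(row["browser"].lower())
        if minimum is None:
            findings.append({**row, "reason": "browser not on approved list"})
        elif not version_ok(row["version"], minimum):
            findings.append({**row, "reason": f"below minimum {minimum}"})
    return findings


def stratified_sample(rows, per_stratum, seed=0):
    """Pick up to per_stratum endpoints from each (os, org_unit, privilege)
    stratum. A fixed seed makes the auditor's selection reproducible."""
    rng = random.Random(seed)
    strata = defaultdict(list)
    for row in rows:
        strata[(row["os"], row["org_unit"], row["privilege"])].append(row)
    sample = []
    for key in sorted(strata):
        group = strata[key]
        sample.extend(rng.sample(group, min(per_stratum, len(group))))
    return sample


def compliance_rate(rows, policy):
    """Fraction of inventoried endpoints with no version or approval finding."""
    bad = {f["hostname"] for f in find_noncompliant(rows, policy)}
    return 1 - len(bad) / len(rows)


if __name__ == "__main__":
    rows = load_inventory(INVENTORY_CSV)
    for f in find_noncompliant(rows, MIN_VERSION):
        print(f"{f['hostname']}: {f['browser']} {f['version']} - {f['reason']}")
    print(f"compliance rate: {compliance_rate(rows, MIN_VERSION):.0%}")
    print("inspect:", [r["hostname"] for r in stratified_sample(rows, 1)])
```

Feeding a real console export into `load_inventory` is the only change needed in practice; the policy dictionary should be populated from the organization's documented minimum versions rather than hard-coded. The script reports only on what the agent has inventoried, so endpoints missing from the export are a separate finding that the auditor must reconcile against the asset register.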