Why do browsers have so many possible exploits?

Complexity, complexity, complexity.

A modern browser supports

  • Retrieving data over multiple protocols (http, https, ftp, ...)
  • Rendering multiple different markup languages (plain html (in several versions), xhtml, html with css ...)
  • Storing data and retrieving data at the request of remote users (cookies)
  • Two (or more!) Turing-complete programming environments to run code supplied from the outside (javascript, java, maybe flash ...)
  • Some kind of internal options database
  • (Stolen from broam's insightful answer, so go vote for it) Support for a plug-in architecture that allows third-party code access to the browser internals

and is expected to be fast, have clever caching to make it faster, and to have an expressive and powerful interface.

There is a heck of a lot going on there, and they are big, complex pieces of software.


One vector that people haven't mentioned: plugins. The browser may be secure, but the plugin might have wide holes in it...and with ubiquitous plugins like Flash...exploits ahoy matey.


Partially it is the fact that some updates are rolled out faster than they should be. But one prevailing fact comes from a blog post Jeff posted a while back here: when run as admin, anything can happen. Also, since each computer is different, running different things, it isn't always the browser itself that has an exploit. Sometimes it is a third-party plugin like Flash.


Part of the problem is that the performance of browsers (like word processors and CAD programs) is highly dependent on the data, and as there can be (pretty much) an infinite variety of data, there's no way that the developers can test every single combination to see if it gives undesirable results.

Another aspect is that, to get the interactivity that users and (more importantly) web site owners want, the browsers have to execute code. This is another weak point.


Many answers here, all touching on different reasons, but the fundamental answer is "because that's where the money's at."

Lots of other software probably has a similar or greater number of bugs, but they're not usually exploitable since you need to convince a user to expose them to the wild internet.