As hacker sophistication continues to escalate, the number of avenues available for attacking businesses is climbing as well. With this in mind, why is it that hackers repeatedly choose to come in through the browser?

The answer to this question is actually quite simple: web browsers are fundamentally more vulnerable than other software in ways that are very difficult to address directly.

1. Browser Complexity

After the operating system itself, browsers are probably the biggest and most complex programs around. For example, Firefox is composed of more than 15 million lines of code. This leads to a vast number of bugs and vulnerabilities. In 2014, Internet Explorer patched over 230 serious vulnerabilities while Chrome patched over 415.

2. Plug-in Problem

In addition to the base browser, most users have a number of additional plugins installed. These each add to the complexity of the system, including a whole new set of bugs and vulnerabilities. Further, add-ons can introduce new weaknesses because of the way they interact with the browser or other plugins like Flash, search bars, social media helpers, adware, and even privacy and security tools.

3. Program Exploits

Unlike most programs, browsers are called on to run other programs within themselves. Most browsers need to be able to execute Java, JavaScript, Flash, and HTML5. Each of these in itself is a complete programing language, which could be trying to do an almost unlimited number of nefarious things. It is impossible to actually predict all the possible vulnerabilities these programs might be able to exploit.

Although browsers are perhaps more insecure than other programs, why can’t we address this with the usual arsenal of security tools? The reality is that browsers are also unusually difficult to protect.

4. Firewall Frustration

Firewalls have a hard time protecting the web because the connections are initiated from inside the secure perimeter. As a result, users could be legitimately requesting almost any kind of content from any source in the world. Deciding which of these actions might be dangerous is much harder than keeping attackers from directly accessing protected servers from the outside.

5. Web Downloads

Browsers are expected to download or display a staggering range of content types. While other programs know what to expect and can employ strict filters, browsers must be ready to deal with almost anything. That gives attackers a much greater range of possible vehicles for their attacks.

These five characteristics lead to the browser being the cause of over 90% of undetected breaches for businesses. This huge security hole will persist until we employ entirely new approaches to security. As such, the browser is fundamentally untrustworthy — and we need to treat it that way.