Monday | 13 October, 2008
CSO
10 security threats to watch for
Virtual servers, public Web sites and mobile devices are increasingly popular targets
Tim Greene (Network World) 14/04/2008 10:17:22


Besides stealing browser history and scanning other systems on a machine, these attacks have been shown to support Java-based TCP stacks that can set up VPN endpoints in the browser of a compromised machine. A VPN tunnel to such an endpoint would give an attacker access to a machine behind the corporate firewall, where it could connect to other systems inside the firewall, Skoudis says.

Similarly, such infiltrated browsers could infect systems that are then checked via browser by a network administrator, compromising the administrative machine and the entire network, he says.

The best defense is keeping antivirus software up to date, employing intrusion-protection gear and educating users about the problem.

7. Mobile phone browser exploits

Vulnerabilities found in certain mobile phones can be exploited to surrender control of the devices to attackers. When users connect to malicious content within Web sites visited by their browsers, the content can take over the machine so it responds to commands from a remote attacker, says Rohit Dhamankar, the chief security analyst at Tipping Point.

8. Lost mobile devices

The proliferation of handhelds and smartphones in corporate environments means more data will be lost or stolen along with the physical machine that holds it.

Countermeasures include encrypting data on the devices and installing software that can lock or wipe out the hard drive remotely to prevent thieves from accessing the data.

9. Insecure Web applications

Applications whose coding leaves them vulnerable to custom attacks pose a threat not only to the application and the content it can access, but to the network as well, says Nick Selby, an analyst with The 451 Group.

Applications are being developed with secure coding in mind, but many legacy corporate applications were designed for closed networks, Selby says. These include such basic applications as the control software used in manufacturing and utility networks as well as highly customized applications designed for individual businesses.
