A research study released last week measures the proportion of web users running the most updated and secure browsers. With drive-by-downloads increasingly popular with malware distributors, web surfing with an older version of a browser is getting riskier. The study is based on data from Google’s search and web application server logs over an 18 month period (Jan-07 to Jun-08), with browser versions lifted from the HTTP USER-AGENT header field found in the server logs.
The researchers assumed that “… most updates and patches for existing Web browser technologies (both the core browsing engine and third-party plug-ins) increasingly incorporate new and vital security fixes“: so for the purposes of the study the latest version or update of a browser was considered the “secure” version. The share of users running the latest major release varies over time, with Firefox users much more likely to be using the most secure version:
Overall, 45.2% of Internet users were not using the most secure browsers. The results are on the optimistic side, since the researchers were unable to check for out-of-date and vulnerable browser plug-ins, nor go back in time and adjust for the many zero-day attacks aimed at browsers.
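The measurement the study describes, as an added example (not the study's or this post's own code): constructed Combined Log Format lines are parsed for their User-Agent field, each recognised browser's version is compared against an assumed "latest release" table, and the share of clients behind the latest release is computed. The hosts, paths and "latest" versions are constructed for the demonstration.

```python
import re
from collections import Counter

# Constructed log lines (hypothetical hosts/paths); the last quoted field is the User-Agent.
SAMPLE_LOG = """\
10.0.0.1 - - [15/Jun/2008:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14"
10.0.0.2 - - [15/Jun/2008:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008061015 Firefox/3.0"
10.0.0.3 - - [15/Jun/2008:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.1) Gecko/2008070206 Firefox/3.0.1"
10.0.0.4 - - [15/Jun/2008:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.0.5 - - [15/Jun/2008:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"
10.0.0.6 - - [15/Jun/2008:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.51"
10.0.0.7 - - [15/Jun/2008:10:00:06 +0000] "GET / HTTP/1.1" 200 512 "-" "Opera/9.27 (Windows NT 5.1; U; en)"
10.0.0.8 - - [15/Jun/2008:10:00:07 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_4; en-us) AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.2 Safari/525.20"
10.0.0.9 - - [15/Jun/2008:10:00:08 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.18.0"
"""

# Assumed "latest = secure" table for the snapshot date (constructed; a real run refreshes it from vendor release history).
LATEST = {"Firefox": (3, 0, 1), "MSIE": (7, 0), "Opera": (9, 51), "Safari": (3, 1, 2)}

UA_FIELD = re.compile(r'"([^"]*)"\s*$')  # last quoted field of the log line
VERSION = r"(\d+(?:\.\d+)*)"
BROWSER_PATTERNS = [  # order matters: Opera's UA often also claims "MSIE"
    ("Opera", re.compile(r"Opera[/ ]" + VERSION)),
    ("MSIE", re.compile(r"MSIE " + VERSION)),
    ("Firefox", re.compile(r"Firefox/" + VERSION)),
    ("Safari", re.compile(r"Version/" + VERSION + r" Safari/")),
]

def classify_ua(ua):
    """Return (browser, version tuple), or None when the UA is not a tracked browser."""
    for name, pattern in BROWSER_PATTERNS:
        m = pattern.search(ua)
        if m:
            return name, tuple(int(p) for p in m.group(1).split("."))
    return None

def outdated_share(log_text, latest=LATEST):
    """Count hits per (browser, version) and the share running below the latest release."""
    hits = Counter()
    for line in log_text.splitlines():
        m = UA_FIELD.search(line)
        parsed = classify_ua(m.group(1)) if m else None
        if parsed and parsed[0] in latest:
            hits[parsed] += 1
    total = sum(hits.values())
    outdated = sum(n for (browser, ver), n in hits.items() if ver < latest[browser])
    return {"total": total, "outdated": outdated,
            "share": outdated / total if total else 0.0, "by_version": dict(hits)}
```

Like the study, this counts only browsers it recognises (the curl line is dropped) and says nothing about plug-in versions, which the User-Agent field does not carry.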
Firefox’s auto-update mechanism resulted in most of its users updating to a new version within three days of a new release. Opera’s “manual update & download reminder” approach meant it took about eleven days before most of its users updated to a new release. The researchers found that it took 19 months before 53% of IE users had updated to IE7; in contrast, 92% of Firefox users were already using version 2. I agree with their recommendation that the other major browsers follow Mozilla’s (auto-update) lead:
While Microsoft’s operating system auto-update functionality encompasses the Internet Explorer update mechanism even if the browser is not in use, the fact that patch updates (for both Internet Explorer 6 and 7) are typically only made available on a monthly basis means that updates are released less frequently (when compared to Firefox), which can result in a lower short term patching effectiveness.
Based upon our findings, we strongly recommend that software vendors embrace auto-update mechanisms within their products that are capable of identifying the availability of new patches and installing security updates as quickly and efficiently as possible – ideally enabled by default and causing minimal disruption to the user. We also recommend that these same auto-update mechanisms are capable of alerting the user of any plug-ins currently exposed through the Web browser that have newer and more secure versions available.
They actually go further and envision a “best before” dating system, akin to what the food industry adopted years ago to help consumers evaluate the likelihood of spoilage. I’m not crazy about the analogy (food versus Internet browsing safety), but some form of aggressive notification may encourage users to update their browsers quickly.
What I like about this study is that the resulting data-gathering systems should be able to provide regular updates, and over time we can monitor how browser users and makers adapt. Other notable comprehensive security studies include Google’s automated system for uncovering web-based malware, and RobotGenius’ ongoing automated analysis (using multiple commercial scanners and a behavioral AV detector) of every Windows executable available for download. But while good data sources help determine the scope of a problem, in the case of computer security, bridging the cultural divide that exists between web developers and their Black Hat counterparts may prove just as important.