Tue Jul 8 2008

Ben Lorica

Please Update Your Browser

A research study released last week measures the proportion of web users running the most up-to-date, and therefore most secure, browsers. With drive-by downloads increasingly popular with malware distributors, web surfing with an older version of a browser is getting riskier. The study is based on data from Google's search and web application server logs over an 18-month period (Jan-07 to Jun-08), with browser versions lifted from the HTTP USER-AGENT header field found in the server logs.

The researchers assumed that "... most updates and patches for existing Web browser technologies (both the core browsing engine and third-party plug-ins) increasingly incorporate new and vital security fixes", so for the purposes of the study the latest version or update of a browser was considered the "secure" version. The share of users running the latest major release varies over time, with Firefox users much more likely to be using the most secure version:

[Figure: share of users running the latest major release of each browser over time]

Overall, 45.2% of Internet users were not using the most secure browsers. The results are on the optimistic side, since the researchers were unable to check for out-of-date and vulnerable browser plug-ins, nor go back in time and adjust for the many zero-day attacks aimed at browsers.
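The measurement described above, lifting the browser and version from the User-Agent field of server logs and counting a hit as "secure" only when it runs the latest major release, as an added example that is not code from the study or from this post. The log lines, the mid-2008 "latest major release" table and the User-Agent patterns are all constructed assumptions for illustration; the Opera-first ordering matters because Opera could identify itself as MSIE, and Safari before version 3 carried no "Version/" token at all.

```python
import re
from collections import defaultdict

# Latest major release per browser as of mid-2008 (assumed snapshot for this example).
LATEST_MAJOR = {"Firefox": 3, "MSIE": 7, "Opera": 9, "Safari": 3}
# Checked in order: Opera first, since it can masquerade as MSIE ("... MSIE 6.0; ...)
# Opera 9.50"); Safari before 3 lacks the "Version/" token, so it yields no version.
UA_PATTERNS = [
    ("Opera", re.compile(r"Opera[/ ](\d+)")),
    ("Firefox", re.compile(r"Firefox/(\d+)")),
    ("MSIE", re.compile(r"MSIE (\d+)")),
    ("Safari", re.compile(r"(?:Version/(\d+).*)?Safari/")),
]
COMBINED_UA = re.compile(r'"([^"]*)"\s*$')  # last quoted field of a "combined" log line

# Constructed sample log lines (not data from the study); the request prefix is shared.
PREFIX = '192.0.2.1 - - [08/Jul/2008:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" '
SAMPLE_LOG = [PREFIX + '"%s"' % ua for ua in [
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14",
    "Mozilla/5.0 (Windows; U; Windows NT 6.0; rv:1.9) Gecko/2008052906 Firefox/3.0",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
    "Opera/9.50 (Windows NT 5.1; U; en)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.50",
    "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_4) AppleWebKit/525.18 Version/3.1.2 Safari/525.20",
    "Mozilla/5.0 (Macintosh; U; PPC Mac OS X) AppleWebKit/418.9 (KHTML, like Gecko) Safari/419.3",
]]

def classify_ua(ua):
    """Return (browser, major_version); major is None if the UA carries no version."""
    for name, pat in UA_PATTERNS:
        m = pat.search(ua)
        if m:
            return name, (int(m.group(1)) if m.group(1) else None)
    return None, None

def secure_share(log_lines, latest=LATEST_MAJOR):
    """Per-browser fraction of hits on the latest major release, and the overall fraction."""
    hits = defaultdict(lambda: [0, 0])  # browser -> [total hits, hits on latest]
    for line in log_lines:
        m = COMBINED_UA.search(line)
        browser, major = classify_ua(m.group(1)) if m else (None, None)
        if browser is None:
            continue  # unparseable line or unknown agent: excluded from the population
        hits[browser][0] += 1
        if major is not None and major >= latest[browser]:
            hits[browser][1] += 1
    per_browser = {b: on / total for b, (total, on) in hits.items()}
    total, on_latest = (sum(t for t, _ in hits.values()), sum(o for _, o in hits.values()))
    return per_browser, (on_latest / total if total else 0.0)
```

On the constructed sample, three of the four browsers show half their hits on an older release and the Opera line that claims to be MSIE 6 is correctly credited to Opera 9; a version-only check like this still says nothing about plug-in versions, which is the blind spot the post notes.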

Firefox's auto-update mechanism resulted in most of its users updating to a new version within three days of a new release. Opera's "manual update & download reminder" approach meant it took about eleven days before most of its users updated to a new release. The researchers found that it took 19 months before 53% of IE users updated to IE7; in contrast, 92% of Firefox users were already using version 2. I agree with their recommendation that the other major browsers follow Mozilla's (auto-update) lead:

While Microsoft’s operating system auto-update functionality encompasses the Internet Explorer update mechanism even if the browser is not in use, the fact that patch updates (for both Internet Explorer 6 and 7) are typically only made available on a monthly basis means that updates are released less frequently (when compared to Firefox), which can result in a lower short term patching effectiveness.

Based upon our findings, we strongly recommend that software vendors embrace auto-update mechanisms within their products that are capable of identifying the availability of new patches and installing security updates as quickly and efficiently as possible - ideally enabled by default and causing minimal disruption to the user. We also recommend that these same auto-update mechanisms are capable of alerting the user of any plug-ins currently exposed through the Web browser that have newer and more secure versions available.

They actually go further and envision a "best before" dating system, akin to what the food industry adopted years ago to help consumers evaluate the likelihood of spoilage. I'm not crazy about the analogy (food and Internet browsing safety) but some form of aggressive notification may encourage users to update their browsers quickly.

What I like about this study is that the resulting data-gathering systems should be able to provide regular updates and over time we can monitor how browser users and makers adapt. Other notable comprehensive security studies include Google's automated system for uncovering web-based malware, and RobotGenius' ongoing automated analysis (using multiple commercial scanners and a behavioral AV detector) of every Windows executable available for download. But while good data sources help determine the scope of a problem, in the case of computer security, bridging the cultural divide that exists between web developers and their Black Hat counterparts may prove just as important.


tags: malware, security
Comments: 7

  Sharlin kaur [07.07.08 10:18 PM]

I was searching for some blog today and in the Google result it was saying "malware or spyware can harm your machine", would you like to open. What does that mean actually? Does Google check your website for malware or spyware also, or was it because of your updated browser? Kindly suggest.

  Devon Young [07.07.08 11:57 PM]

I like the "best before" idea. Perhaps it would get the user's attention even more if it said "Most secure before.."? It probably wouldn't be a great idea... but I'd like to see a browser actually quit functioning when it detects an updated version has been released.... like when Firefox 4 comes out, if Firefox 3.x would just start showing a page that says "This browser version is no longer the most secure one, you need to upgrade now." with a link. Of course, there'd be a preference to disable or alter that, so if you really wanted... you could use it. But by default, it would just stop functioning. I think most people would welcome that, if it's clearly for security purposes. Looking out for the user's benefit would be good public relations.

  sam [07.08.08 06:21 AM]

This study is very incomplete, and probably only worries about end users at home. In enterprises, it's more risky to auto update to the latest and greatest without thorough enterprise testing. In fact, there are often incompatibility issues to work out with the latest patches, etc.

It's a scary and hasty recommendation to ask software vendors to adopt the auto update mechanism. From a user's perspective, users should be in control, not machines controlling humans :-) First principle of good user experience design!

  Ben Lorica [07.08.08 12:10 PM]

Sam,

Good point re: the enterprise. I was thinking along those lines while I was typing the post, recalling my days working for a large bank. I think the auto-update/best-before schemes they are proposing are good suggestions ("...ideally enabled by default and causing minimal disruption to the user") for both browser makers and users, although the proposals have to be adjusted to meet the needs of the enterprise.

Ben

  Phil [07.09.08 05:42 PM]

Did the studies attempt to do any fancy forensics/guesswork to glean what percentage of users were running the current version of the OS?

I was surprised to see only 2/3 of Safari users running with the current browser. I presumed that the vast majority of home users would be getting the software updates. Perhaps a number of folk who haven't purchased MacOS 10.5 would explain that low number.

  Ben Lorica [07.09.08 06:06 PM]

Phil,

The study does not include a breakdown by OS. I'm sure it would have been easy for them to do that; they just chose not to. They did publish the "market share" (as defined by their population of users) for each browser, click here.

Ben
