Most users simply can't be bothered

Jul 2, 2008 08:51 GMT  ·  By

Google, IBM and the Swiss Federal Institute of Technology do not take this lightly, unlike hundreds of millions of users out there. According to a study conducted by five researchers from the above-mentioned organizations, only 59% of PC users take the time to update and patch their browser. The remaining 40% or so, about 637 million websurfers, go online using an outdated, vulnerable browser. Last year, the greater part of all IT vulnerabilities was made up of remote exploits (89.4% to be exact), and the recent trend amongst attackers is to target vulnerabilities within web browsers. It makes sense, since so many people fail to take the necessary safety precautions.

The study was published yesterday, the 1st of July 2008, and it was conducted by Stefan Frei, Thomas Dübendorfer, Gunter Ollmann and Martin May. The researchers came to this conclusion after analyzing user information from Google's database. All this information, which is not the sensitive, confidential kind, was gathered over a period of about one and a half years (from January 2007 until June 2008). The trio of organizations looked at when a patch was released and when it was downloaded and installed by the user. Several browsers were analyzed (Internet Explorer, Firefox, Safari, Opera, etc.) and the data was compiled according to the browser.

The study had nothing to do with market share; its main focus was finding out how many security-oriented browser users there are and how often they update and patch their software. This is what the researchers had to say: "The absolute worldwide user counts were derived from the global Internet user count of 1,408 billion users. Keep in mind that IE6, Opera 8 and Firefox 3 were not included in the study."

How do the browsers stack up?

Microsoft's IE7, released in late October 2006 in order to replace IE6, accounts for the better half of the market share. It is the most widespread browser, but come to think of it, it has also been on the market the longest, considerably longer than the other browsers in the study. Just slightly more than half of all the people out there using Microsoft's Internet Explorer are actually using IE7, and out of all of them only 47.6% update frequently.

According to the study, out of all Internet Explorer users, 52.4% use IE7 while the remaining 47.6% use IE6. US-CERT (short for US Computer Emergency Response Team) has recently announced that it found a new security vulnerability within IE6. The browser does not handle cross-site scripting attacks well, leaving the user open to attack. An attacker could get away with stealing your cookies and other security credentials without you even noticing it. US-CERT and Microsoft have announced that the only way to stay protected is to upgrade to IE7 or to switch to another browser; either way, stop using an outdated, vulnerable one. Still, it seems that almost half of Internet Explorer users continue to surf the web with IE6.

Firefox and Opera users seem to be more security-oriented, as well over 90% of them use Firefox 2 and Opera 9. Keep in mind that the study did not take into consideration the recently released Firefox 3. Out of all Firefox users, 83.3% update frequently, while Opera has a lower percentage, 56.1%. This comes as no surprise to anyone, as it is a well-known fact that most Firefox and Opera users are more technology-oriented. Not to mention that updating and patching is incredibly simple in Mozilla Firefox; the browser informs you that a new patch or update is available and all you have to do is click in a confirmation box.

Safari users show a high interest in browser security as well, as slightly over 70% of them are using Safari 3 and 65.3% update on a regular basis. This browser is automatically set to look for updates every second Tuesday of each month. If a security flaw is discovered and a patch is issued by the software company, then it is important that the user update manually. The browser will eventually do this automatically, but the user is left open to attacks until it does.

Plug-ins and add-ons put you at risk

According to the study, PC users usually have about 6 to 10 plug-ins. If any of those plug-ins have vulnerabilities, then your system is at risk. It doesn't matter whether you upgrade and patch frequently or do not do this at all.

Stefan Frei uses an analogy to better explain this: "The browser is the bread, and even if the bread is fine, if the ham is rotten, you have a problem."

Currently applied solutions

The researchers believe that the update feature included by the Mozilla team in the Firefox browser may be the reason why it fares the best compared to similar applications: "Firefox's auto-update was found to be way more effective than Opera's manual update download reminder strategy." It is so efficient that it should be featured in all browsers, say the researchers.

What about the corporate world? The study suggests that companies set up strong filters that will prevent any employee from accessing malware-infested sites. "If a Web site or particular URL is known to be malicious, it is a trivial process to prevent Web browser users navigating to the site and accessing the malicious content. However, a limitation of this protection is the extent of the URL database. If a malicious URL is not listed within the filtering database, no filtering protection is typically applied," say the researchers.

Conclusion

Researchers from the three organizations (IBM, Google and the Swiss Federal Institute of Technology) think the labeling process currently used in the food industry should be adopted by the software industry as well. When a browser is put on the market, it should have a warning label similar to the "best before" ones. This way, even the least security-oriented websurfer will know that it is important to update and patch often. The thing is that sometimes it takes months until a patch is downloaded, if at all, even though the software manufacturer has issued that patch immediately after a vulnerability was discovered.

By far the most efficient method is to include an auto-update feature in the browser. Even if the user can't be bothered about getting the latest patch or update, the browser will fetch it on its own.