July 16, 2008

Are you using the latest web browser?



In view of the mass defacement of hundreds of thousands of web pages with the intent of misusing them to launch drive-by download attacks, security researchers from ETH Zurich, Google, and IBM Internet Security Systems set out to look at the other side of the attack: the web browser. By analyzing the web browser versions seen in visits to Google websites, they have shown that more than 600 million Internet users do not run the latest version of their browser.

Slow migration to latest browser version
The researchers' paper, entitled "Understanding the Web Browser Threat", shows that as of June 2008, only 59.1% of Internet users worldwide use the latest major version of their preferred web browser. Firefox users are the most attentive: 92.2% of them surfed with Firefox 2, the latest major version before the recently released 3.0. Only 52.5% of Microsoft Internet Explorer users have updated to version 7, which is the most secure according to multiple publicly cited Microsoft experts (among them Sandi Hardmeier). The study revealed that 637 million Internet users worldwide are either not running the latest version of their preferred browser or have not installed the latest patches. These users are exposed to exploitation through their web browser's "built-in" vulnerabilities and through the lack of more recent security mechanisms such as improved phishing protection.

Neglected security patches
Over the past 18 months, the study also shows, at most 83.3% of Firefox users were running the latest major version of the browser with all current patches installed (i.e., the latest minor version). Only 56.1% of Opera users and 47.6% of Internet Explorer users were similarly running fully patched browsers. Apple users are no better: since the public release of Safari 3, only 65.3% of Safari users have run the latest version.
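The two measurements above (share of users on the latest major version, and share on the latest major version with the latest patch level) both come down to parsing the User-Agent header from web server logs and comparing the reported version against a "current" version table. The script below is an added example, not code from the paper or from Google; it runs over a handful of constructed Combined Log Format lines, and its table of "current" versions is an assumption chosen for the example rather than the paper's own data. It also shows the caveat a practitioner hits immediately: Internet Explorer's User-Agent string reports only "MSIE 7.0" and never changes when cumulative security updates are installed, so IE patch level cannot be measured from logs at all, whereas Firefox, Opera and Safari encode the full version.

```python
import re
from collections import Counter

# Constructed sample of Combined Log Format lines (illustrative only, not
# real Google traffic). The last quoted field is the User-Agent header.
SAMPLE_LOG = """\
10.0.0.1 - - [16/Jul/2008:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15) Gecko/20080702 Firefox/2.0.0.15"
10.0.0.2 - - [16/Jul/2008:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12"
10.0.0.3 - - [16/Jul/2008:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.0.4 - - [16/Jul/2008:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
10.0.0.5 - - [16/Jul/2008:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Opera/9.51 (Windows NT 5.1; U; en)"
10.0.0.6 - - [16/Jul/2008:10:00:06 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_4; en-us) AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.2 Safari/525.20"
10.0.0.7 - - [16/Jul/2008:10:00:07 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
10.0.0.8 - - [16/Jul/2008:10:00:08 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.18.2"
"""

# Every double-quoted field in a log line; the User-Agent is the last one.
QUOTED_FIELD_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Opera is matched first because it can impersonate MSIE in its UA string.
BROWSER_PATTERNS = [
    ("Opera", re.compile(r"^Opera[/ ](\d+(?:\.\d+)*)")),
    ("Firefox", re.compile(r"Firefox/(\d+(?:\.\d+)*)")),
    ("Safari", re.compile(r"Version/(\d+(?:\.\d+)*).*Safari/")),
    ("Internet Explorer", re.compile(r"MSIE (\d+(?:\.\d+)*)")),
]

# ASSUMED "current" versions for this example (approximate mid-2008 values,
# not taken from the paper). A real deployment would refresh this table
# from the vendors' release announcements.
LATEST = {
    "Firefox": (3, 0, 1),
    "Safari": (3, 1, 2),
    "Opera": (9, 51),
    "Internet Explorer": (7, 0),
}


def parse_version(text):
    """'2.0.0.15' -> (2, 0, 0, 15), so tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))


def user_agent(log_line):
    fields = QUOTED_FIELD_RE.findall(log_line)
    return fields[-1] if fields else ""


def classify(ua):
    """Return (browser name, version tuple), or (None, None) for non-browsers."""
    for name, pattern in BROWSER_PATTERNS:
        match = pattern.search(ua)
        if match:
            return name, parse_version(match.group(1))
    return None, None


def status(name, version):
    """(on latest major?, fully patched?); patched is None when unknowable."""
    latest = LATEST[name]
    latest_major = version[0] == latest[0]
    if name == "Internet Explorer":
        # "MSIE 7.0" never changes when cumulative updates are installed,
        # so the UA string carries no patch-level information at all.
        return latest_major, None
    # (3, 0) < (3, 0, 1): a user on 3.0 is on the latest major but unpatched.
    return latest_major, latest_major and version >= latest


def summarize(log_text):
    stats = {}
    for line in log_text.splitlines():
        name, version = classify(user_agent(line))
        if name is None:
            continue  # crawlers, curl, unknown clients
        counts = stats.setdefault(name, Counter())
        latest_major, patched = status(name, version)
        counts["total"] += 1
        counts["latest_major"] += latest_major
        if patched is None:
            counts["patch_unknown"] += 1
        else:
            counts["fully_patched"] += patched
    return stats


def share(stats, name, key):
    """Percentage of that browser's users in the given bucket, one decimal."""
    counts = stats[name]
    return round(100.0 * counts[key] / counts["total"], 1)


def report(stats):
    lines = []
    for name in sorted(stats):
        counts = stats[name]
        patched = ("n/a (UA carries no patch level)" if counts["patch_unknown"]
                   else f"{share(stats, name, 'fully_patched')}%")
        lines.append(f"{name:18} n={counts['total']:3}  latest major: "
                     f"{share(stats, name, 'latest_major')}%  fully patched: {patched}")
    return "\n".join(lines)


STATS = summarize(SAMPLE_LOG)

if __name__ == "__main__":
    print(report(STATS))
```

The same `status()` check is what a server-side "best before" banner would evaluate per request before deciding whether to warn the visitor; the IE branch is the reason such a banner can only ever say "you are on an old major version" for IE users, never "you are missing patches". Note also that the Firefox 3.0 visitor counts toward the "latest major version" figure but not the "fully patched" figure, which is exactly the gap between the two headline numbers in the paper.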


Maximum measured share of users surfing the web with the most secure versions of Firefox, Safari, Opera and Internet Explorer in June 2008 as seen on Google websites.


Obsolete browser warning
The study's most important finding is that the technical measures now in place do not sufficiently guarantee browser security, and that users' security awareness must be developed further. The core problem is that most users are unaware that they are not running their browser's latest version. It must be made clear to web browser users that outdated software carries significantly higher risk. The researchers therefore suggest that, since the browser is a critical component of web software, it carry a visible warning that alerts the user to missing security patches, analogous to the "best before" date in the perishable food industry. Software updates must also be made easier to find. The resulting transparency would go far in raising end-user awareness of software weaknesses and allow users to better evaluate their risk.


Example "best before" implementation on a Web browser


As a side effect, having users migrate faster to the latest browser version would not only increase security but also make the lives of webmasters easier, as they would need to test and optimize websites for fewer older versions of web browsers.

24 comments:

  1. That's all fine and dandy, but here in the good ol' US of A well more than 50% of the country still has no access to broadband, and the broadband services they CAN use (like Hughes) actually have policies in place that make patching a machine that's been offline more than a few months (or has never had patches applied) near impossible.

    It's simply absolute folly to rely on security on the users' end. As hosts, webmasters and industry professionals, we simply have to prevent them from accessing dangerous content (like through DNS filters), or by being far more aggressive in filtering user-supplied content to our sites, thus preventing that avenue of attack.

  2. It's also disingenuous to claim that IE7 or FF3 are the 'most current' versions. Quite a few of my local clients are still using Windows 2000, Windows 98, and OSX 10.2 - which do not support 'current' versions of IE or Firefox.

  4. @shawn k. hall:

    FF3 will work with Windows 2000. They have abandoned support for Windows 98, though.

  5. Shawn: I'm using Firefox 3 on Windows 2000.

    I disagree with the conclusion, though. The best thing that Microsoft could do to get people to update Internet Explorer would be to give people the option of EASILY rolling back the dubious Vista-style user interface "improvements" in IE7.

    Because IE7 is the biggest roadblock to people who are happy with IE6.

  6. I have purposely avoided upgrading to IE7 because of the horrible user interface 'improvements'.

    Firefox 3 is amazing, but we have compatibility problems with old web-based user manuals that were written for IE. (Updating the documentation would take far, far longer than simply not updating the browser.)

    I sure hope in IE8 they give us more interface customization options (like a freakin' FORWARD button! And a 'stop' button you can put next to the other navigation buttons so that you don't have to scroll all the way across my 21" widescreen to push!)

  7. Jeremy Gordon said: "Firefox 3 is amazing, but we have compatibility problems with old web-based user manuals that were written for IE. (Updating the documentation would take far, far longer than simply not updating the browser.)"

    The solution is simple: Use Firefox 3 to browse everything else, and use IE solely to read the user manuals while they are being fixed.

    I think you're not considering ALL costs. If your browser is exploited, then there's a big cost in the data loss and system recovery, including the time to do it.
    Obviously, the real error was in allowing someone to develop files that were tied to a particular browser, but instead of perpetuating the error, it's time to get that fixed.

  8. It's probably worth noting w.r.t. Safari that users of relatively recent versions of OS X cannot upgrade to the latest version. Panther (replaced April 29, 2005) users are limited to Safari 1.3 and Firefox 2.

    Similarly, Win9x users are limited to Firefox 2 and IE 6, but it's been a bit longer since this was the current version of Windows.

  9. Jeremy Gordon said: "Firefox 3 is amazing, but we have compatibility problems with old web-based user manuals that were written for IE. (Updating the documentation would take far, far longer than simply not updating the browser.)"

    Install the IE Tab add-on to Firefox. It displays the pages using IE inside of a Firefox Tab. Really saves the hassle of switching to IE when you run into a page that requires IE to view it.

  10. The reason I have stopped updating Firefox every time an update is available is simple. My add-on application extensions get broken (or so Firefox says and disables them) nearly every time and I have to wait up to a month to get them back.

  12. It's Zürich >.> . We take pride in our Umlaut.

  13. So, Google Security Team, if this "best before" warning is such a nice idea (and I think it might be), there's nothing stopping you from implementing it in the corner of the google home page (preferably as optimized for speed as possible). Try it with some of that split A/B testing Marissa Mayer is always talking about.

  14. In response to the post that said "IE7's interface" is the biggest "Roadblock"; I beg to differ. I think your unwillingness to learn the slightest alterations in new technologies is the only road block sir. And if you are that unwilling to learn such a simple technology, then maybe you should try fishing.

  16. Chris, you have that backwards. It is the burden of the programmer/publisher to give a compelling reason to upgrade. Interface changes that aren't a clear improvement are a clear detriment, precisely because any user interface change hurts usability.

    If Microsoft, or Google, or anyone, wants me to accept a major UI change, then it had best be because once learned, the UI works *better* than before. Because otherwise, it means I (and other users) have to swallow relearning the UI... for no good reason at all.

  17. Actually I think it's a very good idea, especially for someone that does not surf and use the internet on a daily basis. So when you actually do log on through your preferred browser you are immediately made aware of any changes. But!!!! As long as the proposed update does actually work and does not cause your browser to keep on crashing!!!!!!

  18. Completely agree with the suggestion of letting users know the current exact status of the browser in an understandable way (no heavy IT jargon) that will compel users to take a little extra time in updating their browser by downloading a patch or a complete latest version.

    One of the reasons why many users do not easily take to upgrading is the non-availability of assurance in quality. If one upgrades and finds that in the process of closing a recent security threat, another security hole which existed long back has been opened, it's a loss.

    If only there were an assurance marked against every patch or new version, cleanly and clearly for everyone to see, with some end-user experiences clubbed in, then that might add to the quality of service as well as the overall improvement of users' experience on the web.

  19. Maybe Google could help by simply issuing a warning at the top of its search page (like those yellow background lines saying "You are not using the latest version of your browser") and the like.

  20. Yes, ^^ Firefox is the best browser thus far. I recently had a poll on my blog concerning this: http://eternalblackzero.blogspot.com/2008/11/poll-of-day-2-results.html

    My analytic report also shows that my blog visitors are using FF as well, and IE in second place. IE still exists because it comes bundled with Windows.... -.- But maybe it will remain in the 2nd place forever, though.

  21. @Shawn: What is the point of a secure browser on an insecure operating system? Obviously in the cases you state, the client needs to update both. Also, what bearing does the portability of a browser have on its age? By this logic there are OS9 systems that need an IE update...

  22. Google - please warn IE5/6 users to upgrade their browser!
