Do browsers need a 'best-before' date?

By Robert Vamosi on 02 July 2008


Security researchers have suggested that, like food, browsers should have a best-before or expiry date. The suggestion comes after they revealed that 637 million internet users are surfing with outdated and unpatched browsers, which puts them at risk from web-based attacks.

Using data collected from Google Web searches and security firm Secunia, the researchers, Stefan Frei (of ETH, Zurich), Thomas Dübendorfer (Google), Gunter Ollmann (IBM ISS), and Martin May (ETH, Zurich), analysed the browsers used in a new report (PDF). They did so in an effort to understand why so many recent attacks by criminal hackers have been aimed at the browser, and why those attacks have been so successful.

The authors found that roughly 40 per cent of users had insecure versions of their Web browser. Among the least compliant were users of Internet Explorer, which currently dominates the market.

The data was collected in mid-June 2008. Of the users, 78 per cent used Internet Explorer, 16 per cent Firefox, three per cent Safari and 0.8 per cent Opera. Within each group, 52 per cent of Internet Explorer users were running the latest version of their browser, compared with 92 per cent of Firefox users, 70 per cent of Apple Safari users and 90 per cent of Opera users.

The authors note that it has taken IE 7, the current Internet Explorer release, 19 months to gain only 52 per cent of the entire Internet Explorer audience. Forty-eight per cent of the users in the study were either using an old version of IE 7 or still had IE 6 installed.

Some of this has to do with how the respective vendors provide updates. IE 7 is currently offered as an auto-update with each monthly set of Microsoft security patches, yet a number of people are opting out of the upgrade and still running IE 6.

The study did not include use of insecure browser add-ons, such as older versions of Adobe Reader, because the data from Google contained only the browser info.

For mitigation, the study drew comparisons with the food industry: people understand the need to buy the safest foods, so why not the safest browsers? People understand that food is perishable, so why not make Internet browsers display expiration dates? The authors provided an example of a browser that displayed, in red in the upper right-hand corner, "145 days expired, 3 updates missed."

But unlike the food industry there is no liability for software vendors. And, the authors note, software vendors are not legally obligated to provide software updates.

Imagine if the food industry was not accountable for selling spoiled milk.


brian
02/07/2008 11:26 AM

I think part of the problem here is that most new browsers don't work on slightly older operating systems. I'm on a Mac at work and having to use OS 10.3, so I don't have the option to upgrade to the latest versions of Firefox or Safari as they don't support my operating system.


Dean
02/07/2008 01:49 PM

brian: that's kind of the same thing. An old operating system is just as vulnerable as an old browser. It's slightly worse in the Apple world, where Apple do not support their products as long as Microsoft do (for example, Windows XP, released in 2001, is still supported [in terms of security updates, etc.], whereas OS X 10.3 was released in 2003 and is apparently no longer supported).
