Some new statistics just came out regarding Browser Security, this is more in terms of which users are most likely to apply patches and be using the most secure version.
I would have thought Firefox would have been pretty high since the newer series prompt automatically new patches. My only guess is a lot of people are still using 1.5x series which didn’t have that feature.
It turns out, that Internet Explorer is the ‘most secure’. Well that’s very subjective as IE doesn’t show sub versions like the other browsers do..and Windows Updates pushes out patches quite agressively. It also depends which set of data you look at as both conflict, one says Firefox users are more secure and one says IE
The researchers who published a large study of web browser security this week had a great idea and excellent data to work with. Too bad they overreached with their conclusions. A lot more is being made of this paper than is warranted.
The researchers, from ETH Zurich, Google, and IBM, looked at log data provided by Google from their global user base for web search and applications for the period between January 2007 and June 2008. This data was based on the browser user-agent string, which is also the reason the data is not as telling as the authors argue.
What did the study conclude? First, lots of users are not running the most up-to-date and secure versions of their web browsers. Second, that this is primarily a phenomenon of Internet Explorer users; Firefox users, on the other hand, overwhelmingly update their browsers quickly. These and other results lead the authors to suggest that browsers get expiration dates, much like milk and pharmaceuticals.
As expected though a LOT of users are not running the latest version of their browser, but that doesn’t surprise us really does it?
I think the versioning is an issue though, with IE you only get to know about the major version (IE5, IE6, IE7, IE8) and not which actual patches they have applied.
Why, one might ask, does Microsoft not provide minor version information? Microsoft’s David LeBlanc answers that question in his blog by saying that they consider such information to be an “information disclosure vulnerability.” In other words, by giving a web-based attacker precise version information, you are also giving them better information on how to attack that browser.
In these measurements IE7 users are much more likely to be up to date than other browser users. The authors are correct that Secunia users are more likely to be security-aware, but even when they try to adjust the numbers, multiplying the IE7 number by 2.1 “… to correct for the bias of Secunia’s measurement within a security aware user population” IE7 still ends up looking better.
There is actually a discrepency between the two sets of data, the metrics are odd though and are based on heavy assumptions (IE7 is secure but IE6 is not, while IE7 is a MORE secure browser architecture and feature wise, a fully patched IE6 can also be perfectly secure).
I’d be interested to see more of these stats and see the full Google access logs for a few month period.
That would be some interesting data mining.
Recent in Countermeasures:
- Smooth-Sec – IDS/IPS (Intrusion Detection/Prevention System) In A Box
- HoneyDrive Desktop v0.2 Released – Honeypot LiveCD
- Noted Chinese Hacker Wicked Rose Heading Antivirus Company Anvisoft
- Browzar is Bullshit
- Month of Browser Bugs (MoBB)
- Browser Fuzzer 3 (bf3) – Comprehensive Web Browser Fuzzing Tool
Most Read in Countermeasures:
- AJAX: Is your application secure enough? - 118,505 views
- Password Hasher Firefox Extension - 116,490 views
- NDR or Backscatter Spam – How Non Delivery Reports Become a Nuisance - 57,494 views