Which Browser Users Are More Secure?

Some new statistics have just come out regarding browser security, specifically which users are most likely to apply patches and be running the most secure version of their browser.

I would have thought Firefox would have ranked pretty high, since the newer series automatically prompts users to install new patches. My only guess is that a lot of people are still using the 1.5x series, which didn’t have that feature.

It turns out that Internet Explorer is the ‘most secure’. Well, that’s very subjective, as IE doesn’t report sub-versions the way the other browsers do, and Windows Update pushes out patches quite aggressively. It also depends which set of data you look at, as the two conflict: one says Firefox users are more secure and one says IE users are.

The researchers who published a large study of web browser security this week had a great idea and excellent data to work with. Too bad they overreached with their conclusions. A lot more is being made of this paper than is warranted.

The researchers, from ETH Zurich, Google, and IBM, looked at log data provided by Google from their global user base for web search and applications for the period between January 2007 and June 2008. This data was based on the browser user-agent string, which is also the reason the data is not as telling as the authors argue.

What did the study conclude? First, lots of users are not running the most up-to-date and secure versions of their web browsers. Second, that this is primarily a phenomenon of Internet Explorer users; Firefox users, on the other hand, overwhelmingly update their browsers quickly. These and other results lead the authors to suggest that browsers get expiration dates, much like milk and pharmaceuticals.

As expected, though, a LOT of users are not running the latest version of their browser, but that doesn’t really surprise us, does it?

I think the versioning is an issue, though: with IE you only get to know the major version (IE5, IE6, IE7, IE8) and not which actual patches have been applied.

Why, one might ask, does Microsoft not provide minor version information? Microsoft’s David LeBlanc answers that question in his blog by saying that they consider such information to be an “information disclosure vulnerability.” In other words, by giving a web-based attacker precise version information, you are also giving them better information on how to attack that browser.
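To make the measurement problem concrete, here is an added example (not code from the post or from the study) that classifies user-agent strings the way a UA-only dataset allows: Firefox reports its full version, so it can be checked against a latest-release table, while IE reports only its major version, so its patch level cannot be determined. The LATEST table and the sample log lines are constructed for illustration, not figures from the study.

```python
import re

# Constructed "latest release per major line" table for mid-2008; these
# values are illustrative assumptions, not data from the Google/ETH study.
LATEST = {
    "Firefox": {"2": "2.0.0.14", "3": "3.0"},
    "MSIE": {"6": "6.0", "7": "7.0"},
}

# Firefox exposes its full version; IE exposes only "MSIE <major>.<minor>",
# and cumulative security updates do not change that token.
FIREFOX_RE = re.compile(r"Firefox/(\d+(?:\.\d+)*)")
MSIE_RE = re.compile(r"MSIE (\d+)\.(\d+)")


def parse_ua(ua):
    """Return (browser, version) from a user-agent string, or (None, None)."""
    m = FIREFOX_RE.search(ua)
    if m:
        return "Firefox", m.group(1)
    m = MSIE_RE.search(ua)
    if m:
        return "MSIE", f"{m.group(1)}.{m.group(2)}"
    return None, None


def version_tuple(v):
    return tuple(int(x) for x in v.split("."))


def classify(ua):
    """Bucket a UA into what a UA-only study can actually know."""
    browser, version = parse_ua(ua)
    if browser is None:
        return "other"
    major = version.split(".")[0]
    latest = LATEST.get(browser, {}).get(major)
    if latest is None:
        return "unknown-line"      # no reference release for this major line
    if browser == "MSIE":
        return "major-only"        # patch level is not visible in the UA
    if version_tuple(version) >= version_tuple(latest):
        return "current"
    return "outdated"


def tally(uas):
    """Count classifications over an iterable of UA strings."""
    counts = {}
    for ua in uas:
        bucket = classify(ua)
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts


# Constructed sample log lines (UA column only).
SAMPLE_LOG = [
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14",
    "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.12) Gecko/20070508 Firefox/1.5.0.12",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 SeaMonkey/1.1.9",
]

if __name__ == "__main__":
    print(tally(SAMPLE_LOG))
```

Running it shows that every IE hit lands in the "major-only" bucket, which is exactly the blind spot the post is complaining about.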

In these measurements IE7 users are much more likely to be up to date than other browser users. The authors are correct that Secunia users are more likely to be security-aware, but even when they try to adjust the numbers, multiplying the IE7 number by 2.1 “… to correct for the bias of Secunia’s measurement within a security aware user population” IE7 still ends up looking better.

There is actually a discrepancy between the two sets of data. The metrics are odd, though, and are based on heavy assumptions (IE7 is counted as secure but IE6 is not; while IE7 is a MORE secure browser architecture- and feature-wise, a fully patched IE6 can also be perfectly secure).

I’d be interested to see more of these stats, and to see the full Google access logs for a few-month period.

That would be some interesting data mining.

Source: eWeek

Posted in: Countermeasures, Exploits/Vulnerabilities


13 Responses to Which Browser Users Are More Secure?

  1. test July 7, 2008 at 8:07 am #

    Would be nice if you could produce a graph or piechart

  2. Bogwitch July 7, 2008 at 9:47 am #

    Lies, damn lies and statistics.

    It is interesting to me that IE users are not updating their systems as often as would be prudent. Given the nagging that MS software and OSes perform to ensure patches are applied as soon as possible, and given that a large chunk of malware will attempt to disable Automatic Updates, we can assume that a large number of systems are infected with malware. Is anyone surprised? I doubt it. It is also true that the number of malwares that disable updates within Firefox will be far fewer in number (I can’t think of any off the top of my head). Is it any surprise that Firefox Browsers are more up to date?

  3. Ian Kemmish July 7, 2008 at 12:45 pm #

    Two things:

    1) Since the vulnerabilities in older browsers are not a superset of the vulnerabilities in newer browsers (or indeed OSs!), there’s something to be said for running an obsolete system. For the longest time, the only “mass market” machine I connected to the Internet ran NT 4. (Most of the time I used an old mips UNIX machine.)

    2) Perhaps most paranoid and secure browser users, noting the number of stories about malware links on Google, choose to use a less popular search engine.

  4. zupakomputer July 7, 2008 at 3:40 pm #

    Is that dependent on what settings are chosen in the browser though, or is it about means that any malware would use to get around the likes of ‘no pop-ups’, ‘no cookies’ and so forth?

    I’m getting a U on it (the link, in the link here) for ‘strong security’ with Firebird here – that would seem to be referring to the security settings in the browser.

    Or say if you leave the box checked for settings like ‘save passwords’ on your browser, is it looking at how that kind of thing could get data-mined?

    “this week, ir ‘ave bin mostly using, Seamonkey. And Firebird.”

  5. Amy July 8, 2008 at 8:51 am #

    Some assumptions are off-base. The author *assumes* that Windows users feel IE7 to be more secure than IE6. These are the same folks who got steamed that IE7 was a *critical update.” These are the same folks who feel that Vista is far less secure than XP because of Vista’s *bloat.* What I feel ~ you understand ~ doesn’t matter, even though these folks are wrong on both counts. These folks detest the ActiveX component of IE ~ that’s their issue which they misconstrue with their negative views on Vista/IE7. And because these folks happen to be mods of security-related MSN Group(s) with active memberships of 40,0000+ people, their opinions rule. They advise their 40,000 members not to set Vista on auto-updates, but rather to set it on auto-downloads and then decide which progs to install. Ditto for IE7 ~ wait til it’s well-tested with some experience behind it, before installing, they counsel. Ditto for AVG 8.0 ~ it’s *bloatware* so use Avast or AVIRA, instead.

    These sort of advices to such a huge Group are clearly inappropriate, but the mod’s are on a power trip to nowhere. You ask why users are running out of date browsers et al, and here’s your reason. In themselves, they make a good case of course (with the exception of the XP/IE6 vs Vista/IE7 nonsense). But to use their 40K members ~ mostly noobs ~ as a testing ground for distributing very lame advice geared from experts presumably to experts is absurd and ill-willed.

    AVG 8.0 as bloatware? Well, of course. That’s not news. But for 40K noobs most of whom don’t even have an anti-virus or anti-spyware running, a bloated yet consistently award-winning A/V and (before it changed names from Ewido) A/S ~ just because it’s bloated ~ is malicious advice in my view. We’re talking about people who’ll go without any A/V and A/S due to such advice.

    Re a great, free software Firewall – to round out the picture – their advice is PC Tools’ software. With the likes of Comodo out there, I figure the joke software offered by PC Tools (sorry, but I feel that it is) speaks for itself. 40K noobs will naturally study the site after installing the firewall and discover Registry Mechanic ~ BSOD coming right up!

    Ditto for their advice anti-Vista/IE7 and pro-XP/IE6. At best, the most polite way I can put it is that this is the caliber of *experts* we’ve got advising our noob in huge numbers.

  6. Navin July 9, 2008 at 10:59 am #

    Man, Amy you certainly have a lot to say!! I don’t really get why you’re up in arms against these multi-million user forums!! Most of these forums U’re referring have a strict and rigorous procedure to select mods…. with people from across the world vying for the title of moderator, its not easy to become a mod simply to boost a product!!

    Even if they push an opinion, its only when tht opinion is followed up by other recognised users, tht sum1 will follow it

    So what if AVG is bloatware?? Its frankly a form of viral marketing!! Its no holds barred “free” ain’t it?? and it does wht it promises to a large extent!! And lakhs of users will tell U tht!! frankly, with guys at reputed sites like download.com and the likes having acknowledged the fact tht even though its free, it seriously has a great engine, no wonder many people use it and appreciate it….. It may be bloatware but atleast its not like so many paid programs tht keep throwing up pop-ups every alternate minute just so tht they can let you know tht they have successfully updated themselves, or tht they’ve successfully started!! At the same time there are a lot of people who suggest the other options U’ve mentioned as well coz tht’s what has worked for them!!

    Coming back to the topic, I think the proper way to judge security would be to look at how many security loopholes have been found in a given browser over the last few months….tht’ll actually give a better idea as to which browser is safer!!

  7. zupakomputer July 9, 2008 at 9:25 pm #

    I see the point – but the problem is it’s really difficult to advise people do anything at all on their computer when you don’t know their real skill level. All you can do is give them walkthroughs at best, on what buttons to press and enable or disable.

    I do think though that Vista does have issues in the security dept.; I haven’t installed it myself (just don’t have one yet, or I would have seen how it is) but got around to giving XP a go on my own machine and it definitely does have stuff on it by default (to do with remote accessing, and automatic update this-and-that) that I’d never ever have running! Not just because it makes your machine (well, your OS installation and possibly any other hdd’s on the same computer) more vulnerable but also because it makes it more slooooowww.

    But to get back to the advice for noobs – again, it isn’t just the default OS that can slow the machine. Just about everything I’ve installed so far on XP likes to add its own little startup process……..which I then have to remove. Ok, they don’t all do that, but a sizeable amount do. Some of them add stuff to the taskbar also, meaning that it needs to be loaded on startup – more sloooowwwness if you don’t take it off.
    I’ve mentioned this before here, on this site, but automated stuff that cleans the registry and the like – those can sometimes make changes and clear out things that you don’t want to lose. And noobs are more likely to use them to deal with the likes of tidying up their msconfig startups and what processes have to be running all the time (ya know, the kinda places malware likes to install itself into); and then something they want to use no longer works anymore, and so on.
    But most of those kinda apps I see advertised as solve-all-problems downloads, as if you needn’t know what you are doing to run them, or more precisely you can use them easily but you may not know what they actually remove or change.

    I think that what Windows tends to suffer from is like in the film Robocop 2, when OCP gives Robocop all those messed up directives. For example – I haven’t had my XP machine online, so I turned off all security. That prompts a ‘your firewall is disabled etc’ balloon to show up on every boot. That went on for a while – every boot, exact same time that pop-up, I’d even be doing the sound it makes at the same time it pops up. Then it starts coming on say half a minute later after startup; so I’m thinking – they must have that on some timer? So it is actually counting the amount of boots, or the days, and it is changing the priority of telling the user ‘your firewall is disabled etc’……..and that, is the kind of thing you should not program into an OS or the like. It’s too complicated; just have prompts that show up balloons, or don’t have them (ie – let them be turned off).
    So further to that, the last couple of boots I haven’t actually needed to use the OS itself, so went to shut it down after bootup – and it’s suddenly taking ages to close. Then I realised – the ‘your firewall is disabled etc’ is getting the instruction to pop-up at the same time I’m saying for the machine to shutdown – so it’s having to juggle those back and forth until it clears the pop-up so it can shut down……..
    it’s those kinds of things that do your head in. There’s nothing wrong with it in terms of it installs apps fine and they run properly.

    Although I would say: um, Sound Recorder? ‘there is not enough memory to complete the operation…..’ – but it was a 30 second recording with a giant page file and 4GB (well, 3.5 recognised) of RAM, what the hell ‘there is not enough memory’??? Get proper recording formats for that.

  8. Changlinn July 10, 2008 at 1:47 am #

    I call shenanigans. Firefox with NoScript is wayyyy more secure than IE.
    There was an article somewhere that said 1 in 3 computers is infected, I used to clean malware off of users computers, and everyone that had IE had some. You can bet the gateway for this malware getting in was IE. I have even seen an IE7 that was so weighed down with toolbars and smilies and whatnot that it was simpler to use FF or rebuild the os.
    On the bloatware thing, everything bloats to an extent. Gnome uses more ram now-a-days than windows XP’s explorer. Even tiny linux distro’s like DSL are now taking up a full mini-cd. It is inevitable, there are more resources so we may as well use them. Bloat is not an issue as long as it is slower than hardware improvement.

  9. zupakomputer July 10, 2008 at 12:29 pm #

    But isn’t the point of calling it bloatware (whatever anyone is calling bloatware) meaning that it contains things over and above what is required? Such a claim can’t really be levied upon the likes of DSL because they do what they claim to, without adding too much if anything over and above the bare minimum for (in DSLs case) a linux GUI distro, with office apps and web browsing.
    I think ~60MB for a GUI is really good going, of course it can be shorn down more but then you don’t get the office apps or the net browser or the media player – so you’re talking about a very different target audience for such as OS.

    Just to say, I myself don’t know if AVG is overkill or not. I haven’t used it much, and that’s the first I heard it installs more than is needed or it eats resources. I’d say that any worthwhile malware scanner is going to eat way more resources than a worthwhile firewall setting, if it is a background scanner and not a startup / shutdown / on demand scanner.

  10. Navin July 10, 2008 at 2:58 pm #

    That’s exactly the point………..most full featured programs do eat up memory!! That’s where U have to make a choice….whats more important?? Having Ur antivirus running a scan all day long or some other memory heavy program (like a game)

    No wonder even 2GB of ram sometimes seems too little……Just 5 yrs ago, single processor mobo’s with 512 MB ram (or even less) seemed more than sufficient!!

    DSL is, in my opinion one of the most memory specific distro around…..even compared to other linux distro’s like backtrack or fedora, or even the older mandrake, DSL is the best at managing resources.

    Bloatware, i feel is a very general term….AVG is definitely a non-bloating bloatware!! Not tht I’m claiming tht its the best or tht its the worst, I’m just saying tht it is among the more user friendly, non-intrusive antivirus softwares out there!!

  11. Changlinn July 11, 2008 at 1:23 am #

    Bloatware can refer to both excess features that are un-needed, ie why do I need outlook express on a server (2003), why do I need two text editors on my workstation (xp, notepad and wordpad, or vim and nano). But it can also refer to simply over using resources for no foreseeable reason, I am looking at your Firefox; 220mb atm (admittedly 32 tabs open).
    Programmers need to be more efficient, they are basically getting lazy as everyone now-a-days has a gig of ram… well even if they do imagine if one instance of your program only takes up a meg that means if it is good I can run hundreds of instances and not feel the hurt (Heart Dillo).
    DSL has gotten bigger, there is no debating that. So it is bloating, but that is fine. It is simply progress. I am also sure there are some features on there the average DSL user doesn’t use, the problem is weighing these up with how useful they are for the few who use them.
    I haven’t played with AVG for a while but like all av it can get bloaty; even signatures get bloaty, what with about a million viruses discovered a year, it is bound to happen. Even the light weight ClamAv’s sigs are getting up around 10mb.

    Wasn’t this ram push one of the reasons Apple went with Intel, as intel felt MacOSX pushed the CPU more and required less ram than CPU, as opposed to Windows and its “please replace your cpu with more ram”?

    Ahh progress, I am sure in ten years time I will look at this post and be amazed I could get by on only 2gb of ram, with single sticks by then probably starting at 10gb.

  12. lyz August 12, 2008 at 4:42 pm #

    IE7 loads slow for me. I’m still using IE6. I have also tested Firefox 3. But I had to uninstall it because the whole thing crashes. I’m currently planning to test the Firecat solution, which I learned again from one security seminar I’ve attended, but Firefox keeps complaining about incompatibility. Maybe, Backtrack is enough.

  13. Morgan Storey August 16, 2008 at 9:56 am #

    @lyz: Firecat is more a group of plugins for firefox for some pen testing in your browser, bit different in purpose to Firefox or Backtrack. I don’t do enough pen testing to have it installed full time so I can’t comment, but it does slow down firefox a lot.
    Have you tried the newest install of FF3, it is rock solid, I don’t think Firecat’s plugins are all FF3 compatible yet, I last used them back in FF1.5.