Study: Unpatched Web browsers prevalent on the Internet

Only 59.1 percent of people use up-to-date, fully patched Web browsers, putting the remainder at risk of attacks from hackers

Safari uses an external updater that only polls for updates at certain intervals. Microsoft's updates are distributed on the second Tuesday of the month. Those gaps in time between when a vulnerability is publicly disclosed and a person patches is crucial, as they're an open window for an attack.

The problem with lax patching falls squarely on the shoulders of the application vendors -- users often simply can't visually tell if their browser needs to be upgraded, Frei said.

He advocates software vendors take a cue from the food industry and put an "expiration date" right on top of the browser to let people know the browser's state. For example, a warning could appear beside the address bar: "145 days expired, three patches missing"

"It's a non-technical suggestion," Frei said. "How can you expect people that they run the update if they don't even know? We think it's the same as having a speed limit on a highway."

Even search engine companies such as Google could display the same warning above search results, as the browser version is transmitted to its servers when someone performs a query, Frei said.

Alternatively, security companies could make application version scanning part of their consumer products, which they have done for some enterprise-level software, Frei said.

But the problem of out-of-date browsers pales in comparison to the quagmire of plug-ins, which add extra functionality to the browser, such as Adobe's Flash and Apple's QuickTime multimedia program.

On average, people have between six to 10 plug-ins, many of which come from different vendors with different patching regimes and schedules, Frei said.

"The browser is the bread, and even if the bread is fine, if the ham is rotten, you have a problem," Frei said.

Just one software vulnerability in a plug-in can put a person's PC in danger. Frei is proposing that an organization such as a national Computer Emergency Response Team create a service where browsers can verify if it has the latest version of a plug-in.

Besides Frei, the study was also conducted by Thomas D'bendorfer of Google, Gunter Ollmann of IBM Internet Security Systems and Martin May from ETH. The study will be presented at the Defcon security conference next month in Las Vegas.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers


This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang


It really doesn’t get more “gaming laptop” than this.

Jack Jeffries


As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr


The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?