Study: Unpatched Web browsers prevalent on the Internet

Only 59.1 percent of people use up-to-date, fully patched Web browsers, putting the remainder at risk of attacks from hackers

Only 59.1 percent of people use up-to-date, fully patched Web browsers, putting the remainder at risk from growing threats from diligent hackers, according to a new study published by researchers in Switzerland.

The study, published Tuesday, is one of the most comprehensive analyses of what versions of Web browsers people are using on the Internet. The study was conducted by researchers at The Swiss Federal Institute of Technology, Google and IBM Internet Security Services.

Web browsers are often a weak link in the security chain, as software vulnerabilities can make it easy for hackers to gain control of a PC. When that happens, hackers can perform malicious acts such as stealing personal data or turning PCs into spam-spewing drones.

What the researchers found is that although software vendors provide patches for security problems, it can take days, weeks or months before people update their applications. In the meantime, those users are at risk.

But it's not entirely the fault of users, since Web browser vendors haven't exactly made patching easy, said Stefan Frei, a doctoral student at the institute, which is known as ETH Zurich, and one of the report's authors. The Web browser is still fairly young technology, and the industry has yet to settle on a dominant, well-tested design, he said.

The study looked at search and Web application server log data provided by Google to see what versions of the Firefox, Opera or Safari browsers people were using, Frei said.

Microsoft's Internet Explorer, however, only tells Web servers what major version a person is using, such as IE 6 or IE 7. The researchers relied on data from people who have installed a tool on their PC called the Personal Software Inspector, from Danish security company Secunia that can detect incremental versions of IE, Frei said.

Firefox users were the best at upgrading: 83.3 percent are using the latest version (the study just looked at Firefox 2.0). For Apple's Safari, 65.3 percent use the latest version; 56.1 percent for Opera and 47.6 percent for Microsoft's Internet Explorer.

Mozilla's Firefox came out on top due to its auto-update feature, which tells a user a new patch is available and offers a one-click way to upgrade. Within three days, most Firefox users are up to date, the study said.

Frei recommends that all browser makers put in an auto-update feature since the process now is cumbersome and slow.

Now, Opera users are told there is a new version, but they have to go to Opera's Web site and go through the same installation process as if they had initially downloaded the browser for the first time, Frei said.

Page Break

Safari uses an external updater that only polls for updates at certain intervals. Microsoft's updates are distributed on the second Tuesday of the month. Those gaps in time between when a vulnerability is publicly disclosed and a person patches is crucial, as they're an open window for an attack.

The problem with lax patching falls squarely on the shoulders of the application vendors -- users often simply can't visually tell if their browser needs to be upgraded, Frei said.

He advocates software vendors take a cue from the food industry and put an "expiration date" right on top of the browser to let people know the browser's state. For example, a warning could appear beside the address bar: "145 days expired, three patches missing"

"It's a non-technical suggestion," Frei said. "How can you expect people that they run the update if they don't even know? We think it's the same as having a speed limit on a highway."

Even search engine companies such as Google could display the same warning above search results, as the browser version is transmitted to its servers when someone performs a query, Frei said.

Alternatively, security companies could make application version scanning part of their consumer products, which they have done for some enterprise-level software, Frei said.

But the problem of out-of-date browsers pales in comparison to the quagmire of plug-ins, which add extra functionality to the browser, such as Adobe's Flash and Apple's QuickTime multimedia program.

On average, people have between six to 10 plug-ins, many of which come from different vendors with different patching regimes and schedules, Frei said.

"The browser is the bread, and even if the bread is fine, if the ham is rotten, you have a problem," Frei said.

Just one software vulnerability in a plug-in can put a person's PC in danger. Frei is proposing that an organization such as a national Computer Emergency Response Team create a service where browsers can verify if it has the latest version of a plug-in.

Besides Frei, the study was also conducted by Thomas D'bendorfer of Google, Gunter Ollmann of IBM Internet Security Systems and Martin May from ETH. The study will be presented at the Defcon security conference next month in Las Vegas.