Forget government warnings, Microsoft's advice or the risk of being infected by malware: most users only patch their browsers if they have to do nothing about it. Two Swiss researchers and a Google expert surveyed Google's anonymized web server logs to see how quickly users patch their browsers. The survey covered the data of 75% of the Internet population and dealt mainly with Mozilla Firefox and Opera.
The researchers found that patch installation depends on default settings and on an automatic update function. Firefox updates are the most effective: within three days of a release, users may already have the new version of the browser. But the percentage never gets any higher than 80%, meaning 50 million Firefox users use a vulnerable browser. For Opera the vulnerable users are the majority: 53% use a vulnerable browser. After the launch of Opera 9.20 that number reached 65% for a short period.
Drive-by downloads
Because browsers are the main applications used on the web, they are the main infection vector and the prime target of cybercriminals. The number of drive-by-download infections keeps rising: during 2007 there were 3 million infecting websites.
The survey used Google's web server logs and looked at the HTTP User-Agent string to see which browsers users used. For IE that is harder: IE reports its major version but does not give away the patch level. It is now proposed that IE adopt an update feature similar to Firefox's, because the situation there may be even worse.
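The method described above, measuring patch uptake from the User-Agent field of web server logs, can be reproduced on a small scale. The following is an added example written for this page; it is not the researchers' code and not Google's tooling. The log lines are constructed, the "latest release" versions in LATEST are assumed values chosen for the example, and the IE case is deliberately reported as "unknown" because, as the article notes, the IE User-Agent carries no patch level. The example also handles one measurement pitfall the article does not mention: Opera can identify itself as IE or Firefox while appending its own "Opera x.yz" token, so Opera must be matched before the other browsers or it is miscounted.

```python
import re

# Assumed current releases at survey time (constructed values for the example).
LATEST = {"Firefox": (3, 0, 6), "Opera": (9, 63)}

# Constructed sample log lines in Apache combined format; not real Google data.
SAMPLE_LOG = r'''
1.2.3.4 - - [10/Feb/2009:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6"
1.2.3.5 - - [10/Feb/2009:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20"
1.2.3.6 - - [10/Feb/2009:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Opera/9.63 (Windows NT 5.1; U; en) Presto/2.1.1"
1.2.3.7 - - [10/Feb/2009:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Opera/9.20 (Windows NT 5.1; U; en)"
1.2.3.8 - - [10/Feb/2009:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
1.2.3.9 - - [10/Feb/2009:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.6) Gecko/2009011912 Firefox/3.0.6"
1.2.3.10 - - [10/Feb/2009:10:00:06 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.51"
'''

# The User-Agent is the last quoted field of a combined-format line.
UA_FIELD = re.compile(r'"([^"]*)"\s*$')

# Order matters: Opera may masquerade as IE or Firefox but still appends
# "Opera x.yz", so it is checked first. IE is last because "MSIE" also
# appears in masquerading Opera strings.
PATTERNS = [
    ("Opera", re.compile(r"Opera[/ ](\d+(?:\.\d+)*)")),
    ("Firefox", re.compile(r"Firefox/(\d+(?:\.\d+)*)")),
    ("IE", re.compile(r"MSIE (\d+(?:\.\d+)*)")),
]


def version_tuple(version):
    """Turn '2.0.0.20' into (2, 0, 0, 20) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def parse_user_agent(line):
    """Return the User-Agent string of one log line, or None if absent."""
    match = UA_FIELD.search(line)
    return match.group(1) if match else None


def classify(user_agent):
    """Return (browser, version, status) where status is
    'patched', 'vulnerable' or 'unknown' (no patch level in the UA)."""
    for browser, pattern in PATTERNS:
        match = pattern.search(user_agent)
        if not match:
            continue
        version = match.group(1)
        if browser == "IE":
            # IE reports only the major version, so patch state cannot be
            # read from the log; it must not be counted as either side.
            return (browser, version, "unknown")
        status = "patched" if version_tuple(version) >= LATEST[browser] else "vulnerable"
        return (browser, version, status)
    return ("other", "", "unknown")


def summarize(log_text):
    """Count patched/vulnerable/unknown requests per browser family."""
    counts = {}
    for line in log_text.strip().splitlines():
        user_agent = parse_user_agent(line)
        if user_agent is None:
            continue
        browser, _, status = classify(user_agent)
        bucket = counts.setdefault(browser, {"patched": 0, "vulnerable": 0, "unknown": 0})
        bucket[status] += 1
    return counts


def vulnerable_share(counts):
    """Fraction of requests with a known patch state that are vulnerable.
    'unknown' (IE) is excluded from the denominator rather than guessed."""
    patched = sum(c["patched"] for c in counts.values())
    vulnerable = sum(c["vulnerable"] for c in counts.values())
    known = patched + vulnerable
    return vulnerable / known if known else 0.0


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for browser, bucket in sorted(summary.items()):
        print(browser, bucket)
    print("vulnerable share (known patch state):", vulnerable_share(summary))
```

Counting requests rather than distinct users overstates heavy users; the real survey worked on anonymized per-user data, which a log-only script cannot reproduce without a session or cookie key. The IE rows show why the article treats IE separately: a major-version-only token gives the analyst no way to place those users on either side of the patched line.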
So almost half of all users use a vulnerable browser and are insecure…
On any given day, 45% of browser users are vulnerable to all sorts of infections. A more user-friendly update mechanism should be introduced, because the majority of users do not react to vendor warnings or to newly found leaks and holes: either they cannot be bothered or they simply do not understand why updating and patching has become vital.
IE wasn’t emphasized in this article because the user-agent data it provides to Google doesn’t include the minor-version information. Firefox and Opera do provide this info.
The researchers found that installing patches was dependent on standard settings and through an automatic update function. Firefox updates are most effective, because within three days users may have a new version of that browser. But the full percentage never gets any higher than 80%, meaning 50 million Fx users use a vulnerable browser. For Opera that is the majority, 53% use a vulnerable browser. After launching Opera 9.20 that number reached 65% for a short period.
Depressing. Even with Firefox’s automatic update function, up to 20% of Firefox users were still using an old, unpatched version 30 days after a security release. It hardly got any better after that. Do 20% of Firefox users disable automatic updates? Perhaps the numbers are skewed somewhat by the Firefox Linux users. Many of them get updates only through updates to their whole Linux distribution package. That’s not particularly dangerous, since Linux isn’t nearly as vulnerable to attacks as Windows.
To do the survey one used the Google web server logs, and looked at the HTTP user-agent string to see what browsers users used. For IE that is harder: IE shows the version but does not give away the patch level. Now it is proposed for IE to use a similar update feature as Firefox does, because the situation there may be far worse even.
I suppose most IE users have Automatic Updates enabled. That includes updates to IE7. (I don’t know about IE6, but I assume its security patches are pushed through Automatic Updates too.) MS is doing something very right here, just like Mozilla is doing with Firefox.
So almost half of the users use a vulnerable browser and are insecure…
The daily situation is that 45% of browser users are vulnerable to all sorts of infections.
I think this number, which comes from last July’s article, is overly pessimistic. Since the majority of Internet users use IE, and about half of them use IE6 instead of IE7, the article’s assumption that all versions of IE6 are vulnerable is misleading. I don’t think the assumption is warranted. Most of IE6’s vulnerabilities are patched in a timely manner, just like IE7’s are. According to Secunia, IE6 has only 22 unpatched vulnerabilities, the most severe of these is rated “Moderately critical”. The most recent IE6 patched vulnerability was patched 2008-12-10. Compare this to IE7, with 9 unpatched vulnerabilities, the most severe of which is rated “Moderately critical”. The most recent IE7 patched vulnerability was patched 2009-02-10. Note that the most recent unpatched vulnerability is the same for both IE6 and IE7, a “Less critical” “Print Table of Links” Cross-Zone Scripting vulnerability from 2008-05-14. References: http://secunia.com/advisories/product/11/?task=advisories http://secunia.com/advisories/product/12366/?task=advisories
There should be introduced a more user-friendly update mechanism, because the majority of users do not react to vendor warnings or when new leaks and holes are being found; either they cannot be bothered or they simply do not understand why updating and patching has become vital.
The good news is that the two browsers with the largest market share currently use Automatic Updates. I hope most users don’t disable them. The bad news is that many users have pirated copies of Windows and don’t update IE. (Although manual updates aren’t allowed, Automatic Updates is supposed to still be functional in pirated copies. I haven’t tested this. :)) A big security hole is the plugins used by the browsers, such as Flash, Adobe Reader, QuickTime, etc. None of these has an automatic update mechanism which requires as little user interaction as that provided by IE and Firefox. The Secunia Personal Software Inspector program for Windows helps somewhat by scanning the PC at least once a week for unpatched vulnerable plugins and programs, but it still requires user action to install security updates.
[b]Please do NOT advise your users to turn off automatic updates because of *one* problem update[/b]
The latest “Rollup for ActiveX Killbits for Windows” (KB960715) is causing problems for some third party applications that are dependent on the disabled controls.
One application that has problems, “Office Tools Professional”, is advising its users to not only uninstall the Killbit patch (thereby restoring the broken functionality), but also to “turn off automatic updates”. Please do not turn off automatic updates. Simply uninstall the problem patch.
What YoKenny has posted is, I feel, a big chunk of the problem with respect to this issue, and perhaps this is, at least, part of the case in the eyes of the general public as well, along with ignorance and apathy. I found a lot of this at Ubuntu’s forum as well: updates that broke either the OS itself or specific programs and/or drivers. In a similar way, it’s also why I am one of the potentially 20% that doesn’t have Firefox updated, because of the possibility that an upgrade will break or make incompatible the add-ons that I want to have, as happened when I upgraded from Firefox 2 to 3. I am in no way blaming anyone, nor do I really have an answer to solving this, as I realize the urgency in getting the security updates “out the door” does not allow for adequate time in testing for incompatibilities.
However, I keep Windows updates on and my OS and IE7 are completely up to date, including the “Rollup for ActiveX Killbits for Windows” (KB960715).