Worldwide Browser Patch Rates

Interesting research:

Abstract:

Although there is an increasing trend for attacks against popular Web browsers, only little is known about the actual patch level of daily used Web browsers on a global scale. We conjecture that users in large part do not actually patch their Web browsers based on recommendations, perceived threats, or any security warnings. Based on HTTP useragent header information stored in anonymized logs from Google’s web servers, we measured the patch dynamics of about 75% of the world’s Internet users for over a year. Our focus was on the Web browsers Firefox and Opera. We found that the patch level achieved is mainly determined by the ergonomics and default settings of built-in auto-update mechanisms. Firefox’ auto-update is very effective: most users installed a new version within three days. However, the maximum share of the latest, most secure version never exceeded 80% for Firefox users and 46% for Opera users at any day in 2007. This makes about 50 million Firefox users with outdated browsers an easy target for attacks. Our study is the result of the first global scale measurement of the patch dynamics of a popular browser.
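As an added illustration of the measurement approach the abstract describes (example code written for this page, not code from the paper or from this post), the following Python script pulls the User-Agent field out of web-server log lines, extracts the browser and version, and computes the per-day share of distinct clients running at least a reference "latest" version. The log lines, the client addresses and the reference versions in `LATEST` are constructed for the example and are not the paper's data. It also shows why IE had to be left out of such a study: its User-Agent reveals only the major version, so the script reports its patch share as unknown (`None`) rather than guessing.

```python
import re
from collections import defaultdict

# Constructed access-log lines (not real traffic): Common Log Format with the
# User-Agent as the last quoted field, the kind of data the measurement works from.
SAMPLE_LOG = """\
10.0.0.1 - - [01/Mar/2007:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2"
10.0.0.2 - - [01/Mar/2007:12:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
10.0.0.2 - - [01/Mar/2007:12:00:06 +0000] "GET /a.css HTTP/1.1" 200 128 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
10.0.0.3 - - [01/Mar/2007:12:00:09 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2"
10.0.0.4 - - [01/Mar/2007:12:01:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Opera/9.21 (Windows NT 5.1; U; en)"
10.0.0.5 - - [01/Mar/2007:12:01:30 +0000] "GET / HTTP/1.1" 200 512 "-" "Opera/9.10 (X11; Linux i686; U; en)"
10.0.0.6 - - [01/Mar/2007:12:02:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.0.7 - - [02/Mar/2007:08:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1"
10.0.0.8 - - [02/Mar/2007:08:00:10 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2"
10.0.0.9 - - [02/Mar/2007:08:00:20 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.15.5"
"""

# Assumed reference versions for the example: "current" means at or above these.
# A real study would derive them from each vendor's release history.
LATEST = {"Firefox": "2.0.0.2", "Opera": "9.21"}

# Client address, request day, and the last quoted field (the User-Agent).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]*\].*"(?P<ua>[^"]*)"\s*$'
)

# (name, pattern, patch_level_known). Opera is checked first because some Opera
# builds also carry an "MSIE" token; IE is last because it only exposes the
# major version, which says nothing about the installed patch level.
UA_PATTERNS = [
    ("Opera", re.compile(r"Opera[/ ](\d+\.\d+)"), True),
    ("Firefox", re.compile(r"Firefox/(\d+(?:\.\d+)+)"), True),
    ("MSIE", re.compile(r"MSIE (\d+)\.\d+"), False),
]


def parse_user_agent(ua):
    """Return (browser, version, patch_level_known), or None for untracked agents."""
    for name, pattern, known in UA_PATTERNS:
        m = pattern.search(ua)
        if m:
            return name, m.group(1), known
    return None


def version_key(version):
    """Turn '2.0.0.2' into (2, 0, 0, 2) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def parse_log(text):
    """Yield (day, client, browser, version, patch_level_known) per parseable line."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        parsed = parse_user_agent(m.group("ua"))
        if parsed is None:
            continue
        yield (m.group("day"), m.group("client")) + parsed


def daily_share_latest(text, latest):
    """Per (day, browser): fraction of distinct clients at or above the reference version.

    Distinct client addresses are counted rather than requests, so a chatty client
    does not inflate the share. Browsers whose User-Agent hides the patch level
    (IE) get None, mirroring the paper's reason for excluding IE.
    """
    clients = defaultdict(set)  # (day, browser) -> distinct client addresses
    current = defaultdict(set)  # (day, browser) -> clients at/above the reference version
    hidden = set()              # (day, browser) pairs whose patch level is unknowable
    for day, client, browser, version, known in parse_log(text):
        key = (day, browser)
        clients[key].add(client)
        if not known or browser not in latest:
            hidden.add(key)
            continue
        if version_key(version) >= version_key(latest[browser]):
            current[key].add(client)
    return {
        key: (None if key in hidden else len(current[key]) / len(clients[key]))
        for key in clients
    }


if __name__ == "__main__":
    for (day, browser), share in sorted(daily_share_latest(SAMPLE_LOG, LATEST).items()):
        label = "unknown (UA hides patch level)" if share is None else f"{share:.0%}"
        print(f"{day} {browser:8s} current: {label}")
```

The User-Agent string is asserted by the client, and add-ons can rewrite it, so this yields a population-level estimate of patch uptake, not a verdict about any one client; that is exactly how the paper uses it, and it is why the count is by distinct address per day rather than per request.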

Posted on February 13, 2009 at 6:27 AM

Comments

JRR February 13, 2009 7:45 AM

My own experience is that you will always have users who aren’t up-to-date, because there are users that have had very bad experiences with updates to systems that, to their eye, was working fine, then after the patch went to hell. This leads them to the conclusion that if the software is doing what they want it to, they should just leave it alone.

This experience carries across packages and companies. A bad experience with updating Company X’s product Y will lead them to not want to update Company A’s product B.

Clive Robinson February 13, 2009 8:35 AM

I certainly don’t patch my personal web browsers…

The reason being the one I’m currently using is on a mobile phone and the way it works is that the browser runs on the telco’s server and I get a screen image on the phone. So I can’t patch that one.

The other browser I use is on a machine with lots of RAM but no HD (it’s a Knoppix clone on DVD) or other writable media (except when I specifically download a PDF or other file from sites I vaguely trust).

And when I do download I immediately virus/malware check the files on a stand alone machine.

Life is too short to be continuously patching software on a machine that is going to be attacked within 30 secs of you turning it on…

Also applying patches is a recipe for trouble on development or production machines. Which means you have to test test test before applying. Meanwhile as noted by Ghost your machine has been “owned” before you’ve even started testing…

Sometimes you have to get off the “Hamster wheel of patch pain” and find better ways of doing things.

And yes there are ways if you look…

Matt February 13, 2009 8:50 AM

I think DEP and IE64 have potential. I’ve seen that many of the recently patched vulnerabilities were mitigated by DEP / ALSR.

I look forward to the release of a 64 bit flash plugin. 64 bit versions of your favorite browser won’t be too far behind.

Cannonball Jones February 13, 2009 9:02 AM

I always keep my browsers at home bang up to date but at work it’s a different story. Our machines are clogged up with so much crap that we’re not allowed to install and our connection is dodgy at the best of times so constant updates just aren’t worth the hassle. Had words with the boss about this to see if we can work around it, no-one seems to care about browser vulnerability though. Worst thing is we’re forced to use IE for a lot of tasks due to a crap client management system so the possibility of an attack is far greater.

Jesse McNelis February 13, 2009 9:11 AM

“Firefox’ auto-update is very effective: most users installed a new version within three days.”

My understanding is that Firefox’s auto-update feature only works if you’re running it as administrator, otherwise it doesn’t have the permissions required to actually do the update.
Seems like a bad idea to me. It’s something that should be the responsibility of the software package manager.
I’ve never been able to figure out how a Windows user can have a fully patched system and still have time to have a life.

Nick S. February 13, 2009 9:29 AM

“My understanding is that Firefox’s auto-update feature only works if you’re running it as administrator, otherwise it doesn’t have the permissions required to actually do the update.”

You’re installing software that sets the default browser and file associations and such, so you need Administrator access for that. The problem with Firefox’s auto-update mechanism is that it doesn’t even tell you there are updates unless you’re an admin; I think it does tell you now though. For all of its flaws, Vista asking you to click “Continue” on installing an update for already-installed software is a good way to do it.

NM February 13, 2009 11:34 AM

I have to work with retarded companies where the IT dep’t still only allows IE 6. It’s the single most used piece of software, and they can’t get bothered to keep it up to date … what can you expect? But they always have good excuses, most often involving “security.” Right.

Tangerine Blue February 13, 2009 12:17 PM

All versions of IE combined have around a 2/3 market share.

Thanks for the correction.

In any case, I doubt that many people have the illusion that any version of IE is secure.

That’s not the point. From the abstract:
“we measured the patch dynamics of about 75% of the world’s Internet users for over a year. Our focus was on the Web browsers Firefox and Opera.”

I don’t get it. They looked at the world’s internet users, but instead of a representative cross section, they focused on a niche.

Seems kind of like extrapolating worldwide car maintenance practices from studying Lexus and Jaguar owners.

innocent_bystander February 13, 2009 1:41 PM

Tangerine Blue –

From the article:
“We focused on Firefox as this is the most popular browser with detailed version information available in the HTTP user-agent string. Internet Explorer only reveals the major version of the browser, which does not reflect the patch level.”

I think they would have included IE if it had been possible.

PackageBlue February 13, 2009 2:38 PM

Lynx browser is very stable, although can be VERY annoying sometimes! Lynx sure is a little used browser.

Lynx does have a few issues. Nice to be able to pay people to fix up small code for those who need it. Firefox is a lot of code!

Lynx and OpenBSD perhaps a good minimum for reasonable web browsing. Interested in other opinions though. Haven’t tried links browser under OpenBSD.

Recently got hacked through Lynx. Ha, fun, turned out ok though, took some work to clean things out. Welcome to the new world disorder. Governments now are hacking people, FBI is legally allowed to hack, and Germany has a division for this as well.

Nobody but serious developers and highly funded groups have internet web security.

Tangerine Blue February 13, 2009 2:54 PM

I think they would have included IE if it had been possible.

Thanks for pointing that out – I missed it.

You only claim to be an “innocent_bystander,” but I think you Da Bomb.

DaveC February 13, 2009 5:47 PM

@Tangerine Blue: Seems kind of like extrapolating worldwide car maintenance practices from studying Lexus and Jaguar owners.

Ironically, Lexus is a Toyota brand, and Toyota has among the best production quality** of any maker, while Jaguar has been until recently one of the very worst, so that would span the auto industry as a whole 🙂

I think the reason is more prosaic – I guess they are using data from the browser User-Agent header, and Mozilla, Firefox and other Gecko-based browsers give the browser engine build info in there (which allows you to infer timeliness of patches), while IE does not.

You can get exact version info from IE by pushing some JavaScript / ActiveX at it, but that’s a bit invasive – I’m guessing they were working off of passively collected data from web logs.

** by “production quality” I’m referring to an ISO-9000-esque definition of quality, i.e. the accuracy with which instances of the product match the design specs. Personally, I drive used German cars as I find them more elegant in design and more sporty, and I’m prepared to put up with minor niggles like replacing sun visor clips.

Edward S. Marshall February 13, 2009 9:47 PM

@NM: Those “retarded companies” might be in the same boat as my current employer: IE 6 is the only browser supported by a major business-critical application, used by a large number of end-users.

An IT group is stuck in an untenable position in a case like this: they either introduce an unsupported configuration to the workplace, making obtaining support impossible under the very large support contract that was taken out for the business-critical software product that enables real work to get done, or they upgrade to the latest version of another product as recommended by THAT vendor.

Anyone who has dealt with Oracle EBS, PeopleSoft, SAP, or another major financial application has run into the “supported configuration” nightmare. Is IE7 or Firefox 3 supported? Sure, on the most recent release, put out a week or so ago to “early adopter” customers. Oh, and don’t worry, that six-month upgrade cycle through development, QA, and production environments for your core financial applications won’t happen this time; it’ll only take five months, tops.

You sound like someone who hasn’t found themselves in this situation before. A shame, it’s enlightening, and frustrating. But there’s nothing “retarded” about people trying to reconcile a situation like that, and it’s insulting to suggest that you have all the answers when you don’t have a clue what it looks like on the other side of the problem.

neill February 14, 2009 9:16 PM

IF the browsers would really comply with the standards (see ‘acid test’) there would be no question ‘which one works’ for which website – the choice would be which GUI you like more (colors/layout/features/addins)

Most companies I worked with chose IE not because it’s the best but because it’s a SAFE/CONVENIENT choice for ‘getting the work done’.

Jim February 16, 2009 10:39 AM

From the article:
“We focused on Firefox as this is the most popular browser with detailed version information available in the HTTP user-agent string.”

Am I the only one concerned that the browser user-agent string on these particular browsers is broadcasting the detailed version and therefore the specific threats that the browser is susceptible to? I understand it is a simple matter to hit the browser with multiple threats to find the one that succeeds. But this is like walking around with your fly open?

Valdis Kletnieks February 16, 2009 4:30 PM

@jim: “Am I the only one concerned that the browser user-agent string on these particular browsers is broadcasting the detailed version and therefore the specific threats that the browser is susceptible to?”

It turns out that in general, It Just Doesn’t Matter.

Yes, it can be an issue if somebody is targeting you specifically, and wants a really good idea of which exploit to try to maximize the chances of nailing the target on the first try with minimum chance of detection.

But if you’re in the business of building malware to infect every single box that comes along, your best strategy is to just launch the exploit and see what sticks. That way, every single vulnerable box will get hit, even if they’re running software that makes the browser lie about its User-Agent: string (the ‘prefbar’ addon for Firefox does this, along with about 3 zillion other addons).

Valdis Kletnieks February 16, 2009 4:31 PM

I forgot to add – if the bad guys actually checked what software they’re launching exploits against, I wouldn’t keep finding Windows attacks in the logs of my Linux, Solaris, and AIX boxes… 😉
