Worldwide Browser Patch Rates
Interesting research:
Abstract:
Although there is an increasing trend for attacks against popular Web browsers, only little is known about the actual patch level of daily used Web browsers on a global scale. We conjecture that users in large part do not actually patch their Web browsers based on recommendations, perceived threats, or any security warnings. Based on HTTP useragent header information stored in anonymized logs from Google’s web servers, we measured the patch dynamics of about 75% of the world’s Internet users for over a year. Our focus was on the Web browsers Firefox and Opera. We found that the patch level achieved is mainly determined by the ergonomics and default settings of built-in auto-update mechanisms. Firefox’ auto-update is very effective: most users installed a new version within three days. However, the maximum share of the latest, most secure version never exceeded 80% for Firefox users and 46% for Opera users at any day in 2007. This makes about 50 million Firefox users with outdated browsers an easy target for attacks. Our study is the result of the first global scale measurement of the patch dynamics of a popular browser.
JRR • February 13, 2009 7:45 AM
My own experience is that you will always have users who aren’t up-to-date, because there are users that have had very bad experiences with updates to systems that, to their eye, was working fine, then after the patch went to hell. This leads them to the conclusion that if the software is doing what they want it to, they should just leave it alone.
This experience carries across packages and companies. A bad experience with updating Company X’s product Y will lead them to not want to update Company A’s product B.