Search: Home Bugtraq Vulnerabilities Mailing Lists Jobs Tools Beta Programs
Digg this story   Add to del.icio.us  
Study: Firefox patched quickest, IE a laggard
cwalsh, Emergent Chaos 2008-07-01

A new technical report out of ETH Zurich, Understanding the Web browser threat, should appeal to EC readers.

The authors were granted access to the USER-AGENT information recorded globally by Google between January2007 and June 2008. By examining the first visit per day by each browser, the authors are able to determine which clients were running which browser, and when. This allows them to calculate how long older versions continue to be used after being superseded by an update.

The results are interesting:


[F]rom January 2007 to June 2008,
most users updated to a new version of Firefox within three
days of a new public release, resulting in up to 83% of usershaving the most current and secure Firefox version installed.
It took users of the Opera Web browser an average of 11 days
before reaching an update saturation at a level of up to 56%
of the users running the most current and secure Opera version.
While Firefox and Opera check for updates when the
browser is used, Safari relies on an external Apple-updater
that appears to only poll for new updates at scheduled regular
intervals while Internet Explorer gets updated as part of the
monthly distributed Windows patches.

Whether "patch and pray" maximizes uptime is debatable, but for the home user auto-update of browsers seems to be a win (I'm sure Dean Shostack of the New School has some informed thoughts on this).

The paper makes some usability suggestions which may stir discussion.

All in all, a good paper which relies on solid empirical data but goes beyond the numbers and makes suggestions which are informed by an interdisciplinary awareness. The only missing element is the Kandinsky.




The information, views, and opinions contained on this page are those of the author and do not necessarily reflect the views and opinions of SecurityFocus.






 

Privacy Statement
Copyright 2009, SecurityFocus