SecurityFocus 2008-07-02
More than 45 percent of Internet users put their computers at risk of being compromised by malicious code because they surf the Web using browsers that are behind the times, four researchers warned on Tuesday.
Using data collected by Google from January 2007 to June 2008, the researchers compared the major and minor version numbers of the browsers used by visitors with the most up-to-date version of their software at that time. Their findings: More than 45 percent of Internet users, or about 637 million people in June 2008, use a browser that has security holes that could be plugged by the latest patch.
The research shows that Internet users need to start looking at software programs as if they come with an expiration date, said Stefan Frei, the lead author on the study and a PhD student at the Swiss Federal Institute of Technology at Zurich (ETH Zurich).
"We need security awareness," Frei said. "The threat environment is more like the food industry -- no one would bite into a three-month-old sandwich."
Over the past two years, online criminals have increasingly focused on compromising legitimate Web servers to seed the hosts with malicious code in an attempt to compromise visitors' computers. By leaving behind malicious
The study is the first to estimate the actual number of users surfing the Web with vulnerable browsers from global data. The researchers -- Frei and Martin May from ETH Zurich, Thomas Duebendorfer from Google Switzerland, and Gunter Ollmann from IBM Internet Security Systems -- estimate that the data provided by Google covers 75 percent of all Internet users. The authors stressed that the data did not include any personally identifiable information.
The researchers compared the version numbers sent by visitors' browsers, known as the user agent field, with the most current patch information at the time. Since Microsoft's Internet Explorer only broadcasts the major version number -- calling itself IE6 or IE7, for example -- the authors of the paper set a lower bound on the number of insecure browsers by counting the number of visitors using an older major version of their favored browser. From that data, they found that 41 percent of Internet users, or about 576 million people, were not using the latest major version of their browser, defined as Microsoft's Internet Explorer 7, Mozilla's Firefox 2, Apple's Safari 3, or Opera 9.
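The major-version comparison described above, as an added example (not the researchers' code): it classifies user-agent strings against the latest major versions named in the article and counts those on an older major version. The sample strings are constructed, and the function names and the handling of Safari strings without a `Version/` token are assumptions of this example.

```python
import re

# Latest major versions as defined in the article (mid-2008).
LATEST_MAJOR = {"MSIE": 7, "Firefox": 2, "Safari": 3, "Opera": 9}

# Order matters: Opera may send an MSIE-compatible string, so test it first.
PATTERNS = [
    ("Opera", re.compile(r"Opera[/ ](\d+)")),
    ("MSIE", re.compile(r"MSIE (\d+)")),
    ("Firefox", re.compile(r"Firefox/(\d+)")),
    ("Safari", re.compile(r"Version/(\d+)[\d.]* Safari/")),
]

def classify(user_agent):
    """Return (browser, major version), or (None, None) if unrecognised."""
    for name, pattern in PATTERNS:
        match = pattern.search(user_agent)
        if match:
            return name, int(match.group(1))
    # Assumption: Safari without a Version/ token predates 3; record as 2.
    if "Safari/" in user_agent and "Chrome/" not in user_agent:
        return "Safari", 2
    return None, None

def lower_bound_outdated(user_agents):
    """Return (outdated, recognised) counts by major version only."""
    outdated = recognised = 0
    for ua in user_agents:
        name, major = classify(ua)
        if name is None:
            continue  # bots and tools are left out of the denominator
        recognised += 1
        outdated += major < LATEST_MAJOR[name]
    return outdated, recognised

# Constructed sample user-agent strings (not data from the study).
SAMPLE = [
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.12) Gecko/20070508 Firefox/1.5.0.12",
    "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_3; en-us) AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.1 Safari/525.20",
    "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/419 (KHTML, like Gecko) Safari/419.3",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.50",
    "curl/7.18.0",
]

if __name__ == "__main__":
    print("%d of %d on an older major version" % lower_bound_outdated(SAMPLE))
```

Because only the major version is compared, a browser on the latest major version that is missing patches still counts as current here, which is why the figure is a lower bound.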
Using data collected from Google -- and estimates from security firm Secunia of the fraction of systems running the latest version of Internet Explorer -- the researchers found that another 4 percent of people using the most recent major version of a browser had still not applied the latest patches.