SecurityFocus 2008-07-02
The study also found that some browsers instilled far better security habits than others. Microsoft's Internet Explorer -- which had the greatest market share, about 78 percent, according to data from TheCounter.com -- had the most out-of-date software among its users, with only 48 percent using the latest version of Internet Explorer 7. Mozilla's Firefox, which claims about a 16-percent market share, had a much more up-to-date user base, with more than 83 percent of all Firefox users surfing with the latest version.
Microsoft's varied user base sometimes has reasons for not upgrading immediately, a spokesperson for the company told SecurityFocus.
"With hundreds of millions of IE users, Microsoft recognizes that some may have reasons for not being able to immediately upgrade," the spokesperson said. "To assist this population, Microsoft does not end-of-life browser support for legacy versions shortly after a new IE release."
The authors of the browser study, however, argued that Firefox's simple update mechanism resulted in the users of the browser updating much more quickly than the users of rival browsers. Within three days of releasing a patch, for example, more than 80 percent of Firefox users upgrade the software.
"We did a lot of work to make the program's update mechanism as simple as possible," Window Snyder, Mozilla's chief security officer, told SecurityFocus.
Opera users patched the software much more slowly, with only 56 percent of users patched within the first 11 days. While Firefox can be upgraded with a single click, Opera refers users to the company's site, where they can download the update and install it.
"It is not complicated to do for you and for me, it is just five clicks," ETH Zurich's Frei said. "But those five clicks are a giant barrier for most users."
In addition, Mozilla's Snyder pointed to the software's ability to save the user's current pages, so that, upon a restart, the program starts up where the user left off.
A spokesperson for Opera pointed out that the software does have automated update notifications, but said the company is exploring ways of improving the update process.
"We know many people choose Opera because of our long security track record," the spokesperson said. "We intend to continue evolving methods of keeping them as secure as possible when they use any Opera product."
However, the authors of the study suggested that all the browsers adopt some notification scheme to tell users that their browser is no longer current. Such an expiration date, similar to the "Best by" date on food, would notify users that their browser may not be current, said Frei.
"If I give you two screenshots of Firefox -- one from today and another from three months ago, you cannot spot the difference," he said. "If there is a clear message somewhere on the browser, then I might think twice before logging onto my bank."
The authors also contended that all browsers have another issue: making sure that all users are running the latest versions of any plug-in features for their software. While Firefox has adopted authenticated channels for updating the plug-ins, Frei stressed that finding a way to authenticate the sources of plug-ins and checking for the latest patches is a must.
"Even under the best update circumstances, it still takes three days to get to an 80-percent patch level," Frei said. "Now imagine that across all the plug-ins ... and you have a problem."