Shostack + Friends Blog Archive

 

Study: Firefox patched quickest, IE a laggard

A new technical report out of ETH Zurich, Understanding the Web browser threat, should appeal to EC readers.
The authors were granted access to the USER-AGENT information recorded globally by Google between January 2007 and June 2008. By examining the first visit per day by each browser, the authors are able to determine which clients were running which browser, and when. This allows them to calculate how long older versions continue to be used after being superseded by an update.
The results are interesting:

[F]rom January 2007 to June 2008,
most users updated to a new version of Firefox within three
days of a new public release, resulting in up to 83% of users having the most current and secure Firefox version installed.
It took users of the Opera Web browser an average of 11 days
before reaching an update saturation at a level of up to 56%
of the users running the most current and secure Opera version.
While Firefox and Opera check for updates when the
browser is used, Safari relies on an external Apple-updater
that appears to only poll for new updates at scheduled regular
intervals while Internet Explorer gets updated as part of the
monthly distributed Windows patches.

Whether “patch and pray” maximizes uptime is debatable, but for the home user auto-update of browsers seems to be a win (I’m sure Dean Shostack of the New School has some informed thoughts on this).
The paper makes some usability suggestions which may stir discussion.
All in all, a good paper which relies on solid empirical data but goes beyond the numbers and makes suggestions which are informed by an interdisciplinary awareness. The only missing element is the Kandinsky.

5 comments on "Study: Firefox patched quickest, IE a laggard"

  • I question the statistical validity of using one data set to compare Opera / Firefox / Safari and another data set to compare IE. If you read the fine print – the Google logs were only used for Opera / Firefox / Safari because IE doesn’t report minor version information in the user-agent. So to compensate for that huge setback the authors used the Secunia software inspector statistics – which is a completely different and much smaller data set. It is also important to note that Mozilla stops releasing security updates for their previous major version of a product ~6 months after general availability of their current version whereas Microsoft still supports IE 5.x and 6.x with security updates making upgrading to the latest major version much less of a concern (from a security POV) for IE users. My blog here covers these points: http://blogs.technet.com/robert_hensing/archive/2008/07/01/vulnerable-web-browser-study-full-of-fail.aspx

  • Chris says:

    A very fair point, Rob.
    The Secunia “correction factor” is inelegant at best. However, w.r.t. patch latency it is cool to see some hard data on how rapidly updates are applied under different patching regimes, and the inclusion of usability suggestions is also a welcome thing.

  • Dan Weber says:

    auto-update of browsers seems to be a win

    Firefox doesn’t auto-update between major versions. I was running a 1.5 install until recently (because it’s nice to have old browsers for web development work).
    I’ve got another computer running Firefox 2 that hasn’t auto-updated to FF3, and probably never will until I do it manually.

  • Adam says:

    Having read the paper, I’m less impressed, although perhaps I’ll be accused of bias here, since my employer ships a web browser. Speaking for me, I’m unimpressed for two main reasons:
    1) they assume that all browser insecurity is not patching. A user who browses carefully and with no script (pithhelmet, noscript, ie7pro) may not need the latest browser. In contrast, one with the latest browser who downloads and runs things is toast. Any browser, any platform.
    2) They suggest a set of UI changes which are not tested or threat modeled. There are routinely attacks which show that users ignore browser chrome. If, as they suggest, web pages start telling you you’re out of date, then we train users to expect a lock update message in the body of pages.

  • Adam says:

    Excuse me. I meant to say “downloads and runs a trojan horse”
