July 1, 2008 11:28 AM PDT

Researchers: 637 million browser users at risk

A group of researchers said on Tuesday that 637 million Web users are surfing with outdated Internet browsers and are therefore at greater risk of Web-based attacks.

Using data collected from Google Web searches and from the security firm Secunia, the researchers, Stefan Frei (ETH Zurich), Thomas Dübendorfer (Google), Gunter Ollmann (IBM ISS), and Martin May (ETH Zurich), analyzed the browser versions in use in a new report (PDF). They did so in an effort to understand why so many recent attacks by criminal hackers have targeted the browser, and why those attacks have been so successful.

Overall the authors found that roughly 40 percent of users were using insecure versions of Web browsers. Among the least compliant were users of Internet Explorer, which currently dominates the Internet browser market.

The data was collected in mid-June 2008. Internet Explorer accounted for 78 percent of users, Firefox for 16 percent, Safari for 3 percent, and Opera for 0.8 percent. Of these, 52 percent of Internet Explorer users were running the latest version, compared with 92 percent for Firefox, 70 percent for Apple's Safari, and 90 percent for Opera.

The authors note that it has taken IE 7, the current Internet Explorer release, 19 months to reach only 52 percent of the entire Internet Explorer audience. The other 48 percent of the IE users in the study were either running an outdated build of IE 7 or still had IE 6 installed.

Some of this has to do with how the respective vendors deliver updates. IE 7 is currently offered as an automatic update alongside each monthly set of Microsoft security patches, yet a number of people opt out of the upgrade and keep running IE 6.

The study did not cover insecure browser add-ons, such as older versions of Adobe Reader, because the data from Google contained only browser information.

For mitigation, the study drew comparisons to the food industry: people understand the need to buy the safest food, so why not the safest browser? People understand that food is perishable, so why not have browsers display expiration dates? The authors gave the example of a browser that displayed, in red in the upper right-hand corner, "145 days expired, 3 updates missed."
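The study's measurement and its proposed expiration display, as an added example that is not code from the article or from Frei et al.: browser versions are parsed from User-Agent strings (the study used Google search logs) and compared against a release table standing in for the Secunia data, and the "days expired, updates missed" label is computed from that table. Every User-Agent string, version and date below is constructed for illustration.

```python
# Added example, not code from the CNET article or the Frei et al. study.
# It repeats the study's two measurements on constructed data: browser
# version is read from User-Agent strings (the study used Google search
# logs) and compared with a release table standing in for Secunia's data;
# expiry_label() renders the "days expired, updates missed" display the
# authors proposed. Every UA string, version and date here is constructed.
import re
from datetime import date

# Constructed release history: browser -> [(version, release date)], oldest first.
RELEASES = {
    "MSIE": [("6.0", date(2001, 8, 27)), ("7.0", date(2006, 10, 18))],
    "Firefox": [("2.0", date(2006, 10, 24)), ("3.0", date(2008, 6, 17))],
}
UA_PATTERNS = [
    ("MSIE", re.compile(r"MSIE (\d+\.\d+)")),
    ("Firefox", re.compile(r"Firefox/(\d+\.\d+)")),
]

def parse_ua(ua):
    """Return (browser, major.minor) or None for agents we do not track."""
    for name, pat in UA_PATTERNS:
        m = pat.search(ua)
        if m:
            return name, m.group(1)
    return None

def expiry_label(browser, version, today):
    """Days since the first newer release superseded this version, and
    how many releases were missed; 'up to date' if none were."""
    versions = RELEASES[browser]
    newer = versions[[v for v, _ in versions].index(version) + 1:]
    if not newer:
        return "up to date"
    return f"{(today - newer[0][1]).days} days expired, {len(newer)} updates missed"

def latest_share(uas):
    """Per-browser fraction of agents on the newest listed version, the
    figure the study reports as 52% for IE and 92% for Firefox."""
    seen, current = {}, {}
    for ua in uas:
        parsed = parse_ua(ua)
        if parsed is None:
            continue
        browser, version = parsed
        seen[browser] = seen.get(browser, 0) + 1
        if version == RELEASES[browser][-1][0]:
            current[browser] = current.get(browser, 0) + 1
    return {b: current.get(b, 0) / n for b, n in seen.items()}
```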

But unlike the food industry, software vendors face no liability. And, the authors note, software vendors are not legally obligated to provide software updates.

Imagine if the food industry was not accountable for selling spoiled milk.

26 comments (showing first 20)
by Lerianis July 1, 2008 1:27 PM PDT
The main reason that people don't like to update to the latest version of Internet Explorer is because it has a bad history of 'breaking' some sites with each browser update. With updates to Firefox, Opera, etc. it is EXTREMELY rare for them to break a site once the actual, final release of a new update like Firefox 3 comes out.
by The_Decider July 1, 2008 1:30 PM PDT
How is this news? Windows users are technically not savvy. Windows is insecure by default; it takes a little knowledge and a lot of time to make it somewhat secure. Microsloth's idea of security is to annoy the users to the point that they ignore the security messages. It is a recipe for disaster that gets realized time and time again.
by The_Decider July 1, 2008 1:32 PM PDT
IE is the browser of choice of hackers because it is the lowest-hanging fruit (i.e., the easiest). Maybe if IE usage slipped under 1% it might not be the leader in successful exploits.
by someguy999 July 1, 2008 2:27 PM PDT
This conclusion is one aimed at providing nothing but FUD, for a number of reasons. First off, you can't compare apples to apples between IE and Firefox.

With the long history of IE, and Firefox only recently releasing v3 (which, I imagine, assumes the 90% mark is based on v2), basically you're asking how many people are on v2... so in all reality here's the real question to show the validity of this statement: how many people were using v1 of Firefox and truly made the upgrade (but even that's flawed, because the only people who probably knew about v1 were very technically savvy, open-source-minded individuals)... It's sort of like saying I upgraded my car's GPS to the latest and greatest, when my previous car didn't have a GPS (much along the same lines of my first Firefox browser being v2... so I automatically get counted as "staying current"; I didn't stay current, I just never used Firefox before).

Second, it's not a matter of "Windows users are technically not savvy"; that's just crap that makes someone feel good. I know an awful lot of XP users who are technically savvy; however, they've held off on upgrading because they just liked it better.

The results are just straight-up flawed because you're not comparing apples to apples. Run the same survey in another 5 years and tell me how many Firefox people are on the latest and greatest; I dare say it will be the same results (nearly everyone who buys a computer from an OEM, who isn't in the industry, with Firefox pre-installed will still have the same version on their machine as when they got it from the OEM)... It's human nature.
by t8 July 1, 2008 2:57 PM PDT
This just proves that people who use Microsoft products are usually not very IT savvy. When I see an IE user or a business running MS Office, I see consumers who know no better.
by Squashman2 July 1, 2008 3:21 PM PDT
For our company it has a lot to do with Compatibility. We can't use IE7 yet because it does break one of our web apps.
by humanssssss July 1, 2008 3:26 PM PDT
The companies that are interested in these Internet Explorer users are the ones who will need to do something to improve security, whether that is having the users switch to Firefox -- a more secure browser -- or creating an add-on to improve Internet Explorer, or having users install a free firewall provided by the companies. Whatever the solution is, it is necessary to ensure the safety and security of users to improve commerce. Users won't engage in commerce when these fundamental foundations aren't in place.
by technewsjunkie July 2, 2008 2:49 AM PDT
That AntiTrust "Remedy" sure did a lot for browser market share, huh.
by wrog2 July 2, 2008 5:07 AM PDT
> But unlike the food industry there is no liability for software vendors. And, the authors note, software vendors are not legally obligated to provide software updates.
> Imagine if the food industry was not accountable for selling spoiled milk.

Imagine an out-of-date browser actually putting somebody in the hospital.

More bogus analogies, please.
by thelemurking July 2, 2008 6:23 AM PDT
This is why Firefox runs on all my Win2k boxes at work...
by pchow98 July 3, 2008 2:31 PM PDT
Don't forget that most companies don't allow individual employees to perform patch management, and most companies don't allow the IE6 to IE7 update because "it will confuse the users because the interface looks different". Most Windows users also ignore the Windows Update notices and curse if Windows has to reboot. If the company installs Firefox on its users' computers, the Help Desk department will revolt because of the large number of calls, stemming from "what should I do now that there's an update dialog box on the screen?" to "how come none of my usual add-ons work?", etc. This is a no-win situation because we don't require users to be responsible for this type of activity, and there's a disincentive for the users to be involved because it is deemed to be a "non-productive" activity.
by aaronjohnseldon July 7, 2008 6:19 PM PDT
Shame on you, CNet!!! This article is disappointing on many levels. What a coincidence that the study was sponsored by Google?!?

Among other things, the article leaves out mention of the disparity between corporate and personal users. Most personal computers I know of (unless they are pirated) are already running I.E. 7, with Microsoft auto-update enabled. All of the thousands of computers at my work site, however, are still on IE 6. Why? Because corporations don't like to perform software updates and, as a rule, most of them disable the auto-update capabilities in favor of specifically timed and rolled-out releases.

Ask yourself which browser is used by corporations... I think we would all agree that it's Internet Explorer. Some simple math to demonstrate my point:
"Many corporations use IE" + "Many corporations don't use the latest software versions"
= "Many people are not using the latest version of IE"

Also conspicuously missing from the article is the issue of piracy. Users with pirated versions of XP cannot (easily) update to IE7, so it would be interesting to know how many of these vulnerable browsers can't be updated because they have failed WGA (Windows Genuine Advantage).

Finally, there is no mention of the fact that early adopters and technology enthusiasts make up a much larger percentage of the minority browsers. These are the same users that will always be quick to update their software, not just their browsers.

To me this whole article seems like some kind of stunt by Google to attack Microsoft. Everyone knows that Google backs Firefox, and I would say that this is very likely an effort to spite Microsoft. Of all the browsers mentioned, IE is by far the easiest to update, and Microsoft has gone to great lengths to make sure as many users as possible are using auto-update.

The only thing novel about this article was the idea to prominently display the number of missed updates that are currently available. This is a feature I have never seen in any piece of software, and the reason for this is probably that it increases awareness at the cost of fear-mongering.

This last point notwithstanding, this is truly unimpressive journalism, CNet. Very little substance to the article, and some obvious conflicts of interest from your primary sources.
About Defense in Depth

Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.