Report: IE is least-patched browser

According to a new report, more than 40 percent
of Internet surfers don't use browsers with up-to-date security
patches -- and Internet Explorer users are the biggest
culprits.


The report, titled "Understanding the Web Browser Threat," was
conducted by researchers at ETH Zurich, Google Inc. and IBM
Internet Security Services. Its main assertion is that Web browsers
-- such as IE, Firefox and Safari -- are often the weakest link in
the security configuration of a given workstation.


IE took hits throughout the report, which claimed that the
gestation time between Microsoft patch releases is too long
compared to similar programs from Apple and others. In fact,
according to the report, IE came in dead last in terms of security,
with only 47.6 percent of its users having the latest security
patches.


The report's authors wrote: "Considering that Microsoft offers
Internet Explorer 7 as an auto-upgrade from Internet Explorer 6 as
part of the monthly Windows updates and that it requires a manual
patch to prevent upgrading to version 7, it is rather surprising to
see how slow the migration to the most secure version has
been."


Firefox came in first place, with 83.3 percent of its users
having the latest version. Apple's Safari and the open source Opera
came in second and third, with 65.3 and 56.1 percent of its users,
respectively, running the latest versions.


But, as with many such reports, there are those who were quick
to question the findings and defend Microsoft's position in the
security space. In particular, Microsoft Software Security Software
Engineer Robert Hensing took issue with the way the data on IE was
gathered, arguing that the method could not have produced the
results stated in the report.


"I can appreciate what [the report's authors] are trying to do
-- and I believe they were probably trying to be as un-biased and
scientific as they possibly could given the nebulous goal of the
study, but it was, unfortunately, full of fail," he wrote in his blog on Tuesday, soon after the
report's release. "What they seem to have done is combed the Google
logs looking at the user-agent strings...The only problem? IE
doesn't send minor version information, so there's no way to
determine IE patch levels from the user-agent string. Oops."


For their part, the report's authors stated that the statistics
for IE 6 and 7 were gleaned using data from third-party tools that
measure Web activity.


Criticisms aside, what Tuesday's report did do -- and
many studies rarely do -- is present viable solutions to what is a
clear issue regarding patch management and enterprise security.


"Critical to this instantaneous patching process is the
mechanism of auto-update," the report's authors wrote. "Our
measurement confirmed that Web browsers which implement an internal
auto-update patching mechanism do much better in terms of faster
update adoption rates than those without."


To that end, the authors recommended a "'best before" dating
system" that would send alerts to users near the end of the patch
cycle reminding them when to patch and -- more importantly -- if
they should.



inside gcn

  • smart city (metamorworks/Shutterstock.com)

    Citizen engagement and public service in the era of the IoT

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group