Security researchers have suggested that, like food, browsers should have a best-before or expiry date. This comes after they revealed that 637 million internet users are surfing with outdated and unpatched browsers, which puts them at risk from web-based attacks.

Using data collected from Google Web searches and security firm Secunia, the researchers, Stefan Frei (of ETH, Zurich), Thomas Dübendorfer (Google), Gunter Ollmann (IBM ISS), and Martin May (ETH, Zurich), analysed browser usage in a new report (PDF). They did so in an effort to understand why so many recent attacks by criminal hackers have been aimed at the browser, and why those attacks have been so successful.

The authors found that roughly 40 per cent of users had insecure versions of their Web browser. Among the least compliant were users of Internet Explorer, which currently dominates the market.

The data was collected in mid-June 2008. The user base broke down as 78 per cent Internet Explorer, 16 per cent Firefox, three per cent Safari, and 0.8 per cent Opera. The share running the latest version was 52 per cent for Internet Explorer, 92 per cent for Firefox, 70 per cent for Apple, and 90 per cent for Opera.

The authors note that it has taken IE 7, the current Internet Explorer release, 19 months to gain only 52 per cent of the entire Internet Explorer audience. Forty-eight per cent of the users in the study were either using an old version of IE 7 or still had IE 6 installed.

Some of this has to do with how the respective vendors provide updates. IE 7 is currently offered as an auto-update with each monthly set of Microsoft security patches, yet a number of people are opting out of the upgrade and still running IE 6.

The study did not include use of insecure browser add-ons, such as older versions of Adobe Reader, because the data from Google contained only the browser info.

For mitigation, the study drew comparisons to the food industry: people understand the need to buy the safest foods, so why not the safest browsers? People understand that food is perishable, so why not make Internet browsers display expiration dates? The authors provided an example of a browser that displayed, in red in the upper right-hand corner, "145 days expired, 3 updates missed."

But unlike the food industry, there is no liability for software vendors. And, the authors note, software vendors are not legally obligated to provide software updates.

Imagine if the food industry were not accountable for selling spoiled milk.


Comments

1

andrea palazzi - 02/07/08

hello
please excuse my english, i'm italian :)
# 1 - as for browsers, 'software _vendors_' seems not to be a precise term. i bought opera 3.6 in 1999, but after that i got for free all browsers i've been using (now: ff2, opera9.5, ie7, plus one i wrote myself to have some things quicker).
# 2 - why don't cars expire? why are people not forced to check their cars at least once a year? here, italy, a check must be made at its 4th year, then every 2 -- do you really think driving a 10 yrs car checked 4 times is less dangerous than surfing with ie6? if so, you need a good amount of wishes :P (btw, in all situations where unsafe browsers could be a threat somehow -- financial world for instance -- i do hope there's a sw admin who looks after updates and patches).
# 3 - normally browsers are not unsafe on their own. they're unsafe because bad guys are writing traps all the time. but you translate like this: if you are driving in baghdad or kabul, ford and opel should give you armoured cars, or armour your car on their own, silently, and for free, while you begin to plan the journey. please suggest that to ford and gm and report here their answers :P
# 4 - ie7 is a nonsensical program. mimics firefox without even getting near ff's features, and is way heavier than ie6. for many months i skipped updating, i needed ie6 for more than a reason. at last i just surrendered to wupdate's nags. and you sure know that nag messages like those you're suggesting are what most enerve any sw users. have i to remember recent apple's hidden 'update' to safari? or (no matter how you configure its start page) the fact that ie often goes to ms site when you open it (which under a proxy just hangs it and leaves my colleagues dazzled...)? you sw house please just make the program: its use, upgrading and liability for its use are and should be up to me _alone_.
# 5 - every time i happen to teach something about computers -- especially mail, the internet and the like -- i make clear that the main antivirus sw is one's brain. a few years ago i was given a scarcely powerful laptop: not to kill it, i browsed the internet 18 months with no a/v sw. no problems at all. so what?
# in the end, i fear you rather missed the target. your argument would be stronger if aimed at antivirus sw's -- most of them are sold indeed -- but they usually do upgrade themselves.
ciao, a.
andrea.palazzi@gmail.com
www.sundaysw.com


2

Chris - 02/07/08

That's a bad analogy. Software vendors don't sell expired software. It was "fresh" at the time it was sold. The food industry isn't liable when someone drinks milk that's been sitting in their refrigerator for 3 years.


3

Tim - 03/07/08

Chris, think about it. The milk has an expire date, and that's why they are not liable. If it goes bad before the date, they take responsibility for it.

Microsoft considers software expired the day it is released. They offer to check your computer any time for software they know is out of date. It is called "Support", available through Microsoft Update.


4

Jorge - 03/07/08

The analogy about vending milk would be more correct if you added "if vendors had both expired milk and fresh milk on their shelves...". Most big browser manufacturers supply updates for their software, in almost all the cases free of charge. The problem is divided in 2 areas:
1. IT people at offices don't always enforce policies for having your browser up to date.
2. People at home do not update their software, because they hear all the time that "don't trust the latest version of xxx browser" from their "IT knowledgeable" friends... (this applies more often to browsers like IE (since it is the vast majority), since Firefox users are more aware of the necessity of updated Sw..).

I think that there should not be an option to select whether you want to update or not, just enforce update AS LONG as the Sw vendor GUARANTEES backwards compatibility.


5

Rob - 03/07/08

I'm one of the people who refuses to install IE7. I tried it on one computer and it ran a LOT slower than IE6. I'd start the browser and start typing into the address bar. Then IE7 would finally finish starting up, erase what I had typed, and load the blank start page.

IE7's UI is also drastically different from any other app on my computer. Microsoft might have been trying to provide a cleaner interface, but all they've done is make the program a lot more confusing to use.


6

Appzalien - 24/07/08

The food analogy only works if the spoiled food tastes better than the fresh genetically altered stuff. Security aside, the older, the less bloated and less a pain. I.E7 is Crap, it may be more secure but I can control WHERE I surf, but not the idiocy of the creators.
