IE Is Least-Patched Browser, Report Says
More than 40 percent of Internet surfers don't use browsers with up-to-date security patches -- and IE users are the biggest culprits.
- By Jabulani Leffall
- July 01, 2008
According to a report released on Tuesday, more than 40 percent of Internet
surfers don't use browsers with up-to-date security patches -- and Internet
Explorer users are the biggest culprits.
The report, "Understanding
the Web Browser Threat," was conducted by researchers at ETH Zurich,
Google Inc. and IBM Internet Security Services. Its main assertion is that Web
browsers -- such as IE, Firefox and Safari -- are often the weakest link in
the security configuration of a given workstation.
IE took hits throughout the report, which claimed that the gestation time between
Microsoft patch releases is too long compared to similar programs from Apple
and others. In fact, according to the report, IE came in dead last in terms
of security, with only 47.6 percent of its users having the latest security
The report's authors wrote: "Considering that Microsoft offers Internet
Explorer 7 as an auto-upgrade from Internet Explorer 6 as part of the monthly
Windows updates and that it requires a manual patch to prevent upgrading to
version 7, it is rather surprising to see how slow the migration to the most
secure version has been."
Firefox came in first place, with 83.3 percent of its users having the latest
version. Apple's Safari and the open source Opera came in second and third,
with 65.3 and 56.1 percent of its users, respectively, running the latest versions.
But, as with many such reports, there are those who were quick to question
the findings and defend Microsoft's position in the security space. In particular, Microsoft Software Security Software Engineer Robert Hensing
took issue with the way the data on IE was gathered, arguing that the method
could not have produced the results stated in the report.
"I can appreciate what [the report's authors] are trying to do -- and
I believe they were probably trying to be as un-biased and scientific as they
possibly could given the nebulous goal of the study, but it was, unfortunately,
full of fail," he wrote
in his blog on Tuesday, soon after the report's release. "What they
seem to have done is combed the Google logs looking at the user-agent strings...The
only problem? IE doesn't send minor version information, so there's no way to
determine IE patch levels from the user-agent string. Oops."
For their part, the report's authors stated that the statistics for IE 6 and 7 were gleaned using data from third-party
tools that measure Web activity.
Criticisms aside, what Tuesday's report did do -- and many studies rarely do -- is
present viable solutions to what is a clear issue regarding patch management
and enterprise security.
"Critical to this instantaneous patching process is the mechanism of auto-update,"
the report's authors wrote. "Our measurement confirmed that Web browsers
which implement an internal auto-update patching mechanism do much better in
terms of faster update adoption rates than those without."
To that end,
the authors recommended a "'best before' dating system" that
would send alerts to users near the end of the patch cycle reminding them when
to patch and -- more importantly -- if they should.
Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.