Older Versions Of Firefox, IE Put 45% Of All Internet Users At Risk

Firefox 2 is considered to be the most secure Web browser because 83.3% of its users worldwide are running the most current version.
Computer security researchers from ETH Zurich, Google, and IBM believe computer software would be more secure if, like a perishable food product, it were labeled with an expiration date.

In a newly published paper, Stefan Frei and Martin May of the Computer Engineering and Networks Laboratory at ETH Zurich, Thomas Dubendorfer of Google Switzerland, and Gunter Ollmann of IBM Internet Security Systems make this recommendation because they found that 637 million (45.2%) out of 1.4 billion Internet users worldwide are at risk from their failure to use the latest, most secure version of their chosen Internet browsers.

"Given the state of the software industry and the growing threat of exploitable vulnerabilities within all applications (not just Web browsers), we believe that the establishment of a 'best before' date for all new software releases could prove an invaluable means to educating the user to patch or 'refresh' their software applications," the paper says. "The same 'best before' date information could also be leveraged by Internet businesses to help evaluate or mitigate the risk of customers who are using out of date software and are consequently at a higher risk of having been compromised."

The issue of browser security matters more these days because more and more malware is targeting Web browser vulnerabilities. Remotely exploitable vulnerabilities have been on the rise since 2000 and accounted for 89.4% of vulnerabilities reported in 2007, according to the study, which claims that "[a] growing percentage of these remotely exploitable vulnerabilities are associated with Web browsers."

Among the various Web browsers studied -- Internet Explorer 7, Firefox 2, Safari 3, and Opera 9 -- Firefox 2 is the most secure, according to the study.

Firefox 2 is considered to be the most secure Web browser because 83.3% of its users worldwide are running the most current version. Second, third, and fourth places go to Apple Safari 3 (65.3% of users running the most current version), Opera 9 (56.1%), and Microsoft Internet Explorer 7 (47.6%).

"It is noteworthy that it has taken 19 months since the initial general availability of IE7 (public release October 2006) to reach 52.5% proliferation amongst users that navigate the Internet with Microsoft's Web browser," the paper says. "Meanwhile, 92.2% of Firefox users have migrated to FF2."

The paper also observes that within three months of the release of Apple's Safari 3 browser, 60% of users had upgraded, likely because of "Apple's controversial inclusion of the new Web browser in the auto-updates of other popular Apple software products." In March, Mozilla CEO John Lilly said Apple's decision to make its Safari Web browser available to Windows users by default "borders on malware distribution practices."

The researchers define the most secure Web browser as "the latest official public release of a vendor's Web browser at a given date." This definition, which excludes beta versions, assumes that the risk of encountering malware that could compromise one's browser is the same regardless of browser market share.

In reality, users of Internet Explorer (78.3% worldwide market share average between February and June 2008) will probably encounter more malware than users of Opera (0.8% worldwide market share during the same period). This is because malware writers tend to target exploit attempts at the widest possible audience.

However, browser brand doesn't tell the whole story since browsers rely on common technology like Adobe Flash, which has had, and continued to have, its share of vulnerabilities. Along similar lines, the study cites research by computer security firm Secunia that indicates some 21.7% of all QuickTime 7 installations are out of date. Thus, having the most current version of one's favorite Web browser may not help if one's other software is outdated.

Editor's Choice
Samuel Greengard, Contributing Reporter
Cynthia Harvey, Freelance Journalist, InformationWeek
Carrie Pallardy, Contributing Reporter
John Edwards, Technology Journalist & Author
Astrid Gobardhan, Data Privacy Officer, VFS Global
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing