A group of researchers on Tuesday said 637 million web users are surfing with outdated internet browsers and are, therefore, at greater risk of web-based attacks.
Using data collected from Google web searches and security firm Secunia, the researchers — Stefan Frei of ETH, Zurich; Thomas Dübendorfer of Google; Gunter Ollmann of IBM ISS; and Martin May of ETH, Zurich — analysed the browsers used in a report. The researchers aimed to understand why so many recent attacks by criminal hackers have been aimed at the browser, and why those attacks have been so successful.
Overall, the authors found that roughly 40 percent of users were utilising insecure versions of web browsers. Among the least upgrade-compliant were users of Internet Explorer (IE), which currently dominates the internet-browser market.
The data was collected in mid-June 2008. Of the users, 78 percent employed IE, 16 percent Firefox, three percent Safari, and 0.8 percent Opera. The percentage of these users who were running the latest version of their browser was 52 percent for IE, 92 percent for Firefox, 70 percent for Safari, and 90 percent for Opera.
The authors noted that it has taken IE7, the current Internet Explorer release, 19 months to gain only 52 percent of the entire Internet Explorer audience. Forty-eight percent of the users in the study were either using an old version of IE7 or still had IE6 installed.
Some of this has to do with how the respective suppliers provide updates. IE7 is currently offered as an auto-update with each monthly set of Microsoft security patches, yet a number of people are opting out of the upgrade and still running IE6.
The study did not include use of insecure browser add-ons, such as older versions of Adobe Reader, because the data from Google contained only the browser information.
The study made comparisons to the food industry, arguing that people understand the need to buy the safest foods, but not to use the safest version of browsers. The study asked whether internet browsers, like food, should display expiration dates. The authors provided an example of a browser that displayed in red in the upper-right-hand corner: "145 days expired, three updates missed."
However, unlike in the food industry, there is no liability for software vendors. And, the authors noted, software vendors are not legally obliged to provide software updates.