RSSWeb browser study uses Google data to pinpoint security problems
By Jacqueline Emigh | Published July 2, 2008, 5:35 PM
Less than 60 percent of Web users are outfitted with up-to-date, fully patched browsers, according to a new, IBM co-authored research study, which relies on examinations of users' Google log records to help reach that conclusion.
Jointly produced by the Swiss Federal Institute of Technology, Google, and IBM Internet Security Services, the study places most of the blame for browser security problems on Microsoft's Internet Explorer.
A total of 52.4% of all IE users had failed to upgrade to IE7, the latest version of Microsoft's browser, according to the survey results. Moreover, merely 47.6% of IE users had all of the software upgrades and patches installed on their browsers needed for "safe" Internet surfing.
In contrast, 83.3% of Firefox users were using totally updated browsers, followed by 65.3% for Safari and 56.1% for the Opera browser.
As potential remedies for more secure browsing, the researchers suggested that all browser makers should install an auto-update feature -- already present in Firefox, for example -- and that browsers should be given expiration dates.
"The analysis presented in this paper is based on the large global user base of Google's Web search and application sites," the researchers wrote in their paper.
Google's search and Web application server log data was used to figure out which specific versions of the Firefox, Safari, and Opera browsers people were using, which include the latest point releases. IE, however, only communicates information about which major version is in place -- such as IE6 or IE7 -- to Web servers.
Consequently, to detect smaller IE browser updates, the researchers reportedly depended on data from users who had installed Secunia's Personal Software Inspector software on their PCs.
No "personal data" was collected about Google users, according to the authors. Interestingly, though, in recent months, Google has come under fire from privacy advocates who claim the company could be violating a California privacy law by failing to post a link to its privacy policy directly from the Google home page.
Accessible through a number of other methods -- such as by entering "Google privacy" on the Google search line -- this policy does state, among many other things, that when "you use Google services, our servers automatically record information that your browser sends whenever you visit a website."
These server logs "may include information such as your web request, Internet Protocol address, browser type, browser language, the date and time of your request and one or more cookies that may uniquely identify your browser," according to Google's policy statement. Google's policies around log data and personal data are different, though. According to Google, the personal information collected includes that person's e-mail address and Google search activity, for instance. Yet this personal information is collected only from users who set up Google Accounts, and users can supposedly cancel those accounts at any time.
Why did IBM pitch in on the browser research, too? Logically, IBM's interest would seem to revolve around the study's acknowledged focus on the browser as a potential vulnerability point in host-based computing. "In recent years the Web browser has increasingly become targeted as an infection vector for vulnerable hosts," the researchers said, in a preface to the report. "Classic service-centric vulnerability exploitation required attackers to scan for and remotely connect to vulnerable hosts (typically servers) in order to exploit them. Unlike these, Web browser vulnerabilities are commonly exploited when the user of the vulnerable host visits a malicious Web site."
Part of my Windows post install routine is to
uncheck IE's "automatically check ... for
updates" option.
Score: 0
Mine is the exact same way, but I surposely disable it. I personally want nothing to do with IE7. It's a matter of choice.
Score: 0
Some of these people are unable to practically update their machines. Not everyone has broadband, and some people still pay dialup by time or data transferred. This is common in the likes of Indonesia. When their download is 8k a second and they're paying for that 8k, are they really going to feel like doing 30MB+ of updates every month? And a 300MB service pack? No chance.
Score: 0
Thank you! Somebody else has realized the problem still facing some (not me btw) internet users today.
Score: 0
As well, IE7 is only available to those with a valid Windows license.
Score: 0
I guess there are allot of people using the internet who perhaps shouldn't. Explains why Norton is so popular I guess.
Score: 0
Exactly! ...and you would also probably find that these same people have never updated Windows or any other software on their machines.
Score: 0
Perhaps the internet is for all folk, some actually enjoy using it and have a life outside of posting on forums like this. You feel you are in a position to make a judgement on users who are likely to be qualified in areas that you are not. Because someone told you what a firewall was, and you read a magazine once does not give you the right to make such an arrogant statement.
Score: 0
You are as arrogant as your friend, and a very patronising fellow, did you also read a book about computers once ?
Score: 0
At the end of the day the web is people, and different sides of the web are appropriate to different people. The web is for all, however 'all' ain't necessarily the most computer literate. Its the job of certain 'others' to make sure they are protected and stay up to date...
As for Norton, lets just say I wish that the company would stop conning people into a false sense of security! What a shame.
Score: 0
I just skimmed through and looked at the pictures.
Score: 0