My 7/06/08 Missoulian column
Some interesting research released last week provides statistics that show almost half of the Web browsers in use on personal computers around the world are not the most recent and secure, leaving users susceptible to malware.
The study – “Understanding the Web Browser Threat” – is based on data gathered between January 2007 and this June. The resulting numbers are surprising: 637 million browsers out of an estimated 1.4 billion in use, or 45.2 percent, are running an out-of-date version.
Web browsers are the workhorses of the Internet, and just like the operating systems they run under, security holes are regularly uncovered – either by the browser developers themselves or by developers of malware. Those problems need to be “patched” with software updates designed to close security holes.
In an ideal world, all computer users would update their software on a regular basis; in the real world, however, getting a user to update is not easy, due either to their not knowing the reason for updating, or not knowing how to set up updates for their PC or browser.
(All full operating systems ship with a Web browser: Microsoft Windows ships with Internet Explorer (either 6 or 7, depending on what version of Windows comes pre-installed); Macs ship with Safari. And there are “independent” browsers – such as Firefox and Opera – that can be installed.)
One of the reasons for the study was to determine how many Web browsers are vulnerable to malware, something that hadn’t specifically been done before. Many previous Internet security studies have concentrated on the security of Web servers – how they’re hacked and how malware is planted in them, how personal and business data is stolen – and not on the end user’s browser. The big security breaches we read about in the news are mostly related to credit card and Social Security numbers being stolen from a business or organization.
But individual Web browser users are vulnerable, too, and that’s where the developers of malware have been concentrating their efforts in recent years. Criminals have to diversify – just like any other business – so browsers have become a popular target because they’re used for online banking, shopping, collaboration on documents and more, and there is much personal data to be stolen with malware.
In 2007, Google uncovered more than 3 million malicious Web addresses, or URLs, that can compromise your computer with a “drive-by download” when viewed. An unpatched browser will download the malware unseen, infecting your computer with software that can steal personal information.
The authors of the most recent study used data on browser usage provided by Google, which records some information on each of the millions of Google searches that take place every day. (Google didn’t give away personal data for this study.) Each time a Web page is viewed, a server collects what’s called an HTTP user-agent header field, which contains bits of data on the kind of browser you are using – Internet Explorer, Safari, Firefox, etc. – and its version. That’s how they found that 637 million Web users were out of date and vulnerable to malware.
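The measurement described above can be sketched in a few lines of Python. This is an added example, not code from the study or from Google: the user-agent strings are constructed samples, and the table of "current" versions is an illustrative baseline rather than the study's figures.

```python
import re
from collections import Counter

# Illustrative baseline of "current" (major, minor) versions: an assumption
# made for this example, not data taken from the study.
LATEST = {"Internet Explorer": (7, 0), "Firefox": (3, 0),
          "Opera": (9, 50), "Safari": (3, 1)}

# Order matters: Opera is checked first because it can imitate other
# browsers' tokens; Safari reports its version in "Version/x.y".
PATTERNS = [
    ("Opera", re.compile(r"Opera[/ ](\d+)\.(\d+)")),
    ("Firefox", re.compile(r"Firefox/(\d+)\.(\d+)")),
    ("Internet Explorer", re.compile(r"MSIE (\d+)\.(\d+)")),
    ("Safari", re.compile(r"Version/(\d+)\.(\d+).*Safari/")),
]

def parse_user_agent(ua):
    """Return (browser, (major, minor)), or None if the header is unrecognized."""
    for name, rx in PATTERNS:
        m = rx.search(ua)
        if m:
            return name, (int(m.group(1)), int(m.group(2)))
    return None

def outdated_share(user_agents, latest=LATEST):
    """Count current/outdated/unknown browsers; share is outdated / recognized."""
    counts = Counter()
    for ua in user_agents:
        parsed = parse_user_agent(ua)
        if parsed is None:
            counts["unknown"] += 1  # bots, rare browsers, stripped headers
            continue
        name, version = parsed
        counts["outdated" if version < latest[name] else "current"] += 1
    known = counts["outdated"] + counts["current"]
    return counts, (counts["outdated"] / known if known else 0.0)

# Constructed sample headers, in the style of 2008-era browsers.
SAMPLE = [
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14",
    "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_3; en-us) AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.1 Safari/525.20",
    "Opera/9.27 (Windows NT 5.1; U; en)",
    "ExampleBot/1.0",
]

if __name__ == "__main__":
    counts, share = outdated_share(SAMPLE)
    print(dict(counts), f"{share:.1%} of recognized browsers are outdated")
```

The header is self-reported and says nothing about plug-ins, so a count like this is an estimate of browser versions only.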
So what’s their conclusion? The authors recommend using Firefox because of its automatic update feature, which is turned on by default when Firefox is installed. Eighty-three percent of Firefox users had the latest version, compared with 47 percent of Internet Explorer users. And most Firefox users updated within three days of a new patch, compared to Internet Explorer, where Microsoft typically releases patches once a month or less.
In their recommendations, the authors of the study draw an interesting correlation between the food industry and Web browsers, suggesting that a date be displayed in the browser toolbar – something like a “best before” date on food packages – to warn of how much time has lapsed since an update and how many patches have been missed. The authors also stress that anti-phishing technology is a very good defense against malware. Such URL filtering is built into Firefox; it’s also available with Internet Explorer 7, though it isn’t on by default.
One acknowledged problem with the study is that research can’t measure the vulnerabilities of browser plug-ins, as information on them isn’t sent with HTTP headers. Plug-ins such as Flash, QuickTime and audio and video players can have security problems even in fully patched browsers.
While no one can guarantee protection against browser vulnerabilities that are exploited within days of their appearance, before patches are released, the best you can do is to be sure both your operating system and browser are up to date.
For Windows computers, be sure you have Windows Update turned on. On Macs, have the Software Update control panel turned on. And consider switching to Firefox for safer browsing. It will import your favorites and can exist side-by-side with other browsers. Firefox is a very good idea for Windows computers, which is where almost all malware is targeted, and for Macs, too, even with the current lack of malware out there for OS X. If you want to try Firefox, download it here.