ETH Zurich: Web security, More than 600 million users surf at high risk

July 2008 by ETH Zurich

Security researchers from ETH Zurich (The Swiss Federal Institute of Technology)
and Google have shown in a first-of-its-kind study that more than 600 million
Internet users have vulnerable Web browsers and are therefore easy targets of
"drive-by download" attacks.

The high download rate of the latest 3.0 version of Mozilla Firefox is on everyone’s
lips. According to ETH Zurich researchers, this is good news. The researchers
used data archived by Google’s global search and Web application
servers between January 2007 and June 2008 to examine the proliferation and
update dynamics of Web browsers around the world. Through this first-of-its-kind
detailed study, the researchers were able to identify the number of Web browser
installations globally that are insecure due to outdated Web browser versions.
These installations are vulnerable to remote exploitation via popular drive-by
download attacks.

Slow reaction to latest browser version

Published today, the researchers’ paper entitled "Understanding the Web
Browser Threat" shows that as of June 2008, only 59.1% of Internet
users worldwide use the latest major version of their preferred Web browser.
Firefox users are the most attentive: 92.2% of them surfed with Firefox 2, the
latest version before the recently released 3.0. Only 52.5% of Microsoft Internet
Explorer users, however, employ the latest, most secure Internet Explorer 7 to
surf the Net. The study revealed that 637 million Internet users worldwide who
use Web browsers are either not running the latest version of their preferred
browser or have not installed the latest patches. These users are vulnerable to
exploitation due to their web browser’s "built-in" vulnerabilities.

"Insecurity iceberg"

The more than 600 million users of outdated web browsers are only the tip of the
iceberg, says Stefan Frei of the Communications Systems Group, part of ETH Zurich’s
Computer Engineering and Networks Laboratory (TIK). The proliferation of
insecure and unpatched "plug-in" technologies increases this number further.

Neglected security patches

Over the past 18 months, the study also shows, a maximum of 83.3% of Firefox
users were using the latest major version of the Web browser with all current
patches installed. Only 56.1% and 47.6% of Opera and Internet Explorer hosts,
respectively, were similarly utilizing fully-patched Web browsers. Apple users
are no better: since the public release of Safari 3, only 65.3% of users operate
the latest Safari version.

"Best before" dates for browsers

The study’s most important finding is that technical measures now in place do
not sufficiently guarantee browser security, and that users’ awareness must be
further developed. The problem is, the ETH Zurich researchers say, that most
users are unaware that they are not using their browser’s latest version. It must
be made clear to Web browser users that outdated software is associated with
significantly higher risk. The researchers therefore suggest that, as a critical
component of software, a “best before” date be instituted, as is done in the food
industry. Software updates must also be made easier to find. The resulting
transparency would go far in contributing to end user awareness of software
weaknesses, and allow users to better evaluate risks.

