News

IE Is Least-Patched Browser, Report Says

More than 40 percent of Internet surfers don't use browsers with up-to-date security patches -- and IE users are the biggest culprits.

• By Jabulani Leffall
• July 1, 2008

The report, "Understanding the Web Browser Threat," was conducted by researchers at ETH Zurich, Google Inc. and IBM Internet Security Services. Its main assertion is that Web browsers -- such as IE, Firefox and Safari -- are often the weakest link in the security configuration of a given workstation.

IE took hits throughout the report, which claimed that the gestation time between Microsoft patch releases is too long compared to similar programs from Apple and others. In fact, according to the report, IE came in dead last in terms of security, with only 47.6 percent of its users having the latest security patches.

The report's authors wrote: "Considering that Microsoft offers Internet Explorer 7 as an auto-upgrade from Internet Explorer 6 as part of the monthly Windows updates and that it requires a manual patch to prevent upgrading to version 7, it is rather surprising to see how slow the migration to the most secure version has been."

Firefox came in first place, with 83.3 percent of its users having the latest version. Apple's Safari and the open source Opera came in second and third, with 65.3 and 56.1 percent of its users, respectively, running the latest versions.

But, as with many such reports, there are those who were quick to question the findings and defend Microsoft's position in the security space. In particular, Microsoft Software Security Software Engineer Robert Hensing took issue with the way the data on IE was gathered, arguing that the method could not have produced the results stated in the report.

"I can appreciate what [the report's authors] are trying to do -- and I believe they were probably trying to be as un-biased and scientific as they possibly could given the nebulous goal of the study, but it was, unfortunately, full of fail," he wrote in his blog on Tuesday, soon after the report's release. "What they seem to have done is combed the Google logs looking at the user-agent strings...The only problem? IE doesn't send minor version information, so there's no way to determine IE patch levels from the user-agent string. Oops."

For their part, the report's authors stated that the statistics for IE 6 and 7 were gleaned using data from third-party tools that measure Web activity.

Criticisms aside, what Tuesday's report did do -- and many studies rarely do -- is present viable solutions to what is a clear issue regarding patch management and enterprise security.

"Critical to this instantaneous patching process is the mechanism of auto-update," the report's authors wrote. "Our measurement confirmed that Web browsers which implement an internal auto-update patching mechanism do much better in terms of faster update adoption rates than those without."

To that end, the authors recommended a "'best before' dating system" that would send alerts to users near the end of the patch cycle reminding them when to patch and -- more importantly -- if they should.