Who is using the latest web browser?
Google recently posted an article on their Online Security blog detailing how many users are using a new web browser. A new research paper entitled 'Understanding the Web browser threat: Examination of vulnerable online Web browser populations and the "insecurity iceberg"' was published, revealing that as of June 2008, only 59.1% of Internet users worldwide use the latest major version of their preferred web browser. Google's Thomas Duebendorfer explained:
Firefox users are the most attentive: 92.2% of them surfed with Firefox 2, the latest major version before the recently released 3.0. Only 52.5% of Microsoft Internet Explorer users have updated to version 7, which is the most secure according to multiple publicly-cited Microsoft experts (among them Sandi Hardmeier). The study revealed that 637 million Internet users worldwide who use web browsers are either not running the latest version of their preferred browser or have not installed the latest patches. These users are vulnerable to exploitation due to their web browser's "built-in" vulnerabilities and the lack of more recent security mechanisms such as improved phishing protection.
In addition to being exposed to a slew of browser and plug-in vulnerabilities, old browsers can't take advantage of new security features like EV SSL Certificates. For example, if a site uses an EV SSL Certificate, a user with the latest web browser will see a green address bar (or a green site identification bar in the case of Firefox). This means that if a DNS poisoning attack makes www.google.com resolve to an attacker's server, the green bar will no longer show up and the user will immediately know that something is wrong. The user of an old browser, on the other hand, will have no idea that they are being attacked. Tim Callan from VeriSign pointed this out in light of the recent DNS flaws.
What is the solution?
To help people realize that they are using an old web browser, the researchers propose that the browser clearly display a warning when it is out of date:
We believe that the "best before" dating concept could be built into most existing software applications, and thereby provide a convenient and persistent validation of the likely integrity of the software. For example, popular Web browsers could display a visual warning of expiry and how many patches are currently missing... Armed with more concise USER-AGENT version information, popular websites could also visually alert users (see Figure 6) to the fact that their Web browser is operating beyond its "best before" date and any missing updates (including providing shortcuts to the location of appropriate updates)
Understanding the Web browser threat - [TechZoom.net]
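The website-side "best before" alert proposed above could look like the following sketch, an added example that is not from the paper or the original post. The version table uses the Firefox 3 and Internet Explorer 7 figures from this page, the User-Agent strings are constructed samples, and parseBrowser and bestBefore are hypothetical names.

```javascript
// Latest major versions as stated on this page (mid-2008). Assumption: a real
// deployment would load this table from a maintained source.
const LATEST_MAJOR = { Firefox: 3, MSIE: 7 };

// Constructed sample User-Agent strings in the 2008-era format.
const SAMPLES = [
  "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14",
  "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0",
  "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
  "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
];

// Extract browser family and version from a User-Agent header (hypothetical helper).
function parseBrowser(ua) {
  // Reject absent or oversized headers instead of guessing.
  if (typeof ua !== "string" || ua.length > 512) return null;
  // Opera of this era could present an MSIE token; report unknown rather than mislabel it.
  if (/Opera/.test(ua)) return null;
  let m = /Firefox\/(\d+)((?:\.\d+)*)/.exec(ua);
  if (m) return { family: "Firefox", major: Number(m[1]), full: m[1] + m[2] };
  m = /MSIE (\d+)\.(\d+)/.exec(ua);
  if (m) return { family: "MSIE", major: Number(m[1]), full: m[1] + "." + m[2] };
  return null;
}

// Decide whether to show a "best before" banner for this request (hypothetical helper).
function bestBefore(ua) {
  const b = parseBrowser(ua);
  if (!b) return { status: "unknown", banner: null };
  const latest = LATEST_MAJOR[b.family];
  // "current-major" only means the major version matches; it says nothing about patches.
  if (b.major >= latest) return { status: "current-major", banner: null, browser: b };
  const name = b.family === "MSIE" ? "Internet Explorer" : b.family;
  // The banner is built from the matched digits only and never echoes the raw
  // header, so a hostile User-Agent cannot inject markup into the page.
  const banner = `${name} ${b.full} is ${latest - b.major} major version(s) behind; please update.`;
  return { status: "outdated", banner, browser: b };
}

for (const ua of SAMPLES) console.log(bestBefore(ua).status, "<-", ua);
```

The User-Agent header is client-controlled, so the result is an advisory hint to the user and not a security decision. The MSIE token carries only major.minor, which is why missing patches cannot be inferred from it.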
Originally posted on Sun Jul 20, 2008