Convenience is a Factor in Keeping Browsers Secure

February 13, 2009 Computer Safety Tip

Going through Google’s search logs reveals that end users are generally unaware of security alerts, and largely update to secure browser versions based on the convenience of doing so.

There have been important public debates about the morals of openly discussing unpatched vulnerabilities, and coders will happily boast about their ability to have a fix ready immediately after a vulnerability is disclosed. A new study by Swiss academics, however, suggests that much of this focus has been misdirected. They argue that the ergonomics of the end user’s update process have a far more significant effect on the adoption of secure web browsers than any discussion of the severity of a vulnerability.

Since many of these requests come from shared IP addresses and proxies, the authors combined them with a unique ID in Google’s PREF setting to differentiate individual end users. Although this ignores users of other search services, three of the four browsers sampled default to using Google. This approach probably excludes the most security-conscious web users: those searching anonymously and with cookies disabled, and those whose User Agent strings identify their browsers as something other than what they are.

Major Version Dynamics

Their survey period ran from January 2007 through April of 2008. For part of that period they only sampled three days per week, but the rest involved daily tracking. People tend to use more up-to-date browsers on the weekends than during the week, an effect the authors ascribed to browsing at work, where departmental dictates often limit the adoption of newer software. There was also a cross-browser weekend effect, as use of Firefox went up on weekends at the expense of Internet Explorer, presumably because work policy dictates the use of IE.

They also tracked the migration dynamics as end users switched to new major versions of the four browsers they tracked. For IE, the switch from version 6 to 7 occurred gradually. Many computers bought near the holidays included Vista, which gave IE7 a major boost. Firefox 2 saw its biggest boost when version 1.5 was end-of-lifed, and the automatic update system switched a big chunk of its users to the 2.0 track.

Security-driven dynamics

The authors focused on Firefox and Opera to explore how security warnings and patches influence end-user adoption of minor updates. They say that these browsers are similar: both are free, neither is controlled by a maker of operating systems, and both include minor version information in their User Agent string, which makes it possible to track security patches. But there is one difference: Firefox has an auto-update feature built in to the browser, while Opera’s procedure is comparable to a manual download and install of a new browser.

Firefox users had minor version updates installed within three days of their release, although a weekend effect was layered on top of this. Many users didn’t update until they fired up the software at home. The newest version rose to over 70% of the browser’s share. With Opera, it took 11 days for a new version to exceed the market share of its predecessor, and the share of the updated software never exceeded half of the browser’s total market share.

These figures (80% for Firefox, 45% for Opera) only represent upper bounds on the share of users running a secure browser, as plugins create their own set of security risks. At one stage Firefox experienced a surge of an out-of-date, insecure version, which the authors assume occurred because a software vendor bundled it with another product.
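As an added example (not from the study or the original article), the measurement described above can be sketched in Python: read the minor version from the User Agent string, count each user once per day by per-user ID rather than by IP address, and report the share running the current release. The log layout, the sample records and the version numbers in `LATEST` are constructed assumptions.

```python
import re
from collections import defaultdict

# Minor version is read from the User Agent token, e.g. "Firefox/2.0.0.12".
UA_PATTERNS = {
    "Firefox": re.compile(r"Firefox/(\d+(?:\.\d+)*)"),
    "Opera": re.compile(r"^Opera/(\d+(?:\.\d+)*)"),
}

# Assumed "current patched release" per browser (constructed for this example).
LATEST = {"Firefox": (2, 0, 0, 12), "Opera": (9, 26)}

FX = "Mozilla/5.0 (Windows; U; rv:1.8.1.{0}) Gecko/20080201 Firefox/2.0.0.{0}"
# Constructed records: (date, source IP, per-user ID, User Agent string).
SAMPLE_LOG = [
    ("2008-02-11", "192.0.2.10", "id-a", FX.format(12)),
    ("2008-02-11", "192.0.2.10", "id-a", FX.format(12)),  # repeat request, same user
    ("2008-02-11", "192.0.2.10", "id-b", FX.format(11)),  # same proxy IP, other user
    ("2008-02-11", "198.51.100.7", "id-c", FX.format(12)),
    ("2008-02-11", "198.51.100.8", "id-d", "Opera/9.25 (Windows NT 5.1; U; en)"),
    ("2008-02-11", "198.51.100.9", "id-e", "Opera/9.26 (Windows NT 5.1; U; en)"),
    ("2008-02-11", "203.0.113.5", "id-f", "Mozilla/4.0 (compatible; MSIE 7.0)"),
]

def parse_ua(ua):
    """Return (browser, version tuple) for a tracked browser, else None."""
    for browser, pattern in UA_PATTERNS.items():
        match = pattern.search(ua)
        if match:
            return browser, tuple(int(p) for p in match.group(1).split("."))
    return None

def patched_share(records, latest=LATEST):
    """Fraction of distinct users per (date, browser) on the latest release."""
    seen = {}  # (date, user ID) -> (browser, version): one vote per user per day
    for date, _ip, user_id, ua in records:
        parsed = parse_ua(ua)
        if parsed:  # browsers without a trackable minor version are skipped
            seen[(date, user_id)] = parsed
    totals, current = defaultdict(int), defaultdict(int)
    for (date, _uid), (browser, version) in seen.items():
        totals[(date, browser)] += 1
        current[(date, browser)] += version >= latest[browser]
    return {key: current[key] / totals[key] for key in totals}

if __name__ == "__main__":
    for (day, browser), share in sorted(patched_share(SAMPLE_LOG).items()):
        print(f"{day} {browser}: {share:.0%} of users on the latest release")
```

Counting by source IP instead of per-user ID would merge the two Firefox users behind `192.0.2.10` into one, which is the distortion the authors avoided by using the ID.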
