The researchers who published a large study of Web browser security this week had a great idea and excellent data to work with. Too bad they overreached with their conclusions. A lot more is being made of this paper than is warranted.
The researchers, from ETH Zurich, Google and IBM, looked at log data provided by Google from their global user base for Web search and applications for the period between January 2007 and June 2008. This data was based on the browser user-agent string, which is also the reason the data is not as telling as the authors argue.
What did the study conclude? First, lots of users are not running the most up-to-date and secure versions of their Web browsers. Second, this is primarily a phenomenon of Internet Explorer users; Firefox users, on the other hand, overwhelmingly update their browsers quickly. These and other results led the authors to suggest that browsers get expiration dates, much like milk and pharmaceuticals.
It’s fair to assume that the test sample is a highly representative one, as Google is both dominant in the search business and used worldwide. I could argue that users of Microsoft’s search engine are more likely to use Internet Explorer than are Google users, but this is a small, marginal difference. The problem is not in the users, but in the user-agent string.
The user agent is a string that a browser, or “user agent” (the more general programming term for Web clients), presents to a Web server as part of a request. Click here to see your own browser’s user agent. Click here to see a database of different user agents for different browsers and other “user agents.” Servers log this data and often use it to determine which content to send to the client.
I always run both Firefox and IE7. Currently my Firefox user agent is:
“Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0“
and my ie7 user agent is:
“Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; InfoPath.2; MS-RTCLM 8)“
You can see pretty easily that the Firefox one is Firefox 3.0, that it’s running on Vista set for U.S. English. 1.9 is the version of the Gecko engine and “2008052906” is the build data for that engine. In the IE7 string, we can also see that it’s Vista. The “SLCC1” is not clear but may refer to security licensing components. You get versions for .NET CLR and Media Center. I don’t know what “MS-RTC LM 8” is. [Update: Thanks to a reader at Microsoft for pointing out that “MS-RTC LM 8” refers to Live Meeting 2007.]
But note that the build data and Gecko version on Firefox give you a lot more version information about Firefox than you get about Internet Explorer. For IE, all you get is major version information, i.e. IE5, IE6, IE7, IE8. The study authors note this themselves:
The USER-AGENT header fields for Firefox, Safari, and Opera contain both major and minor version information, whereas Internet Explorer only contains the major version. Therefore, it was not possible to enumerate the patch level of Microsoft Internet Explorer using this method beyond its major release numbers.
The authors supplemented their study with data from Secunia’s Software Inspector, a tool that tracks applications on PCs and whether they are up to date with latest versions.
The Problem with the Methodology
Here’s the problem: Because they had no minor version information, the authors took the position that anyone running IE7 was running the most updated, secure IE browser, and anyone running earlier versions was not. This is even though IE6 and even IE5 are currently supported browsers and patches are being issued for them. Mozilla retires support for old versions quickly and in fact just announced that support, including security updates, for Firefox 2 would terminate by mid-December, about six months after the release of Firefox 3. Microsoft, on the other hand, has committed to maintaining support for IE5, which debuted in 2000 with Windows 2000, as long as Windows 2000 is supported (7/13/2010). Same with IE6 for as long as Windows XP (4/8/2014) and Windows Server 2003 (7/14/2015) are supported.
With Firefox, Safari and Opera, on the other hand, they were able to say that a user was running the latest patch level. In other words, they held Internet Explorer to a different standard than they did for the other browsers. This is a common error made in security analysis, and the authors make it another way in the study.
Those of you who work in corporate IT know that you don’t jump into installing new major versions of anything, especially critical applications like Web browsers. Microsoft is continuing to support IE5 on Windows 2000 because customers demand it, not because they might as well do it. They can’t unilaterally order their customers, as Mozilla and Apple do, to upgrade. Small wonder those products don’t have any significant official corporate adoption, and if they did, their policies would soon change.
I know I shouldn’t stereotype like this, but who are Firefox users? My guess is that they are largely more technical users who take an active interest in their systems and have authority over those systems. Such users are going to update when new patches come out. Corporate users don’t have the option of applying updates or installing new versions; IT does that for them.
Yet the study concludes from their numbers that Firefox’s update mechanism must be better than the competition’s because people use it. I have found the odd bug or two in Firefox’s updater, but it is very good, at least for an individual user. It’s not so good for a managed corporate network (note that there is an Active Directory-enabled version of Firefox available, customized by a third party). Perhaps the difference in adoption rates for IE major versions has nothing to do with updating mechanisms and everything to do with the choices that customers have available to them.
So if a customer chooses to run IE6 and keep it up to date with security patches, are they running the most secure browser they can? Certainly not, as the paper is correct to point out that IE7 is a much more secure browser. But Microsoft is supporting the browser and providing security updates, so running an updated IE6 is not the same as running, for instance, a version of it that hasn’t been updated in a year. The authors’ methodology also leaves them concluding that all copies of IE7, including those that have never been updated with the patches for that browser, are up to date.
Why, one might ask, does Microsoft not provide minor version information? Microsoft’s David LeBlanc answers that question in his blog by saying that they consider such information to be an “information disclosure vulnerability.” In other words, by giving a Web-based attacker precise version information, you are also giving them better information on how to attack that browser. Alun Jones challenges LeBlanc’s characterization of minor version information in this way as a comment to the blog entry, and LeBlanc responds inline. I recommend reading it all for extra credit. (Yes, there will be a test on this.)
Finally, getting back to the Secunia data, the authors’ results for that set were very different from those of the Google data:
“Secunia  identified (for the month of May 2008) that 4.4% of IE7, 8.1% of Firefox, 14.3% of Safari (Windows only), and 15.2% of Opera users have not applied the most recent security patches available to them from the software vendor. In comparison, we discovered that 16.7% of Firefox, 34.7% of Safari (all OS), and 43.9% of Opera Web browser installations (using our Web server log-based measurements) had not applied the most recent security patches. We found that our Firefox, Safari, and Opera results were higher than those of Secunia’s, differing by a factor of 2.1 (Firefox), 2.4 (Safari), and 2.9 (Opera), and attribute this difference to a probable bias for more security aware users to take advantage of Secunia’s security scanner PSI than the average global community.“
In these measurements IE7 users are much more likely to be up to date than other browser users. The authors are correct that Secunia users are more likely to be security-aware, but even when they try to adjust the numbers, multiplying the IE7 number by 2.1 “… to correct for the bias of Secunia’s measurement within a security aware user population,” IE7 still ends up looking better.
I know I would certainly like to get my hands on Google’s user-agent logs. There are plenty of great studies you can do with it, and this study could have been a lot better had they not overreached. Unfortunately, we can’t conclude a lot based on it.
Security CenterEditor Larry Seltzer has worked in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer’s blog Cheap Hack.