Study: 637 million Google users surfing with insecure browser


According to a new study from researchers at Google, IBM and ETH Zurich, there are about 637 million Google users surfing the Internet with a vulnerable Web browser.

Using data from Google search queries and security vulnerability aggregator Secunia, the study (HTML or PDF) found that a whopping 45 percent of Google users "were not using the most secure Web browser version on any working day from January 2007 to June 2008."

[ SEE: Techmeme discussion ]

The researchers used the most recent major versions of Internet Explorer 7 (IE7), Firefox 2 (FF2), Safari 3 (SF3) and Opera 9 (OP9) as the benchmark for the most secure Web browser measurements, and suggest that the auto-update mechanism in Mozilla Firefox is working well to keep users up to date.

We discovered that at most 83.3% of Firefox users, 65.3% of Safari users, 56.1% of Opera users, and 47.6% of Internet Explorer users were using the latest most secure browser version on any day between January 2007 to June 2008. For the latest version analysis of Safari, we only considered the date range Dec 2007 to June 2008, when Safari version 3 became widespread.

However, despite the single-click integrated auto-update functionality of Firefox, rather surprisingly, about 17% of Firefox users (one out of six) continue to surf the Web with an outdated version of the Web browser.

The entire report is a valuable read on the state of browser security but, as Brian Krebs points out, the conclusions should be considered conservative since they do not include information on vulnerable plugins (think Flash Player, Adobe Reader, Java, QuickTime, etc.). Also, bear in mind that these numbers only represent Google users. In China, for example, Google is the number two search provider behind Baidu, meaning that a large percentage of Web users are not included.

More from Asa Dotzler and Hackademix.

* Image source:  laihiu's Flickr photostream (Creative Commons 2.0).


Talkback

49 comments
  • Laziness, ignorance or apathy

    I have a coworker (an IT director) that has a Windows XP
    laptop that hasn't been updated in three years. He says he's
    afraid of patching Windows XP because "something might
    break."

    Laziness, ignorance or apathy - welcome to the real world.
    It's out there in spades.

    -M
    betelgeuse68
    • Laziness, ignorance or apathy

      Like all the developers and "techies" who don't know what or how to think until a Microsoft press release tells them.
      fr0thy2
      • or perhaps just good judgement?

        It's really kinda sad that so many people (especially "professionals" or "experts") fail to grasp the difference between "risk" and "threat", and think that a known, yet very very very low risk, bug in an older tool is more of a threat than the unknown flaws in a more current tool. I don't give a rat's patootie about all those obscure threats that MS issues KB's for ... a decent firewall, AV scanner, and anti-spyware program will protect the casual web-surfer from 99.999% of all threats. This so-called "problem" of unsecure browsers is 99.999% hype.
        Gravyboat McGee
      • Pretty much describes your life...

        I feel sorry for you. But reading your comments points out how much better my life is - THANKS !
        ItsTheBottomLine
    • Try Yellow Journalism

      This is a totally misleading story. Their criteria for secure was the latest browser version and not an unpatched browser.


      If you RTFA you would see the criteria

      "For years the software industry has promoted one security best practice over all others: always use the most recent version of the installed software and instantly apply the latest patches."
      Duke E. Love
  • That bird in the active Tech Pros ad is pretty

    :-)
    fr0thy2
    • Have to take your word for it

      Ad? What ad?

      The (really, REALLY little) price one pays for running AdBlock in Firefox.
      flatliner
      • RE: Have to take your word for it

        Quote: "Ad? What ad?

        The (really, REALLY little) price one pays for running AdBlock in Firefox."

        Absolutely!!!!!!
        fatman65535
      • Touche!

        You got that right.

        <NT)

        ;^)
        thx-1138_
  • IE6

    There are still a great many applications out there that require IE6, making upgrading to IE7 or 8 impossible. We have users in our organization connecting to a secure app at a state office that will not move past IE6, or even consider FF or other alternatives. Banking and Real Estate are other examples of vertical markets stuck on IE6. I mention this because it is not always just that people are lazy or clueless for using an older browser as some here have alluded.
    itpro_z
    • That's sad...

      I guess some people don't realize that you can install as many browsers as you like on your system and even use more than one simultaneously. This idea that "oh, i can't upgrade because they won't let me" is crap...if you need to use old browsers with swiss cheese for security then so be it. But it doesn't mean that you can't use a modern secure browser for everything else and still keep the swiss cheese.
      eMJayy
      • True... But...

        I can see that You... Have never worked for a government. Or a company that requires "Standardization".

        You won't be installing ANYTHING on a computer. You will be lucky if you can see anything outside your profile in Documents and Settings. Won't even be able to install a local printer, change your background desktop, screen saver... Browser.... LOL.

        It is the Home User that you must be talking about. Well there you have the problem of them setting it up and not someone that knows about such things.

        If they are lucky, they will ask a knowledgeable person to help them fix the mess that they are in and if this person is nice, they will leave the PC up-to-date and secure with Auto-Updating enabled so that the Home User doesn't have to do anything to stay that way.
        dbisse
      • You have Misunderstood

        Are you really so unaware? Many computer users in the office do not even have privileges to do an install. This is because surprisingly many companies have IT departments that do not give XP users Admin privileges.

        What is more, some webapps look at the user-agent and refuse to deal with a browser they don't recognize. Sometimes this check is done so conservatively, they do not recognize a newer version of the same browser.

        Now -that- is what is sad!
        mejohnsn
        • IT departments that do not give XP users Admin privileges

          Why do you consider that surprising?
          If users are given admin privileges they will install unauthorised software and thereby compromise the whole network. In the interests of network security users should be given only the most basic rights over their PCs.
          MinorityReport
        • ...surprisingly no admin privilege...

          You are joking, right?
          ...surprisingly many companies have IT departments that do not give XP users Admin privileges...
          Might as well turn on (auto) Windows update. While at it, turn off the firewalls and allow access to any/all web sites.
          Oh. Forgot about antivirus.
          What world do you live in?
          Have you ever used a "commercial" application? Have you ever tested/certified one on *any* platform?
          If you did, you would not be so cavalier about admin privileges and apps refusing to run on any old version.
          Have you ever been blown out of the water by an update? Not to mention service pack.
          I agree on one point - it's a sad world we live in, but not because of the IT lockdown. It's because of the quality of software out there, regardless of the vendor *or* platform.
          radu.m
        • Admin Privileges

          Administrator privileges are just that - privileges restricted for administrators. Common users are NOT administrators and for VERY good reason.

          IT aside, let's put this into perspective. Imagine you are your company's CFO. Now imagine that every one of your employees can see exactly how much you make. Further imagine that every one of them can make debit/credit journal entries in your accounting books. What do you get? Chaos. Disaster.

          Now you know how IT admins feel. The true sadness is in your own ignorance.
          blarman_z
  • WEB Security Appliance at the perimeter...

    For enterprises and especially Educational Institutions it is no longer a luxury not to have a Web Security Appliance at the network perimeter as exploits sometimes precede patches.

    The best patch management and mitigation can't protect all users all the time since within enterprises and institutions mission critical software requires plug-ins and/or active content.

    So while you can't mitigate the risk by disabling functionality and without something at the network perimeter to protect the users, one can simply cross their fingers and hope for the best.

    It is a sad state of affairs when the people with the money aren't convinced something is necessary until AFTER a major event has occurred no matter how one tries to sell this up the chain of command.
    dunn2
  • RE: Study: 637 million Google users surfing with insecure browser

    Any wonder why there are so many Malware/Spyware problems on PCs today?

    Google is probably #1 at sending its users to their doom by malware websites that come up in their searches.
    dbisse
    • It's easy to avoid.

      Any search engine brings up bad sites.

      Get the free McAfee Site Advisor for Windows and Firefox.

      For Windows:
      http://www.siteadvisor.com/download/ie.html

      For Firefox:
      http://www.siteadvisor.com/download/ff.html
      Joe.Smetona
      • An alternative or complement

        (I use it as the latter) to the excellent McAfee tool to which links are provided above is the Netcraft Toolbar (http://toolbar.netcraft.com/), which is also available for both Firefox and IE builds....

        Henri
        mhenriday