July 1, 2008

staying up to date and secure online

Brian Krebs, over at the Washington Post, has a great article up on the recently released study by IBM, Google and Communication Systems Group, which finds that Firefox users are far and away the most up to date users on the Web.

"83.3 percent of Firefox users were found to have the latest version installed at any given time. That's notably more than Web surfers using the latest versions of Safari (65.3 percent), and Opera (56.1 percent)."

Wow. That's a pretty stark difference. I'm not surprised to see Opera so low, considering their lack of a simple and efficient update mechanism (something I've written about in the past), but I am surprised that more than one third of Safari users weren't on the latest release, given that Apple does have that simple update mechanism as part of its operating system. I suppose that some of Apple's problem could be that it drops support for older versions of OS X rather quickly, and so there may be some decent number of people running OS X versions that simply cannot run the latest and safest software.

The report is pretty clear on the state of software updaters, saying, "We believe the auto-update mechanism as implemented within Firefox to be the most efficient patching mechanism of the Web browsers studied."

The I.E. data is a bit less concerning to me because Microsoft continues to provide security updates for I.E. 6, making it less critical that users update to I.E. 7. Still, with I.E. 7, users do get added protections both in terms of security architecture and user-facing security features, so Microsoft shouldn't be let off the hook for not moving more of its users forward. I do wonder if, like I speculated for Apple, Microsoft still has any significant number of users on pre-XP SP2 systems that simply cannot run I.E. 7.

My take-away from this is that we're doing a pretty good job, certainly with room for improvement, of keeping Firefox users up to date. Safari is the big let-down given their built-in system for updating their users, and Opera remains the lone browser maker that puts dozens of nice-to-have features above the basic security needs of its users. As I said in January of 2007, "Opera Software should not ship another major release until they have a similar [automatic update] program in place." Unfortunately for their users, Opera has shipped two major feature updates since, and there's still no sign of an automatic update system for their desktop users.

Security is a process. That process includes the effort an organization puts into developing a software architecture that's secure from the ground up, extensive code reviews to prevent security bugs from creeping in, thorough security auditing, both blackbox and whitebox security testing, responsiveness in fixing security issues as they become known, and fast and easy deployment to their users. At Mozilla, all of that is available for the world to see and the results are solid. At the other browser companies, it's only that final step that's available to see, and if the other vendors are falling down on that one, who knows what else they're dropping on the floor behind closed doors.

Posted by asa at 6:34 AM