
Firefox Surfers More Likely Patched Than IE Users

New statistics released today indicate that people who use Mozilla's Firefox Web browser are more likely to be cruising the Web with all of the latest security updates installed than those surfing with Microsoft's Internet Explorer.

Internet Security vendor Secunia came to that conclusion by analyzing the results of some 4.9 million programs scanned by its "software inspector" -- a free tool which can scan your PC for missing security updates for about 30 of the most commonly installed desktop applications. Secunia found that 1.4 million of those applications were lacking in critical security patches released by their respective vendors.

Comparing browsers, Secunia looked at Firefox, Internet Explorer and Opera, and found that Firefox 2 was the least vulnerable, with just 5.19 percent of all Firefox 2 installations missing security updates. In contrast, the tool found that 11.96 percent of all Opera 9.x installations were missing security updates, while the numbers for IE6 and IE7 were 9.61 percent and 5.4 percent, respectively. Since Secunia's tool is designed to scan Windows applications, it did not test how many Safari Web browser users were up to date, which is too bad.

From where I sit, this research suggests two things. First, that the auto-patching component built into Firefox 2.0 is somewhat more effective than Microsoft's approach, which gives users the option to decline updates. With Firefox 2.0, new updates are installed automatically. IE patches are disseminated along with the rest of the security updates for Windows, via whatever mechanism the user has specified -- usually either automatic updates or manual installation.

Second, it appears that while Opera fans are seemingly always quick to claim that theirs is the most secure and least-attacked of the major browsers, its user base may be a bit more complacent about applying security updates.

Incidentally, Secunia's stats for Firefox users match pretty closely with those for visitors of the Security Fix blog. According to the stats I compiled in a report for today's visitors (see the graph on the left for a detailed breakdown), slightly less than 4 percent of all visitors are coming to the site with outdated (unpatched) versions of Firefox. Our site statistics page obviously can't tell whether IE users who visit the blog are up to date on the latest patches, but overall, 70 percent of those who read Security Fix do so using IE6 or IE7, whereas roughly 25 percent drop by with some version of Firefox.

The browser debates are what really make most readers' blood boil, but another stat in the Secunia report is perhaps a bit more worrisome: The number of people who use unpatched movie and music players. Secunia found that nearly 27 percent of Winamp users were missing critical security updates, while more than 33 percent of Quicktime 7 installations were outdated.

If you haven't yet done so, take advantage of Secunia's software inspector. Then come back here and tell us how you fared.

By Brian Krebs  |  May 16, 2007; 4:16 PM ET
Categories: From the Bunker, Latest Warnings, Safety Tips


Hmmm. Can't test via Secunia's software inspector because it requires Java, which is on my software blacklist. Which, BTW, is one part of a defense in depth strategy to computer security. Keep your attack surface small and patching to a minimum.

Anyway, I suspect the slight variation between the patch levels of browsers has more to do with the type of people who use them than the actual patching mechanisms in play. Those that use Firefox, more so than IE are most likely techies that tend to understand computer security is a process, not a do it once and walk away from it kind of thing. As such, they are more thorough in ensuring the patch level of not only the browser, but also the entire system.

In the end, I always try to use this analogy to family and friends. Cars and computers need constant maintenance as well as appropriate knowledge in their use for the safest operation. To do otherwise is just ignorance! Then again, many are just that and are completely happy to go about living their lives that way.

Posted by: TJ | May 16, 2007 4:58 PM | Report abuse

Interesting that a software-security analysis program is returning so much information about users to the home company. Is that optional? Can a user tell it not to send back such information?

Posted by: Tom T. | May 16, 2007 5:10 PM | Report abuse

Tom -- It's a free tool. And it's not like it's collecting this information on the sly. To the contrary -- that's pretty much the stated intent of this program. Granted, I can't seem to find a "terms of use" page or statement as relates to their Software Inspector, but as a user I certainly wouldn't expect them to discard the aggregate data.

Posted by: Bk | May 16, 2007 5:22 PM | Report abuse

Thorough scan
20 Applications Detected in Total
7 Insecure Versions Detected
13 Secure Versions Detected

4 of the 7 are Macromedia Flash Player in
Adobe Bridge
Adobe Help
Mozilla plug in

The others are

So, I guess I need to update all the flash players in those programs. That sucks


Posted by: HAH | May 16, 2007 6:44 PM | Report abuse

Something that may skew these results:
Windows users who use Firefox as their primary browser may have the unpatched (and unused) copy of IE that came with their operating system.

The reverse will not be true (i.e., if IE is the primary browser, it is more likely that Firefox will simply not be present).

Therefore, we would expect the unpatched IE signal to be a bit higher than is relevant from the browser-security point of view (although still relevant to overall security if non-browser applications are dynamically linking to IE components).

This argument does not hold if the Firefox users are also regularly applying Windows updates.

Posted by: Mark | May 16, 2007 6:45 PM | Report abuse

The Secunia programme wouldn't run. I only got a message saying there might be problems loading the Java applet in my computer. Is there a way around this?

Posted by: JB | May 16, 2007 7:00 PM | Report abuse

The issue I would have with the reporting is that it's done without encryption. See my short writeup in the Security Fix blog entry for the inspector, cited near the end of this entry.

Brian, if you have access to the Security Fix web logs, you can identify certain unpatched browsers from the User-Agent string. A little grepping, awking, sorting, and uniq-ing would get you some statistics for Security Fix readers.

Posted by: antibozo | May 16, 2007 7:25 PM | Report abuse
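The grep/awk/sort/uniq pipeline antibozo describes, written out as an added example (it is not code from the post, from Secunia or from the commenter). It tallies the Firefox versions reported in a web server's access log by User-Agent string and counts hits from builds older than a release you name; the log lines are constructed for the example, and the "current" version passed in (2.0.0.3, the Firefox 2 release current around the date of this post) is an assumption the caller supplies. Because the User-Agent header is client-supplied, the result is an inventory of what visiting browsers claim to be, not proof of their patch state.

```shell
#!/bin/sh
# Added example (not from the Security Fix post or Secunia): tally Firefox
# versions seen in access logs via the User-Agent string and flag the ones
# older than a release the caller names.

# Constructed sample log lines in combined log format (fictitious hosts).
SAMPLE_LOG='10.0.0.1 - - [16/May/2007:16:20:01 -0400] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
10.0.0.2 - - [16/May/2007:16:20:05 -0400] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2"
10.0.0.3 - - [16/May/2007:16:20:09 -0400] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
10.0.0.4 - - [16/May/2007:16:21:00 -0400] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
10.0.0.5 - - [16/May/2007:16:21:30 -0400] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.0.12) Gecko/20070508 Firefox/1.5.0.12"'

# firefox_version_counts: read log lines on stdin, print "count version"
# per Firefox version, most common first. Non-Firefox lines are ignored.
firefox_version_counts() {
    grep -o 'Firefox/[0-9.]*' | sed 's#Firefox/##' \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# outdated_firefox_hits: read log lines on stdin, print the number of
# requests whose reported Firefox version is older than $1. Versions are
# compared field by field (2.0.0.10 is newer than 2.0.0.3), not as strings.
outdated_firefox_hits() {
    grep -o 'Firefox/[0-9.]*' | sed 's#Firefox/##' | awk -v cur="$1" '
        function older(a, b,   x, y, i) {
            split(a, x, "."); split(b, y, ".")
            for (i = 1; i <= 4; i++) {
                if ((x[i] + 0) < (y[i] + 0)) return 1
                if ((x[i] + 0) > (y[i] + 0)) return 0
            }
            return 0
        }
        older($0, cur) { hits++ }
        END { print hits + 0 }'
}

# Demo run on the constructed sample: version tally, then outdated count
# against 2.0.0.3 (assumed current release for this example).
printf '%s\n' "$SAMPLE_LOG" | firefox_version_counts
printf '%s\n' "$SAMPLE_LOG" | outdated_firefox_hits 2.0.0.3
```

On a real server you would replace the sample with `cat /var/log/apache2/access.log | firefox_version_counts`; the same two functions work for any browser whose User-Agent carries a `Name/version` token if you change the pattern in the `grep`.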

I'll suggest another potential cause for why the IE instances are not as current. For Firefox 2, there have been, what, 3 updates? Not real hard to be current. How many updates for IE6? 30? 40? 50? Pretty easy to not be current, even if some of those are actually cumulative updates...

In any case, interesting info, thanks!

Posted by: scottr | May 16, 2007 9:37 PM | Report abuse

"Hmmm. Can't test via Secunia's software inspector because it requires Java, which is on my software blacklist."

same problem here :)

Posted by: bsd | May 16, 2007 10:10 PM | Report abuse

I turned on Java to run the scan. It found several old unpatched copies of Sun Java along with the acceptable latest version. How do I (and may I safely) delete those older versions? The same question for Adobe Flash and Adobe Reader 5. May I safely remove those older programs?

Is there a webpage with step by step directions?

How frustrating that the auto updates for those programs did not clean up.

Posted by: Rosie Win | May 16, 2007 10:54 PM | Report abuse

@Rosie Win

Ah, you've hit some pain points of why I refuse to use Java, or Adobe Reader. Anyway, these should point you in the right direction:

Can I remove older versions of the JRE after installing a newer version?

How to uninstall the Adobe Flash Player

And regarding Adobe Reader, I recommend a lightweight replacement called Foxit Reader instead. Test it out, if you like it, uninstall all versions of the bloated Adobe Reader.

Posted by: TJ | May 17, 2007 12:26 AM | Report abuse

I hesitate to update QuickTime because it throws icons all over my desktop despite my previous settings.

Posted by: JL | May 17, 2007 1:06 AM | Report abuse

On my Vista system with Data Execution Prevention enabled I found Secunia's Software Inspector caused an exception. I never think it is a good idea to lower protection just to get something (possibly poorly designed) to run.

Posted by: Steve | May 17, 2007 1:22 AM | Report abuse

How many Firefox 1.5 users are there in the sample? It's easy to say that Firefox2 is up to date, haha, but that's not the same as saying Firefox users are all up to date.

Posted by: Adam | May 17, 2007 1:41 AM | Report abuse

@ Steve:

All time statistics (recommended) as at time of writing this comment:

Firefox 1.x = 38.33% insecure
Firefox 2.x = 5.06% insecure

IE6 = 10.01% insecure
IE7 = 5.85% insecure

Opera 7 = 90.94% insecure
Opera 8 = 98.91% insecure
Opera 9 = 12.12% insecure

Posted by: Sam Spade | May 17, 2007 6:25 AM | Report abuse

Disabling Java on your PC is just silly. You'd be far more secure disabling Windows altogether. That said, I believe the Opera figures could be affected by people who download it out of curiosity, use it a little bit, then go back to using whatever other browser they prefer. I know that was my reaction, I went back to Firefox on Windows, Safari on Mac.

Posted by: Babo | May 17, 2007 6:29 AM | Report abuse

I ran the test and all but one of the installed applications on my machine are fully patched.

Older versions of Flash still installed were the only ones that were unpatched. I think I'll uninstall all of the Flash versions I have and download the latest (v.9).

Posted by: Security Fix reader | May 17, 2007 11:43 AM | Report abuse

When BK (or someone) mentioned Secunia a few months ago, I used it on all our machines here. Yeah, I also did not have Java installed, but I do now. I've never been a big Windows fan, so most of the players and flash versions that were outdated I had simply never used.

It would really be nice once a company realizes it needs a security patch, or a whole new version, to simply remove the old version as part of the update process. I mean, how secure are we once we get the patch or upgrade but the older, problematic version still remains?

I think Secunia is a good tool to use occasionally cause you never know what Windows is doing, or downloading, or processing, or...

Posted by: umm.huh | May 17, 2007 1:33 PM | Report abuse

@ TJ

Thanks for the links. I have installed Foxit Reader and so far so good. I'll give it a week and then probably uninstall Adobe.

Posted by: Rosie Win | May 17, 2007 1:50 PM | Report abuse

My Quicktime and Flashplayer flunked the test. Otherwise my browsers were fine. For those who don't use Java I would like to suggest the NoScript plugin for Firefox. It disables Java for all websites unless you select otherwise. You can pick permanent for one-time use. You can even partially enable for a particular page.

Posted by: Mal | May 17, 2007 5:04 PM | Report abuse

Instead of using QuickTime and Real Player, try QuickTime Alternative and Real Alternative. Those have a lot less circusware and all the same functionality.

Posted by: Matt | May 18, 2007 10:40 AM | Report abuse

Brian -- can you compare the scores for Security Fix blog readers to the scores for Washington Post on-line (i.e. homepage) readers? The question I have about the statistics for the blog or for Secunia is the degree that (presumably) security-conscious folks differ from the broader population. Presumably you'd have to have some interest in computer security in the first place to visit their site or this blog. How representative are these of the internet population? What does the non-security blog reading world look like? Thanks.

Posted by: Towson | May 18, 2007 5:07 PM | Report abuse

Secunia prompted an instant update of my Java, then showed three flash players outdated and insecure.
When I went on to update at the recommended site through Secunia's link, there was an even newer version than they had recommended, all to the good, tnx.
Surprisingly, the new flash player eliminated all the old, insecure ones.
Not surprisingly, I had to manually remove the older Java program.
Have re-bookmarked the Secunia site.

Posted by: dijit44 | May 19, 2007 12:37 PM | Report abuse

Secunia indicated that an insecure Macromedia Flash Player was installed. However, from the "Control Panel / Add or Remove Programs" menu, no flash player was installed. But binaries for a Flash Player were still in the System32 folder. Can a web page still execute a Flash Player even if it is not listed under the installed programs? As far as I know, the Firefox browser doesn't find the Flash Player binary, but is there another way for a web page to access the old binary?

Posted by: Michael | May 30, 2007 6:48 PM | Report abuse


© 2010 The Washington Post Company