
Safari, Opera Users Lag Behind in Security Updates

Users of the Google Chrome and Mozilla Firefox Web browsers are far more likely to be cruising the Web with the latest, most secure versions of the browsers than users of either Opera or Safari, a study released today found.

The analysis, from researchers at Google Switzerland and the Swiss Federal Institute of Technology, pored through anonymized logs from Google's Web servers. The results were somewhat unsurprising, but still interesting: 97 percent of Chrome users were browsing with the latest version within 21 days of that version's release date.


By comparison, 85 percent of Firefox users were surfing with the latest version within three weeks of a major new release (this is a marginal improvement over the results from a similar study released last summer, which showed roughly 83 percent of Firefox users browsing with the latest version).

The study's conclusion extols the virtues of auto-update features, functionality that is built into both Chrome and Firefox, albeit in different ways. Chrome's auto-update feature can't be disabled; the browser checks for updates every five hours; and any available updates are automatically and silently installed. Firefox checks for new updates whenever the browser is started; installs updates automatically; and requires a restart for the fixes to take effect.

The study found just 53 percent of Apple Safari 3.x users had the latest version installed 21 days after its release. Apple releases patches for Safari through the Software Update feature in OS X, which checks for updates daily, weekly, or monthly, depending on the setting chosen by the user.

Only 24 percent of Opera users were browsing with the latest version three weeks after a new release, the researchers found. Opera's update mechanism has long been the most laborious of the browsers, requiring users to download a new installer program from the Opera Web site with each new version.

The study didn't attempt to measure the update frequency of Microsoft Internet Explorer users. But, a new report from Forrester Research indicates that among corporate users, IE6 is the browser of choice. Forrester found that 78 percent of businesses still use IE as the default browser, with a whopping 60 percent still using IE6.

Google may have the most protected browser users, but the company still only has about a 2 percent market share among business users, Forrester found (that number is almost certainly higher among end users).

Finally, if Chrome silently auto-updates itself, why aren't 100 percent of Chrome users browsing with the latest version? The study notes that Chrome updates only kick in after the user has restarted the browser, and there is no prompt that reminds the user to restart the program.

"Apparently, a significant population share does not restart their browser within three weeks of a new release." Read-only installs of Chrome -- such as those installed in Internet cafes or libraries -- could also explain why some Chrome users don't update, the researchers speculated.

A copy of the study is available at this link here.

By Brian Krebs  |  May 5, 2009; 4:31 PM ET
Categories:  New Patches , Safety Tips  | Tags: apple safari, google chrome, mozilla firefox, opera  


Will Chrome auto-update if I'm using it on a limited account?

Posted by: CynicalSteve | May 5, 2009 5:40 PM

"a new report from Forrester Research indicates that among corporate users, IE6 is the browser of choice. "

More like the browser of "forced to use"!

I'd rather run Firefox at work, but it's frowned upon by the LAN gnomes who extol the virtues of IE6 and the developers of our internal systems that use development tools to create internal applications that only work with IE6.

Posted by: Annorax | May 6, 2009 9:28 AM

We too have one corporate Web app which will run only on IE6 (not even IE7). When extended support for IE6 ends next summer, I suspect that they will be forced to rewrite it. It is a medical record charting app, which is not a good type of app to be without security updates. If there were a relatively painless way to back-install IE6, I might test it with IE8's compatibility mode; but I also figure that is their job, not mine.

Fortunately, I have the freedom to use Firefox and SeaMonkey for browsers at work when I don’t need to use the corporate apps or Microsoft ActiveX sites such as My MSN. Our firewall generally shuts off the update notifiers for Mozilla, but I usually get a reminder to do it manually at work when they launch at home.

I need to get around to trying Chrome and, when it is RTM, Safari 4. Since it is still in beta, I think it is a disservice from Apple to make users go snooping around for the production version of Safari 3 on their website.

Posted by: 54Stratocaster | May 6, 2009 3:27 PM

If I may be so bold, a simple browser security evaluation was done in 2005 here:

The reason I bring this up is that this evaluation showed that, yes, Opera has less updates, but also that Opera has less vulnerabilities than either IE or Firefox -- by a long shot.

It would be interesting to find out if this is still the case...

Posted by: lachelp | May 6, 2009 3:30 PM


The point of the study is not which browsers need more updates, but how many users are running the latest updated version 21 days after its release - in other words how much work does the software put on the end user to find out about and run the latest browser version.

Posted by: prairie_sailor | May 7, 2009 5:46 PM

Speaking of Chrome, which I use for Gmail, about a minute or two after being fired up it begins grinding away for what I think is a fairly long time. Process Explorer shows three Google Chrome processes active. This goes on far longer than needed for just an update check, and updates usually are not done. Sometimes Secunia PSI says that Google Gears has been updated but not always. Does anyone know what Google is up to here?

Posted by: Bartolo1 | May 8, 2009 11:41 AM

The comments to this entry are closed.


© 2010 The Washington Post Company