Comments on: Study: Firefox patched quickest, IE a laggard

By: Adam

Adam — Thu, 03 Jul 2008 13:54:31 +0000

Excuse me. I meant to say “downloads and runs a trojan horse”

By: Adam

Adam — Thu, 03 Jul 2008 13:49:06 +0000

Having read the paper, I’m less impressed, although perhaps I’ll be accused of bias here, since my employer ships a web browser. Speaking for me, I’m unimpressed for two main reasons:
1) they assume that all browser insecurity is not patching. A user who browses carefully and with no script (pithhelmet, noscript, ie7pro) may not need the latest browser. In contrast, one with the latest browser who downloads and runs things is toast. Any browser, any platform.
2) They suggest a set of UI changes which are not tested or threat modeled. There are routinely attacks which show that users ignore browser chrome. If, as they suggest, web pages start telling you you’re out of date, then we train users to expect a ~~lock~~ update message in the body of pages.

By: Dan Weber

Dan Weber — Wed, 02 Jul 2008 14:08:04 +0000

auto-update of browsers seems to be a win

Firefox doesn’t auto-update between major versions. I was running a 1.5 install until recently (because it’s nice to have old browsers for web development work).
I’ve got another computer running Firefox 2 that hasn’t auto-updated to FF3, and probably never will until I do it manually.

By: Chris

Chris — Tue, 01 Jul 2008 12:29:40 +0000

A very fair point, Rob.
The Secunia “correction factor” is inelegant at best. However, w.r.t. patch latency it is cool to see some hard data on how rapidly updates are applied under different patching regimes, and the inclusion of usability suggestions is also welcome thing.

By: Robert Hensing

Robert Hensing — Tue, 01 Jul 2008 11:43:57 +0000

I question the statistical validity of using one data set to compare Opera / FireFox / Safari and another data set to compare IE. If you read the fine print – the Google logs were only used for Opera / FireFox / Safari because IE doesn’t report minor version information in the user-agent. So to compensate for that huge setback the authors used the Secunia software inspector statistics – which is a completely different and much smaller data set. It is also important to note that Mozilla stops releasing security updates for their previous major version of a product ~6 months after general availability of their current version whereas Microsoft still supports IE 5.x and 6.x with security updates making upgrading to the latest major version much less of a concern (from a security POV) for IE users. My blog here covers these points: http://blogs.technet.com/robert_hensing/archive/2008/07/01/vulnerable-web-browser-study-full-of-fail.aspx