Bulk of browsers found to be at risk of attack
About 80% of browsers and their plug-ins need updating, says researcher
Computerworld - About eight out of every 10 Web browsers run by consumers are vulnerable to attack by exploits of already-patched bugs, a security expert said today.
The poor state of browser patching stunned Wolfgang Kandek, chief technology officer at security risk and compliance management provider Qualys, which presented data from the company's free BrowserCheck service Wednesday at the RSA Conference in San Francisco.
"I really thought it would be lower," said Kandek of the nearly 80% of browsers that lacked one or more patches.
BrowserCheck scans Windows, Mac and Linux machines for vulnerable browsers, as well as up to 18 browser plug-ins, including Adobe's Flash and Reader, Oracle's Java and Microsoft's Silverlight and Windows Media Player.
When browsers and their plug-ins are tabulated together, between 90% and 65% of all consumer systems scanned with BrowserCheck since June 2010 reported at least one out-of-date component, depending on the month. In January 2011, about 80% of the machines were vulnerable.
Even worse, about 30% of browser plug-ins are perpetually unpatched, a rate triple that of Windows. Qualys' data has shown that, on average, about 10% of all PCs never receive Microsoft's patches.
When plug-ins were excluded, browsers fared better: Only about 25% of the scanned machines had an unpatched browser on board last month.
Kandek read those results as proof that browser updates were applied more regularly by users. "The lower percentage shows that updating works pretty well for [browsers]," he said.
Unlike most plug-ins, browsers either silently self-update -- as does Google's Chrome -- or automatically check for new patches, a practice of Microsoft's Internet Explorer and Mozilla's Firefox.
The most likely plug-in to require a patch is Oracle's Java, which was outdated on more than 40% of the scanned systems. Adobe's Reader was second, with about 32% of the computers reporting a vulnerable version. Apple's QuickTime took third, with less than 25%.
Java was also in the top spot last year when Qualys unveiled statistics from BrowserCheck's first three months of operation.
"I bet that most people don't even know that they have Java, or how it installs," said Kandek. "Exploit writers have recognized that and have been adding Java exploits in their toolkits."
Although Oracle usually releases Java updates quarterly, last week it rushed out an emergency patch to quash a critical bug.
Kandek said he sees two potential solutions.
"A single updater would be the right thing [to have]," he said, referring to calls he has made before that Microsoft take responsibility for patching important third-party plug-ins.
"All the different patching mechanisms are confusing -- a bit of this and some of that," Kandek added, arguing that that is one reason why so many plug-ins go unpatched.
A second answer may come with the newest round of browsers -- such as Firefox 4, IE9 and Chrome -- that support HTML5, the Web standard that can handle the audio and video processing now done by many of the most popular plug-ins, including Flash, QuickTime and Windows Media Player.
"Moving more functionality into the browsers with HTML5 would help, because then you don't need those plug-ins," Kandek said.
He also applauded Google for updating Flash alongside Chrome, and for integrating a bare-bones HTML-based PDF viewer into its browser -- moves rivals have not mimicked.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
RSA Security Conference
- RSA: Act now on cyberwar, security experts caution
- Bulk of browsers found to be at risk of attack
- Attack mitigation tools fall short, security vendors say
- Hacked and now vandalized, HBGary pulls out of RSA
- Microsoft has a change of heart on how to keep Internet safe
- Virtualization can be key to cloud security, RSA chief says
- Tablets, smartphones force Cisco to rethink security
- iPhone security, IP route hijack prevention on tap at RSA
- RSA 2011: Cloud security challenges dominate
Read more about Desktop Apps in Computerworld's Desktop Apps Topic Center.
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Gartner Magic Quadrant for Client Management Tools The client management tool market is maturing and evolving to adapt to consumerization, desktop virtualization, and an ongoing need to improve efficiency.
- Logicalis eBook: SAP HANA: The Need for Speed Without timely business insights, organizations today can suffer logistical, manufacturing, and even financial disaster in a matter of minutes
- Neustar 2014 DDoS Attacks and Impact Report For the third consecutive year, Neustar surveyed hundreds of companies on distributed denial of service (DDoS) attacks. The survey reveals evidence that the...
- Acxiom Case Study This case study, which focuses on Acxiom, explores how the company was able to secure employee data, reduce migration costs and boost productivity...
- Top 4 Digital Signage Fails Join RMG Networks for a look at four of the most common reasons digital signage fails in corporate businesses. Learn about strategies to...
- Building Tomorrow's Infrastructure Listen to this podcast to discover how Crider Foods worked with PC Connection to update their IT infrastructure, while maintaining compliance and control. All Desktop Apps White Papers | Webcasts