A study from the Swiss Federal Institute of Technology, Google and IBM says more than 600 million Internet browsers were at risk this year.

“Insecure Web browsers are of course a critical security problem,” the report noted. “But vulnerable plug-ins that are accessible (and exploitable) through the Web browser extend the ‘insecurity iceberg’ and form the part hidden below the water surface.”

The report says browsers need to have auto-update mechanisms that are enabled by default and that cause minimal disruption to users. Though Microsoft’s Windows auto-update service includes Internet Explorer, patches are released less frequently in comparison with Mozilla’s Firefox, which “can result in a lower short-term patching effectiveness,” it said.

Dave Marcus, McAfee’s director of security research and communications, thinks the report is on target about browser and plug-in vulnerabilities. But he added that Microsoft’s current method of conducting updates in a controlled manner makes better sense.

“I can certainly understand why they are recommending auto updates, but that’s always going to be problematic to enterprise environments, which have a lot of customized applications so you can theoretically break something,” Marcus said.

He also warned that malicious scripts are increasingly being embedded into hijacked Web sites.

McAfee’s technology “can actually evaluate pages and scan for those scripts to be sure they are not doing something they shouldn’t be doing,” Marcus said. “It stops the install of the script that the malware is attempting to push out.”

Though browsers now incorporate features that warn users when they access risky sites, such warnings depend on lists that must be continuously updated, Marcus noted. “There is a certain amount of truth to saying that they can only warn you about what they already know about,” he said.

According to the study, most users updated to a new version of Firefox within three days of a new release, so up to 83 percent of users had the most current and secure Firefox version. By contrast, only 47.6 percent of Internet Explorer users were using the latest version on any day during the first half of the year.

The researchers also called the single-click auto-update mechanism in Firefox the most efficient patching method for Web browsers. “Firefox’s mechanism regularly polls an online authority to verify whether a new version of the Web browser is available and typically prompts the user to update if a new version exists,” the report said.

Browser-update mechanisms also need to be “capable of alerting the user of any plug-ins currently exposed through the Web browser that have newer and more secure versions available,” it said, and here Firefox also delivers. “Firefox also checks for many of the currently installed Firefox plug-ins if they are similarly up to date, and, if not, will prompt the user to update them,” the researchers observed.

Still, one out of six Firefox users continues to surf the Web with an outdated version of the Web browser. But that is nonetheless a considerable improvement over the startling 52.4 percent of Internet Explorer users worldwide who continue to rely upon outdated versions of Microsoft’s Web browser, the report’s authors said.-News Factor Network

If you enjoyed this post, make sure you subscribe to my RSS feed