Internet Users Not Updating Browser

Jackson writes "Security researchers from ETH Zurich, Google, and IBM Internet Security Systems have shown that more than 600 million Internet users don't use the latest version of their browser. The researchers' paper, shows that as of June 2008, only 59.1 percent of Internet users worldwide use the latest major version of their preferred web browser. Suggestions have also been made to inform users that their browser is out of date."

So a better title would be..

[arkham6]

40 percent of internet users are not updating their browser.

And these same users are probably happily using windows 98 on their Pentium II's, and don't give a damn about having the most shiny, newest toy.

Maybe they *can't* upgrade

[Scutter]

Large numbers of corporate users are at the mercy of the IT department's update/upgrade schedule. In my environment, there are a large number of applications that will break if IE7 is installed, and the schedule to update and test those dependencies is lengthy.

Furthermore, we've spent so much time training users to ignore messages that say "Your $FOO is out of date! Click here to install the latest version because it's almost always malware, and now you want to turn around and do the exact opposite?

Re:Maybe they *can't* upgrade

I second that.

I work as a developer for a fairly large industrial company and we're mainly using Microsoft products. We have a lot of in house developed software to support the manufacturing process (post processors, automated bits for CAD/CAM systems etc). Being one of the developers in the company, I get to update and test new versions of IE and windows before being rolled out to the thousands of regular users.

Almost every time a new windows patch or IE version hits the street, some of our applications break, and quite a lot of these applications are essential to our business, and I'm not talking about essential to the guys sitting in the offices doing powerpoints all day. I'm talking about applications generating the data used to actually manufacture the products we sell.

The cost of testing and maintaining software has been rising steadily. The problem is that software creators rather see us footing the cost than making software that isn't fundamentally flawed from a security point of view.

-- Lars

Re:Maybe they *can't* upgrade

[Scutter]

Wait, your server is so bad that is crashes when it's accessed by Firefox?! And you're blaming FIREFOX for that?!!

Re:Maybe they *can't* upgrade

[gad_zuki!]

No thats the failing of an admin too. A lot of this stuff can be traced with filemon and other tools. Then just update GPO to give them whatever rights they need. Then bug your vendor so they sell you software that fits your security model.

Firefox vs. IE

[Puls4r]

Firefox already automatically updates.

If you have automatic updates turned on in Windows, they automatically update as well.

However, most people I know turn off automatic updates because it can be so obnoxious. Many folks also disable the BITS service because of the process overhead it chews up.

It's the difference between being a virtually seamless integration (like Firefox) or an overly-obtrusive integration that eats up system resources.

For instance - firefox tells you when you go to close the program that there are updates ready. Microsoft pops a little icon that #1 interrupts what you are doing #2 may very well crash the machine or lock it up if it happens while you're playing a game, etc. Remember that letter Gates sent about usability? It's the key in this case, I think.

I also wonder if this took business users into account - I can't update because my IT department won't let me. I doubt that would be different if we were using Firefox or Opera rather than IE.

Only 59.1%?

[4D6963]

Only 59.1% of users are up-to-date? I guess the submitter is the kind who sees the glass 40.9% empty.

No point in updating IE6

[Blindman]

In the case of Internet Explorer 7, there are reasons not to upgrade to it over version 6. I use IE6 only for the websites that don't work properly in Firefox and I am not interested in the additional integration that IE7 provides. A person concerned with security wouldn't use an integrated browser in the first place.

By the way, Microsoft does remind me that IE6 is out of date every chance that it gets.

Re:No point in updating IE6

[ErikZ]

Please, for the love of all that's holy, upgrade to IE7.

Once IE6 installations get down below a certain point, we won't have to spend crazy amounts of time rewriting web pages so they *also* work in IE6.

Any idea...

[cvd6262]

How many FF2 users just hate "AwsomeBar"?

Last I checked, FF2 security updates were still being pushed automatically, so what's the big deal about using 2.x over 3.0?

Re:Any idea...

[spyrochaete]

I love the Awesome Bar. I'll often want to visit a site I saw the other day but all I can remember is part of one word of the site title. That's all I need in FF3 - I just type in the partial name and the correct site is usually the top result. Now, instead of clicking my bookmarks, I just type one or two letters in the address bar and if the intended site isn't the top result this time it will be next time.

Awesome Bar was a feature I wasn't even aware of until FF3 went gold, but it was as appreciated and innovative as it was unexpected. Words are for people, DNS names are for computers.

Browsers at work

[rdev]

What about your browsers that are provided by your IT department of your company?

I work in pretty large company and our IT dept. have disabled auto-updates from XP, Firefox and so on. Then they push updates to users when needed.

Above works fine in my company, but what about those companies with similar policies and non-existing or incompetent IT department? Browsing tubes all day long with old versions.

Do they count IE 6.latest or FoxPro 2.latest?

[davidwr]

If they say "IE 6.latest" or "Foxpro 2.latest" doesn't count as "latest" and those versions have no known unpatched vulnerabilities not shared by IE 7.latest or Foxpro 3.latest then they aren't counting properly.

There are good reasons not to do a major version upgrade the first few months it is out, but a prerequisite is that your existing browser continue to get security patches.

Re:Do they count IE 6.latest or FoxPro 2.latest?

[Waffle+Iron]

If they say "IE 6.latest" or "Foxpro 2.latest" doesn't count as "latest" and those versions have no known unpatched vulnerabilities not shared by IE 7.latest or Foxpro 3.latest then they aren't counting properly.

I agree. dBASE III works just fine for me, and I see no reason to update to dBASE IV when Ashton Tate currently provides the same level of support for both.

Re:What do you expect?

[Otter]

Fortunately for us, people like you are willing to deal with your house exploding while the rest of us use candles for a few months more while the bugs in gas lighting are being sorted out. Having the latest 1337 illumination technology is more important to you than it is to us, so it's a win-win situation.

no Firefox-3.x

[FudRucker]

how I use web browsers is:

Firefox-2.0.0.16 with NoScript and without any plugins - for general purpose web browsing...

Seamonkey-1.1.11 with all the plugins, flash, java & mplayerplug-in - used only at trusted websites and only when there is media I want to see (used rarely) and Seamonkey for email too (I dont like thunderbird enough to use it)...

I don't really like Firefox-3.x because of the way it is being developed which is starting to look like feature creep is going to bloat it up, I would like to see it forked and have the fat trimmed off of it more, make it like dillo only better, if I was a clever code monkey genius I would grab the source for Firefox-3.x and fork it myself and trim it down to something like Firefox-1.x or 2.x (or a little leaner)...

Re:How many are IE6?

[thatskinnyguy]

Even if you do not explicitly use Internet Explorer for browsing, you should upgrade it as it is a core part of the Windows Kernel.

That is another part about IE that I have issues with. Why make a web browser part of the OS? It makes very little sense. It should, at most, be a bloated application that I could uninstall at whim. But no! It has to totally screw with everything else. As it is now, I specify Firefox as the default browser and disable access to IE. It doesn't matter which version of IE, I'm still not using it.

Not that I recommend Norton products, still...

Thanks to a run-in with their overly-aggressive virus scanning process (that can't be turned off) I no longer use Norton home products. Their corporate/enterprise software that I use at work is waaaaaay better.

If it works?

[rotide]

For most "grandmothers" and other non-technically inclined users, why upgrade? Heck, I'd wager most don't even know there is an update, or that you should be updating. Only those that know the technology and the potential risks will care to keep things up to date. And even then, I rarely update, but then again, I routinely format my windows boxes due to all the other issues that come up.

Conclusions? The (not actually) hidden message?

[paradeiser]

So people don't really care so much about all those new features that make the new generation browser deliver the best internet browsing experience ever. Does this tell us something about product management? Software development?

I am not going to upgrade to Fire Fox 3

[diskofish]

Seems like when a new Fire Fox browser gets "released" there are still some rather annoying bugs. I usually wait about six months for the main bugs to be worked out before I upgrade.

Upgrades are not free

[Estragon]

Users with broadband connections are under the misimpression that upgrades are free and that everyone should do them. Some of us are still stuck in dialup hell, and downloading an upgrade costs a lot of time. And besides, the old software is perfectly adequate.

Opera users have upgraded, then reverted to 9.27

[QuietLagoon]

Opera 9.51 (and the 9.52 beta) just does not work well enough for every day use. If you read the Opera news groups, you will see that Opera users are reverting to 9.27.

Re:How many of those users CAN upgrade?

[Minwee]

Exactly. FF2 is still current, and is still preferable to FF3 in some cases. I could argue that anyone not running a nightly build from CVS isn't running the newest/latest, but that would just be silly.

Firefox 2.0 is just as current as 3.0, and will be until the end of this year. Anyone who says differently is selling something.

Update? Really?

Most people simply don't care.

I am quite sick of having $FOO need updated, upgraded, renewed and/or replaced because it is no longer supported.

The "browser" should not *have* to be replaced for relatively _long_ periods. Security and Critical (and I mean this in the tightest of interpretations) should be invisible, seamless, and automatic by default, something like some browsers have already. Further, a feature upgrade channel should be defined and configurable that would again be user configurable.

Bottom line, browsers are being pushed out too often. Most people just want it to work, period, and any upgrades updates features plug-ins etc etc etc are more a hassle than anything else.

One more thing; resources.
The browser (when using less than an average multi-task load of 4-6 windows or 4-6 tabs) should not use excessive system resources. Excessive is more than 10-14%, based again on 4-6 items running and not exceeding this limitation.

Re:How many of those users CAN upgrade?

[mixmatch]

The largest operating system security problem is lack of separation between the ordinary user and administrator account. Linux has had that for a considerable time, which explains the low quantity of malware attacks. "Meager market share" does not explain this phenomenon because Linux is strong in the server market, making it more lucrative to exploit because of increased computing power, bandwidth and sensitive client/business information.

Re:How many of those users CAN upgrade?

Am I missing something or why couldn't this be done with virtual machines instead of relying on fundamentally broken and unsupported software?

Re:Why *should* people update?

[the_other_chewey]

...and when Firefox 5 is out, people will say the same about Firefox 3 users. "OMG security vulnerabilities have fun browsing on your sieve."
People said the same thing about 1 vs 1.5 as well. You HAVE to upgrade to 1.5 because it's the secure version and it doesn't have all those security holes.
What's the difference?

Is that a serious question?
Did you look at the links I gave?

Time is the difference. Those lists list known vulnerabilities. They are in those versions of Firefox, and some are actively exploited by malicious websites, right now.
Those lists get longer with time due to exposure of the software to a curious public. I can guarantee you that a lot of the unknown vulnerabilities in Firefox 3 will have become
very well known ones by the time Firefox 5 will be out.

That's what emulators are for.

[tepples]

Someone whose business applications only run on Windows 95/98 or ME

...can run existing Windows 95/98 or ME licenses in a virtual machine.

Re:How many of those users CAN upgrade?

[Fujisawa+Sensei]

While Firefox 3 chose to abandon Windows 95 compatibility, Firefox 2 is still being patched and maintained. Unlike the IE6 users of Windows 95, who no longer get MS patches.

If you're running an OS thats 13 years old, you have much bigger issues than running the latest web browser.

Join the TNAA!!!

Do you hate twitter? Do you loath Slashdot? Are you a total fuckwad? Then join the Twitter Negation Association of America (TNAA) and help ruin Slashdot. How does it work? Easy:

• Accuse everone of being twitter. Did they say "M$" or "Windoze"? It's gotta be twitter.
• Sign up lots of accounts to accuse twitter of the same. Hypocrisy? No, Genius! Be sure to mod up anything derogatory and genreally midless.
• Be an ass. This should come naturally.

The point is to increase noise to signal ratios. Join today!