Slashdot Mirror


80% of Browsers Found To Be At Risk of Attack

CWmike writes "About eight out of every 10 Web browsers run by consumers are vulnerable to attack by exploits of already-patched bugs, a security expert said Thursday. The poor state of browser patching stunned Wolfgang Kandek, CTO of Qualys, which presented data from the company's free BrowserCheck service Wednesday at RSA. 'I really thought it would be lower,' Kandek said. BrowserCheck scans Windows, Mac and Linux machines for vulnerable browsers, as well as up to 18 browser plug-ins, from Adobe's Flash to Windows Media Player. When browsers and plug-ins are tabulated together, between 90% and 65% of all consumer systems scanned with BrowserCheck since June 2010 reported at least one out-of-date component. In January 2011, about 80% of the machines were vulnerable. The most likely plug-in to require a patch: same as last year, Oracle's Java."

16 of 196 comments

  1. Slashvertisement by suso · · Score: 4, Insightful

    Not getting enough hits? Slashvertisement can work for your company too. Call today!

    1. Re:Slashvertisement by tgeller · · Score: 5, Informative

      That's exactly what I thought. "Company A announced Company A's findings using Company A's nifty new tool. Try Company A's tool for yourself!" There may be valuable information here. Without independent third-party review, we don't know.

      --
      Tom Geller
  2. I would have thought this closer to 100% by mswhippingboy · · Score: 3, Insightful

    Since new exploits are identified each day.

    --
    Sometimes the light at the end of the tunnel is the headlight of an oncoming train.
    1. Re:I would have thought this closer to 100% by SudoGhost · · Score: 4, Insightful

      I would have thought it closer to 100% since about 100% of browsers are used by people, which are the biggest security flaws in any system.

    2. Re:I would have thought this closer to 100% by Kenja · · Score: 3, Funny

      Lynx is still pretty safe!

      --
      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    3. Re:I would have thought this closer to 100% by Skarecrow77 · · Score: 4, Informative

      My wife has a shirt that says "Social engineering" on the front, and on the back it says "Because there is no patch for human stupidity".

      My wife is awesome.

    4. Re:I would have thought this closer to 100% by VGPowerlord · · Score: 3, Funny

      I'm one of those who doesn't do updates. Mainly because I've read too many horror stories of updates making computers unbootable, or breaking the software, or whatever.

      Instead I wait a month-or-so until I'm sure there's no negative outcomes being reported by the press.

      I wasn't aware that the Commodore 64 had updates.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
  3. Isn't that? by Wolvenhaven · · Score: 4, Funny

    The exact percentage of IE marketshare?

    --
    Orwell was an optimist.
  4. Uhmm NO by Monty845 · · Score: 4, Informative

    So first I needed to enable javascript for the site. Now it wants me to allow some random website to install a plugin so that it can tell me if my security is up to date... yeah if it can't detect a security vulnerability without me going through a bunch of hoops and ALLOWING it to install on my system, I'm going with the whole thing is BS.

  5. Self-selecting for failure by RobertB-DC · · Score: 3, Interesting

    So eight out of 10 browsers running the test failed it? That's not terribly surprising, since I have to install a plugin to run the test.

    I don't know Qualys from Quantas, so I'm highly unlikely to install their plugin just to find out whether my browser has vulnerabilities. In fact, I'm not terribly likely to install any plugins at all (though I'm enjoying Ghostery immensely).

    Now, let's assume for a moment that I'm the type to install any plugin that asks nicely and looks shiny. Gee, is it any surprise that Qualys' plugin isn't the first one I've accepted? And is it any surprise that I've got other issues?

    This test suffers from a terrible self-selection bias. Those most likely to take the "test" are the ones most likely to fail it.

    --
    Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
  6. Updating Java by Anonymous Coward · · Score: 5, Insightful

    Perhaps people would be more keen to update their Java version if the installer didn't keep trying to spring a surprise 'Install Yahoo! Toolbar' move on them on EVERY patch.

  7. Java, obvious by Bobfrankly1 · · Score: 3, Insightful

    "The most likely plug-in to require a patch: same as last year, Oracle's Java."

    Of course, this has nothing to do with the fact that new versions of Java tend to break existing Java-based applications and utilities. You can use the new version of Java, or you can use the older one that works with your mission critical enterprise tools.

    1. Re:Java, obvious by mswhippingboy · · Score: 4, Interesting

      While I don't doubt the sincerity of your post, I certainly have had a different experience. I've been working with Java in large enterprise settings for over 15 years, with hundreds of stand-alone and web applications and I can't think of a single instance where upgrading to a newer version of Java caused an existing application to break. I know of one recent upgrade that broke Eclipse, but it was quickly regressed and the problem was really in Eclipse, not Java.

      I guess I've just been lucky.

      --
      Sometimes the light at the end of the tunnel is the headlight of an oncoming train.
  8. Re:Plug-ins Bad. Here's ours by bunratty · · Score: 5, Informative

    You can use Mozilla's Plugin Check. No installation required.

    --
    What a fool believes, he sees, no wise man has the power to reason away.
  9. Not even remotely surprised by jimicus · · Score: 3, Insightful

    I've been saying this for some time: Windows (and to a lesser extent OS X) needs an API so updates are centralised, configured and installed from a single interface.

    OS X has the app store. Linux distributions have repositories. Both of these solve this problem very neatly, and it's a lot easier to keep everything up to date. But I don't think centralised distribution is necessary - just an API call so you can say to the operating system "this is the name of the application, this is an RSS feed where updates are published, this is the key with which updates will be signed, this is how frequently you should check for updates" would probably solve most of the problems.

    The mess we have right now is the reason why there is always something on a PC that needs updating.
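
    The registration-plus-signed-feed design jimicus sketches above, written out as an added example (not the commenter's code, and not any real OS or vendor update API). An application registers its name, feed URL, signing key and poll interval once; the OS side then parses the feed, verifies every entry under the key pinned at registration, refuses rollbacks, and checks the downloaded package against the hash the signature covered. The RSS-shaped feed layout, the canonical signed string, the monotonic serial field, Ed25519 as the signature scheme and all names and URLs are assumptions made for this example; the feed is constructed inline rather than fetched.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/xml"
	"fmt"
	"strconv"
	"strings"
)

// UpdateRegistration is what an application would hand the OS once, at install time
// (a hypothetical API). The key is pinned here and is never read from the feed.
type UpdateRegistration struct {
	AppName, FeedURL, CheckInterval string // FeedURL and CheckInterval are only recorded here
	PublicKey                       ed25519.PublicKey
}

// Feed is the assumed wire format: RSS-shaped XML whose <item>s carry a display
// version, a monotonically increasing serial, the SHA-256 of the package, its URL
// and a base64 Ed25519 signature over "app|serial|version|sha256|url".
type Feed struct {
	XMLName xml.Name `xml:"rss"`
	Items   []Item   `xml:"channel>item"`
}

type Item struct {
	Serial    int    `xml:"serial"`
	Version   string `xml:"version"`
	SHA256    string `xml:"sha256"`
	URL       string `xml:"url"`
	Signature string `xml:"signature"`
}

func signedPayload(app string, it Item) []byte {
	return []byte(strings.Join([]string{app, strconv.Itoa(it.Serial), it.Version, it.SHA256, it.URL}, "|"))
}

// SignItem is the vendor side: every entry is signed with the vendor's private key.
func SignItem(priv ed25519.PrivateKey, app string, it Item) Item {
	it.Signature = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, signedPayload(app, it)))
	return it
}

func MarshalFeed(items []Item) []byte {
	out, _ := xml.Marshal(Feed{Items: items}) // scalar fields cannot fail to marshal
	return out
}

// SelectUpdate is the OS side: drop every item whose signature does not verify
// under the pinned key, drop anything whose serial is not above the installed one
// (a genuinely signed old entry replayed as a rollback), return the highest survivor.
func SelectUpdate(reg UpdateRegistration, feedXML []byte, installedSerial int) (*Item, error) {
	var f Feed
	if err := xml.Unmarshal(feedXML, &f); err != nil {
		return nil, fmt.Errorf("feed parse: %w", err)
	}
	var best *Item
	for i := range f.Items {
		it := &f.Items[i]
		sig, err := base64.StdEncoding.DecodeString(it.Signature)
		if err != nil || !ed25519.Verify(reg.PublicKey, signedPayload(reg.AppName, *it), sig) {
			continue // unsigned, signed by someone else, or altered in transit
		}
		if it.Serial <= installedSerial {
			continue // rollback or already installed
		}
		if best == nil || it.Serial > best.Serial {
			best = it
		}
	}
	return best, nil // nil means nothing to do
}

// VerifyPackage runs after download: the bytes must match the signed hash, which is what lets the URL point at any untrusted mirror.
func VerifyPackage(it Item, pkg []byte) error {
	if sum := sha256.Sum256(pkg); hex.EncodeToString(sum[:]) != it.SHA256 {
		return fmt.Errorf("package hash %x does not match signed manifest", sum)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, attacker, _ := ed25519.GenerateKey(rand.Reader)
	reg := UpdateRegistration{AppName: "demoapp", FeedURL: "https://updates.example.invalid/feed.xml", CheckInterval: "24h", PublicKey: pub}
	pkg := []byte("constructed installer bytes") // stands in for the downloaded package
	sum := sha256.Sum256(pkg)
	feed := MarshalFeed([]Item{
		SignItem(priv, reg.AppName, Item{Serial: 21, Version: "2.1", SHA256: hex.EncodeToString(sum[:]), URL: "https://mirror.example.invalid/demoapp-2.1.pkg"}),
		SignItem(attacker, reg.AppName, Item{Serial: 99, Version: "9.9", SHA256: "00", URL: "forged"}),
	})
	sel, err := SelectUpdate(reg, feed, 20)
	fmt.Println(sel.Version, err, VerifyPackage(*sel, pkg)) // 2.1 <nil> <nil>
}
```

    Three design points carry the security weight. The trust root is the key handed over at registration, so an attacker who can tamper with the feed (or its DNS or TLS) can only add entries that fail verification. The signed manifest carries the package hash, so the download itself can come from any mirror or CDN without trusting it. And the rollback check compares a monotonic serial that is inside the signed payload rather than parsing version strings, so a validly signed but old entry cannot be replayed to push a user back onto a vulnerable build, which is exactly the class of already-patched bugs the article's 80% figure is about.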

  10. Re:Java?!?!? by mswhippingboy · · Score: 3, Informative

    Java was supposed to run in its own sandbox and therefore wouldn't be a security issue according to the original SUN PR bullshit.

      This is actually true. However, when users just mindlessly click through the security dialog on unsigned applets that warns that resources outside the sandbox may be accessed, it defeats the whole sandbox protection mechanism.

    I guess it gets back to the old adage "Make it foolproof and only a fool will use it.".

    --
    Sometimes the light at the end of the tunnel is the headlight of an oncoming train.