Bulk of browsers found to be at risk of attack | Browsers & Add-Ons | Macworld
About eight out of every 10 Web browsers run by consumers are vulnerable to attack by exploits
of already-patched bugs, a security expert said today.
The poor state of browser patching stunned Wolfgang Kandek, CTO of security risk and compliance management provider Qualys, which presented data from the companyʼs free BrowserCheck service Wednesday at the RSA Conference in San Francisco
“I really thought it would be lower,” said Kandek of the nearly 80 percent of browsers that lacked one or more patches.
to 18 browser plug-ins, including Adobeʼs Flash and Reader, Oracleʼs Java and Microsoftʼs Silverlight and Windows Media Player.
When browsers and their plug-ins are tabulated together, between 90 percent and 65 percent of all consumer systems scanned with BrowserCheck since June 2010 reported at least one out-of- date component, depending on the month. In January 2011, about 80 percent of the machines were vulnerable.
Even worse, about 30 percent of browser plug-ins are perpetually unpatched, a rate triple that of Windows, where Qualysʼ data has shown that, on average, about 10 percent of all PCs never receive Microsoftʼs patches.
When plug-ins were excluded, browsers fared better: Only about 25 percent of the scanned machines had an unpatched browser on board last month.
Kandek read those results as proof that browser updates were applied more regularly by users. “The lower percentage shows that updating works pretty well for [browsers],” he said.
Unlike most plug-ins, browsers either silently self update — as does Googleʼs Chrome—or automatically check for new patches, a practice of Microsoftʼs Internet Explorer (IE) and Mozillaʼs Firefox.
The most likely plug-in to require a patch is Oracleʼs Java, which was outdated on more than 40 percent of the scanned systems. Adobeʼs Reader was second, with about 32 percent of the computers reporting a vulnerable version. Appleʼs QuickTime took third, with less than 25%.
Java was also in the top spotlast year when Qualys unveiled statistics from BrowserCheckʼs first three months of operation.
“I bet that most people donʼt even know that they have Java, or how it installs,” said Kandek. “Exploit writers have recognized that, and have been adding Java exploits in their toolkits.”
Although Oracle usually releases Java updates quarterly, last week it rushed out an emergency patch to quash a critical bug.
Kandek said he sees two solutions.
“A single updater would be the right thing [to have],” he said, referring to calls heʼs made before that Microsoft take on the responsibility for patching important third-party plug-ins.
“All the different patching mechanisms are confusing, a bit of this and some of that,” Kandek
added, arguing that that was one reason why so many plug-ins go unpatched.
A second answer may come with the newest round of browsers—such as Firefox 4, IE9 and Chrome—that support HTML5, the Web standard that can handle the audio and video processing now done by many of the most popular plug-ins, including Flash, QuickTime and Windows Media Player.
“Moving more functionality into the bowsers with HTML5 would help, because then you donʼt need those plug-ins,” Kandek said.
He also applauded Google for updating Flash alongside Chrome, and for integrating a bare- bones HTML-based PDF viewer into its browser, moves rivals have not mimicked.