Web browser study uses Google data to pinpoint security problems
Less than 60 percent of Web users are outfitted with up-to-date, fully patched browsers, according to a new, IBM co-authored research study, which relies on examinations of users' Google log records to help reach that conclusion.
Jointly produced by the Swiss Federal Institute of Technology, Google, and IBM Internet Security Services, the study places most of the blame for browser security problems on Microsoft's Internet Explorer.
A total of 52.4% of all IE users had failed to upgrade to IE7, the latest version of Microsoft's browser, according to the survey results. Moreover, merely 47.6% of IE users had all of the software upgrades and patches installed on their browsers needed for "safe" Internet surfing.
In contrast, 83.3% of Firefox users were using totally updated browsers, followed by 65.3% for Safari and 56.1% for the Opera browser.
As potential remedies for more secure browsing, the researchers suggested that all browser makers should install an auto-update feature -- already present in Firefox, for example -- and that browsers should be given expiration dates.
"The analysis presented in this paper is based on the large global user base of Google's Web search and application sites," the researchers wrote in their paper.
Google's search and Web application server log data was used to figure out which specific versions of the Firefox, Safari, and Opera browsers people were using, which include the latest point releases. IE, however, only communicates information about which major version is in place -- such as IE6 or IE7 -- to Web servers.
Consequently, to detect smaller IE browser updates, the researchers reportedly depended on data from users who had installed Secunia's Personal Software Inspector software on their PCs.
No "personal data" was collected about Google users, according to the authors. Interestingly, though, in recent months, Google has come under fire from privacy advocates who claim the company could be violating a California privacy law by failing to post a link to its privacy policy directly from the Google home page.
Accessible through a number of other methods -- such as by entering "Google privacy" on the Google search line -- this policy does state, among many other things, that when "you use Google services, our servers automatically record information that your browser sends whenever you visit a website."
These server logs "may include information such as your web request, Internet Protocol address, browser type, browser language, the date and time of your request and one or more cookies that may uniquely identify your browser," according to Google's policy statement.
Google's policies around log data and personal data are different, though. According to Google, the personal information collected includes that person's e-mail address and Google search activity, for instance. Yet this personal information is collected only from users who set up Google Accounts, and users can supposedly cancel those accounts at any time.
Why did IBM pitch in on the browser research, too? Logically, IBM's interest would seem to revolve around the study's acknowledged focus on the browser as a potential vulnerability point in host-based computing.
"In recent years the Web browser has increasingly become targeted as an infection vector for vulnerable hosts," the researchers said, in a preface to the report. "Classic service-centric vulnerability exploitation required attackers to scan for and remotely connect to vulnerable hosts (typically servers) in order to exploit them. Unlike these, Web browser vulnerabilities are commonly exploited when the user of the vulnerable host visits a malicious Web site."