May 05, 2009, 5:08 PM — Apple and Opera lag behind Google and Mozilla when it comes to distributing Web browser updates due to how they've structured their patch programs, according to new research.
Only 53 percent of users on a 3.x version of Safari applied a new update within three weeks, wrote Thomas Duebendorfer of Google Switzerland and Stefan Frei of the Swiss Federal Institute of Technology (ETH Zurich) in a research paper.
Also, people running a 3.2 version of Safari are required to apply a Tiger or Leopard operating system update first before getting new browser updates, which slows the overall patch process. Within three weeks of the release of Safari version 3.2.1, for example, only 33 percent of users had it installed.
Opera's browser will check for updates once a week, but a user must go through the same installation procedure for updates as if they were installing Opera for the first time. It's a cumbersome process, the researchers wrote.
Three weeks after a new release, only 24 percent of active daily users of Opera version 9.x have the newest version installed. However, Opera plans to incorporate an auto-update mechanism in its next planned release, version 10.
"All in all, the poor update effectiveness of Apple Safari and Opera gives attackers plenty of time to use known exploits to attack users of outdated browsers," the researchers wrote.
Frei and Duebendorfer collected their data on browsers by analyzing Google's Web logs, which records the user-agent strings of browsers. A user-agent string is data that usually reveals the type of Web browser and version a person uses.
Microsoft's Internet Explorer browser was excluded from some parts of the study since its user-agent string does not reveal incremental version changes for security reasons.
Google's Chrome came out on top. The study found that 97 percent of Chrome users on version 1.x received an upgrade within three weeks. Chrome uses a silent update mechanism where updates are downloaded automatically without user prompts and then applied when the browser is restarted.
Google has also open-sourced its auto-update technology, code-named Omaha, which means anyone can use it. Omaha will poll Google for updates even when Chrome is not running, the researchers wrote. Chrome checks for updates every five hours.
Chrome users may not hit a 100 percent update level due to other problems, such as people not restarting the browser, firewalls blocking updates and some computers, in place such as Internet cafés, that run read-only software images in virtual machines that don't allow software updates, they wrote.
Mozilla's Firefox browser came in second best, with about 85 percent of users employing the latest version 21 days after its release. Firefox frequently checks for updates and also prompts users to install the new version, which contributes to the speedy updates, they wrote.
Updating a Web browser is important as it is one of the most frequently attacked applications. Frei and Duebendorfer wrote that overall, 45.2 percent of Web users were not using the latest version of their Web browser, according to the Google server logs they analyzed.
"Web browsers are in dire need of a very effective update mechanism or they will lose the battle for securing vulnerable Web browsers before their users fall victim to attackers," they wrote.
