Re: New Paper: More than 600 million users surf at high risk

["Rob Thompson" <my.security.lists () gmail com>]

On Tue, Jul 1, 2008 at 12:31 PM, Larry Seltzer <larry () larryseltzer com> wrote:
> From your paper:
>
> > > It is noteworthy that it has taken 19 months since the initial general
> availability of IE7 (public release October 2006) to reach 52.5%
> proliferation amongst users that navigate the Internet with Microsoft's
> Web browser. Meanwhile, 92.2% of Firefox users have migrated to FF2.
>
> Could this be due to the fact that Mozilla stops supporting, and issuing
> updates for old versions just a few months after the release of a new
> one?

Or could it be due to the fact that IE7 is not supported by a bunch of
vendors and businesses are not comfortable upgrading?

Kind of like Vista???

> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blogs.pcmag.com/securitywatch/
> Contributing Editor, PC Magazine
> larry.seltzer () ziffdavisenterprise com
>
>
> -----Original Message-----
> From: Larry Seltzer
> Sent: Tuesday, July 01, 2008 3:26 PM
> To: 'Stefan Frei'; bugtraq () securityfocus com
> Subject: RE: New Paper: More than 600 million users surf at high risk
>
> A reply from Robert Hensing at Microsoft
> (http://blogs.technet.com/robert_hensing/archive/2008/07/01/vulnerable-w
> eb-browser-study-full-of-fail.aspx) says that your study did not include
> minor version information for Internet Explorer, probably because such
> information is not reported in the user-agent string. But fully-patched
> copies of IE5 and IE6 are not insecure in the same way as an unsupported
> version; Microsoft is still supporting them.
>
> So is it true that your study calls anyone running IE7 secure, and
> anyone running IE5 or IE6 insecure, regardless of their patch levels?
>
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blogs.pcmag.com/securitywatch/
> Contributing Editor, PC Magazine
> larry.seltzer () ziffdavisenterprise com
>
>
> -----Original Message-----
> From: stefan.frei () gmail com [mailto:stefan.frei () gmail com] On Behalf Of
> Stefan Frei
> Sent: Tuesday, July 01, 2008 11:40 AM
> To: bugtraq () securityfocus com
> Subject: New Paper: More than 600 million users surf at high risk
>
> Hi List,
>
> For the last 18 month we analyzed the daily USER-AGENT data collected by
> Google's Web search and application servers around the world to study
> how users
> patch and update their Web browsers.
>
> We came out that approximately 637 million (or 45.2 percent) users
> currently
> surf the Web on a daily basis with an out-of-date browser - i.e. not
> running a
> current, fully patched Web browser version.
>
> And this is only the tip of what we call the "Insecurity Iceberg", not
> counting
> all the vulnerable browser plug-ins.
>
> One of the new concepts we came up for combating the inadequacies of
> Web browser
> patching was that of applying the food industries "Best Before" date to
> the Web
> browser and its plug-ins.
>
> Paper:
> Understanding the Web browser threat:
> Examination of vulnerable online Web browser populations and the
> "insecurity iceberg"
>
> Authors
> - Stefan Frei, Communication Systems Group, ETH Zurich, Switzerland
> - Thomas Duebendorfer, Google Switzerland GmbH
> - Gunter Ollmann, IBM Internet Security Systems, USA
> - Martin May, Communication Systems Group, ETH Zurich, Switzerland
>
> Paper Download:
> http://www.techzoom.net/insecurity-iceberg
>
>
>
> Regards
> Stefan Frei



-- 
Rob