In-Depth

Firefox's Auto-Update is Model for Safer Browsing, Report Concludes

As attackers increasingly target browser flaws, the Firefox update scheme serves as a model for the industry

• By Stephen Swoyer
• 07/08/2008

As Web browsers have become more popular targets for attack -- the low-hanging fruit for hackers -- researchers have focused on an oft-neglected aspect of Web browser use: behavior.

Researchers Stefan Frei, Thomas Dübendorfer, Gunter Ollmann, and Martin May argue in a new report (Understanding the Web Browser Threat: Examination of Vulnerable Online Web Browser Populations and the "Insecurity Iceberg") that it appears users of some Web browsers are more security-conscious or risk-averse than others.

According to the authors, Firefox users tend to update their Web browsers quickly after new vulnerabilities have been identified or the Mozilla Foundation issues an update. "[F]rom January 2007 to June 2008, most users updated to a new version of Firefox within three days of a new public release, resulting in up to 83 percent of users having the most current and secure Firefox version installed," the researchers write.

"It took users of the Opera Web browser an average of 11 days before reaching an update saturation at a level of up to 56 percent of the users running the most current and secure Opera version," they continue, noting: "While Firefox and Opera check for updates when the browser is used, Safari relies on an external Apple-updater that appears to poll for new updates only at scheduled regular intervals while Internet Explorer gets updated as part of the monthly distributed Windows patches."

It's a vexing problem, the researchers note, leading to what they term a "Web browser insecurity iceberg" -- the vast majority of users (most of whom run I.E.) who aren't regularly updating their systems with the latest patches or plug-ins. It's an iceberg, they write, because most of the danger is hidden.

"The Web browser Insecurity Iceberg represents the number of Internet users at risk because they don't use the latest most secure Web browsers and plug-ins to surf the Web," they explain. "This paper has quantified the visible portion of the Insecurity Iceberg [i.e., above the waterline] using passive evaluation techniques -- which amounted to more than 600 million users at risk not running the latest most secure Web browser version."

The research quartet cites the rising prevalence of malicious iframe attacks, which are typically designed to exploit JavaScript vulnerabilities. JavaScript vulnerabilities, they note, are typically the stuff of unpatched Web browsers. "[T]here have been frequent reports of hundreds of thousands of Web sites succumbing to mass-defacement -- where the defacement often consists of an embedded iframe," they point out. "These iframes typically include content from servers hosting malicious JavaScript code designed to exploit vulnerabilities accessible through the user's Web browser and subsequently to initiate a drive-by malware download."

The quartet bases its analysis on data collected by Google's Web search and application sites, which collect information about what kinds of Web browsers (as well as which revisions) visit on a daily basis. By correlating Web browser types/revisions with known security patch dates (specific to Firefox, Opera, Safari, and I.E.), investigators were able to determine not just of which kinds of Web browsers users were running, but how frequently users tended to update their Web browsers based on platform types.

The authors anticipate many potential objections, stressing (1) that default Google cookies function as unique identifiers, ensuring that each Web browser was counted only once per host per day; and (2) that they only measured on weekdays, when traffic was theoretically heaviest, and not on weekends. The researchers also assume that the latest iteration of a Web browser (i.e., Firefox 2 -- at the time of the study -- Opera 9, Safari 3, and I.E. 7) is also its most secure iteration.

"By measuring the lower bounds of insecure Web browsers used to daily surf the Internet, we provide new insights into the global vulnerable Web browser problem," they write. "To capture the extent of this security problem, we introduce the notion of the 'Insecurity Iceberg' … and estimate the number of users worldwide relying on a Web browser version different from the latest most secure version or vulnerable plug-ins, which could result in a host compromise."

One of their conclusions is that Mozilla's auto-update system could function as a model for the industry as a whole. "We believe the auto-update mechanism as implemented within Firefox to be the most efficient patching mechanism of the Web browsers studied. Firefox's mechanism regularly polls an online authority to verify whether a new version of the Web browser is available and typically prompts the user to update if a new version exists," they explain.

"With a single click -- assuming that the user has administrative rights on the host -- the update is downloaded and installed. Just as importantly, Firefox also checks for many of the currently installed Firefox plug-ins to verify that they are similarly up to date, and, if not, will prompt the user to update them. Opera's update mechanism is essentially the same procedure as a manual download and re-installation of the browser."

Microsoft's once-monthly updating regimen -- while a quantum improvement over its haphazard approach to updating of half-a-decade ago -- leaves too large a window during which users might be compromised, the report concludes.

"[W]e strongly recommend that software vendors embrace auto-update mechanisms within their products that are capable of identifying the availability of new patches and installing security updates as quickly and efficiently as possible -- ideally enabled by default and causing minimal disruption to the user," Frei's team notes. "We also recommend that these same auto-update mechanisms are capable of alerting the user of any plug-ins currently exposed through the Web browser that have newer and more secure versions available."