Before we start let's point out the following:
The entire report is a valuable read on the state of browser security but, as Brian Krebs points out, the conclusions should be considered conservative since it does not include information on vulnerable plugins (think Flash Player, Adobe Reader, Java, QuickTime, etc.). Also, bear in mind that these numbers only represent Google users.
So we're really talking specifically about the browser applications and not the browsing experience as a whole.
We discovered that at most 83.3% of Firefox users, 65.3% of Safari users, 56.1% of Opera users, and 47.6% of Internet Explorer users were using the latest, most secure browser version on any day between January 2007 and June 2008. For the latest version analysis of Safari, we only considered the date range Dec 2007 to June 2008, when Safari version 3 became widespread.
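As an added illustration of the kind of measurement behind those figures (not code from the report or this post): the Python below classifies User-Agent strings from constructed web-server log lines into the four browser families and reports how many distinct clients run an assumed "latest" version. The reference versions, regexes and sample log lines are my own assumptions, not values taken from the report.

```python
import re
from collections import defaultdict

# Combined Log Format: client address is the first field, User-Agent the last quoted one.
LOG_RE = re.compile(r'^(\S+) .*"([^"]*)"$')

# Match order matters: Opera can also claim "MSIE", and other WebKit browsers carry "Safari/".
UA_PATTERNS = [
    ("Opera", re.compile(r"Opera[/ ]([\d.]+)")),
    ("Firefox", re.compile(r"Firefox/([\d.]+)")),
    ("Safari", re.compile(r"Version/([\d.]+) Safari/")),
    ("Internet Explorer", re.compile(r"MSIE ([\d.]+)")),
]

# Assumed reference versions for the sample period; not taken from the report.
LATEST = {"Firefox": "2.0.0.14", "Safari": "3.1", "Opera": "9.27", "Internet Explorer": "7.0"}

def classify(user_agent):
    """Return (family, version) for a known family, else (None, None)."""
    for family, pattern in UA_PATTERNS:
        match = pattern.search(user_agent)
        if match:
            return family, match.group(1)
    return None, None

def latest_version_share(log_lines, latest=LATEST):
    """Return {family: (distinct clients on the latest version, distinct clients)}."""
    seen = defaultdict(dict)  # family -> {client: last seen version}; a chatty client counts once
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed line: skip rather than mis-attribute it
        client, user_agent = match.groups()
        family, version = classify(user_agent)
        if family:
            seen[family][client] = version
    return {f: (sum(v == latest.get(f) for v in c.values()), len(c)) for f, c in seen.items()}

# Constructed sample log lines (not real traffic); 10.0.0.5 appears twice on purpose.
SAMPLE_LOG = """\
10.0.0.1 - - [12/May/2008:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14"
10.0.0.3 - - [12/May/2008:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1"
10.0.0.4 - - [12/May/2008:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
10.0.0.5 - - [12/May/2008:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
10.0.0.5 - - [12/May/2008:10:00:05 +0000] "GET /a HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
10.0.0.6 - - [12/May/2008:10:00:06 +0000] "GET / HTTP/1.1" 200 512 "-" "Opera/9.27 (Windows NT 5.1; U; en)"
"""

if __name__ == "__main__":
    print(latest_version_share(SAMPLE_LOG.splitlines()))
```

Counting distinct client addresses rather than requests is what keeps one heavily used machine from skewing a family's share; on real logs, proxies and NAT make an address a rough stand-in for a user, which is one reason such figures are only indicative.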
I suspect Internet Explorer's surprisingly bad results are due to poor adoption of the browser's latest version, IE7. This is probably linked to:
- people who can't upgrade to IE7 because their system requirements cannot be met (e.g. anyone running Win2000);
- people who won't upgrade to IE7 because they find it changes their browsing experience too much (e.g. too different from the user's perspective: tabs, new menus, etc., and/or technical issues: it breaks current web-based applications, which need to be upgraded to ensure IE7 compatibility).
I must say that of late, Microsoft upgrades have entailed lots of extra, unexpected technical work. Just think back to XP SP2 (a real pain in the neck). These new systems require security tweaking every time; it's no wonder companies and users are slowly changing their ways and going for backward-compatible and standards-compliant systems.
And it makes me wonder. Should large corporations be allowed to make application upgrades which will affect everyone actually developing anything for use with said application? Aren't systems today being designed to be so secure at the user's expense, making them difficult to use? Is it not actually counterproductive if users just get annoyed and frustrated with over-secure systems (esp. as these systems are still vulnerable to attacks anyway)?
Perhaps we should just turn to some form of mandatory training about the risks posed by accessing the Internet, how to reduce these risks and how to recognize certain types of attacks/infections, and how to check systems for known infections.
What do you think?