Old browsers leave 637 million net users vulnerable to hackers
03 July 2008

Researchers have found that around 637 million netizens who go about their merry ways in cyberspace using outdated Internet browsers are at a greater risk of Web-based attacks.

Using data collected from Google Web searches and security firm Secunia, researchers Stefan Frei (of ETH, Zurich), Thomas Dübendorfer (Google), Gunter Ollmann (IBM ISS), and Martin May (ETH, Zurich) have analysed the browsers in use to better understand why so many recent attacks by criminal hackers have been aimed at the browser, and why those attacks have been so successful.

The biggest find – around 40 per cent of net surfers use insecure versions of web browsers, with some of the least compliant being users of Internet Explorer, which currently dominates the internet browser market.

Data for the research was collected in the middle of June. The user base was split into 78 per cent Internet Explorer (IE) users, 16 per cent Firefox (FF) users, three per cent Safari users, and 0.8 per cent Opera users. The use of insecure browser add-ons, such as dated versions of Adobe Reader, was excluded from the study, as the data from Google provided only browser information.

Of these, users of the latest versions of their respective browsers were 52 per cent for Internet Explorer, 92 per cent for Firefox, 70 per cent for Apple's Safari, and 90 per cent for Opera.

The report said that IE 7 took only 19 months to gain 52 per cent of the entire Internet Explorer audience. However, 48 per cent of IE users in the study used an older version of IE 7, or still had IE 6 installed.

The study becomes more interesting where it draws a comparison with the food industry as a model for mitigation, arguing that people typically understand the need to buy the safest foods, which come with printed expiry dates, so why not browsers? The authors say that a browser should also display an expiration warning in red in the upper right-hand corner, which would grab the user's attention. However, they also say that though the food industry has penalties for selling expired wares, there is no such liability for software vendors, who are not legally obliged to provide software updates.

The researchers defined the most secure Web browser as "the latest official public release of a vendor's Web browser at a given date." This definition excluded beta versions, and assumed that the risk of encountering malware that could compromise one's browser is the same regardless of browser market share.

Browser upgrades have a direct link to vendors providing updates, as most upgrades come bundled with other software updates, such as IE 7 in the updates for Windows XP or as an auto-update with each monthly set of Microsoft security patches. However, a number of users still opt for running the earlier version, IE 6.

The study brought out the fact that Firefox 2 could well be considered the most secure web browser, since 83.3 per cent of Firefox users globally use the most current version. 637 million of 1.4 billion Internet users worldwide represents around 45.2 per cent of netizens, who would be at risk from dated browsers.

The paper argues that "given the state of the software industry and the growing threat of exploitable vulnerabilities within all applications, and not just web browsers, we believe that the establishment of a 'best before' date for all new software releases could prove an invaluable means to educating the user to patch or 'refresh' their software applications."

It goes on to say that "the same 'best before' date information could also be leveraged by Internet businesses to help evaluate or mitigate the risk of customers who are using out of date software and are consequently at a higher risk of having been compromised."

Browser security is currently a live issue, as most malware targets web browser vulnerabilities, which are usually remotely exploitable. These have been increasing since the year 2000, and accounted for 89.4 per cent of vulnerabilities reported in 2007, says the study, claiming that a "growing percentage of these remotely exploitable vulnerabilities are associated with Web browsers."

The study awards the second, third, and fourth places to Apple's Safari 3 (65.3 per cent users running the most current version), Opera 9 (56.1 per cent), and Microsoft Internet Explorer 7 (47.6 per cent).

In the real world, Internet Explorer, which commands around 78.3 per cent of the global market share (average between February 200 and June 2008), will probably also encounter more malware than other browsers, as malware writers tend to broad-base their attacks over the widest possible audience in their exploitation attempts.

Additionally, common technologies such as Adobe's Flash and other 'plug-ins' also have their share of vulnerabilities. The study cites research by computer security firm Secunia as having found that around 21.7 per cent of all QuickTime 7 installations are out of date.

So, having the most current version of one's favourite web browser may be only part of the story, and the need to update other outdated software still persists.
