Why you should keep your browser patched… and use Firefox
February 12th, 2006
Interesting article on TechWeb the other day about a study done by security researchers from the University of Washington. What they did was take unpatched versions of Internet Explorer and Firefox and use them in two different setups, one emulating a user who clicks “yes” whenever he’s asked a security question, the other always selecting “no” instead. Those two setups were then run against a reference set of 45.000 websites and the number of successful spyware infections was counted.
It’s important to note that the study does not make the claim that one of the browsers is more secure than the other; what it tried to find out instead is which browser gives a safer browsing experience to the user. As it turns out, there is quite a difference – while IE users were infected with spyware in 1.6% of the cases when they always clicked “yes” and still 0.6% even when they clicked “no”, the respective numbers were only 0.09% and 0% for Firefox – which means that no spyware was ever installed under Firefox unless the user accepted the download.
ActiveX seems to have played a major role in the involuntary spyware installations – so the lack of support for the proprietary ActiveX seems to be what gave Firefox the advantage in this study. In fact, the only successful spyware installations in Firefox happened through Java applets – and all of those required the user to consent to something before it happened. One can only hope that Internet Explorer 7 will offer better protection against “drive-by” installations of ActiveX components.
In the meantime, there are two conclusions that can be drawn from this study. The first is that you should most definitely always keep your browser patched with all the latest security fixes. The second is that, if you want a safe browsing experience, you might be a lot better off using Firefox.
Update Feb. 16, 2006: Brian Krebs has some interesting numbers in his blog again, taking a look at the number of days it took last year to get patches for critical vulnerabilities out for both browsers. Definitely worth reading and a great piece of research by Brian.
Entry Filed under: Technology