Last year, along with Stefan Frei, Thomas Duebendorfer and Martin May, we published the well-received paper "Understanding the Web Browser Threat" - which looked at how the various update mechanisms of the most popular Web browsers compared, and derived the minimum estimates of how many Web browsers constantly failed to apply the latest security patches - based upon analysis of Google USER-AGENT data.
Well, as a follow up to that research, a new paper has just been published in the January edition of ACM SIGCOMM Computer Communication Review. The paper, titled "Firefox (In)Security Update Dynamics Exposed", takes a much deeper look at how Firefox is updated (for real) by Internet users.
There are many very interesting findings to be found in the paper, but I wanted to share some of the things I found most interesting from the research.
When you take a closer look at the frequency at which a particular Web browser version is used during the week, you can see a noticeable pattern that revolves around weekend usage patterns.
Here we see the usage pattern of Internet Explorer versions 6 and 7 over a year. Clearly, IE7 grows in popularity over IE6 and, by early 2008 becomes the most popular IE version in regular use.
But, looking closely at the fluctuations you'll notice something very interesting - IE7 grows in popularity over the weekends.
What this most likely means is that the newer version of IE is probably in greater use by home users. Meanwhile corporates, with greater restrictions on patch/update rollouts have stuck with IE6 for longer periods. Therefore you see IE6 getting greater use during the working week, and IE7 over the weekends.
Oddly enough, the same pattern can be seen with the latest versions of Firefox.
So, once again, we see the most recent version of a Web browser getting more use over the weekend.
The new paper also explores the effect on Safari and Opera Web browsers too.
Another interesting aspect to the research is the dynamics behind the pace at which updates to the respective Web browsers are applied. By examining the minor version information contained within the USER-AGENT data, the authors were able to observe how quickly(?) users applied public patches.
For example, the graphs above show this pace of patch application and the percentage of Firefox/Opera browser users using the most current (and secure) versions.
Rest of the Paper
There is of course a lot more information contained within the paper and I'd whole heartedly recommend that any security professionals out there take some time out of the day to read it.
I think it raises the interesting angle on the dynamics of weekday vs weekend drive-by-download attacks. Going purely off the numbers, I'd be inclined to say that users are "safer" conducting their Internet browsing when they're away from work. So, if you have need of checking out your online bank balances throughout the day - wait until the weekend?
Unfortunately the BIG unknown are the plug-in's - which I suspect are a bigger problem for home users... which probably more than negates the previous paragraph.