Most people are pretty lax when it comes to keeping their Web browsers secure, according to a report unveiled at this week’s RSA security conference in San Francisco.
About 80 percent of people who’d installed Qualys’ free BrowserCheck add-on over the past eight months had not installed the latest browser or plug-in patches, said Wolfgang Kandek, chief technology officer at Redwood Shores, Calif.-based security and compliance management company Qualys.
Real-world numbers may be even worse, since Qualys’ sample size was relatively small — 200,000 Windows, Mac and Linux users in Brazil, Germany and the U.S. who were security-conscious enough to add a patch-compliance monitor to their browsers.
Almost all patches to browsers and plug-ins, outside of product upgrades, are in response to security vulnerabilities. If you don’t patch your system, which takes only a few minutes a month, you’re leaving it unguarded against well-known exploits — essentially making yourself a sitting duck for hackers and other bad guys.
The worst offender among plug-ins in Qualys’ report was Oracle’s Java, which was unpatched on a whopping 40 percent of systems tested. Kandek noted that this lack of patch compliance is one reason malware writers like to target the powerful cross-platform programming language.
"I bet that most people don't even know that they have Java, or how it installs," said Kandek, according to ComputerWorld. "Exploit writers have recognized that and have been adding Java exploits in their toolkits."
Next worst was Adobe’s Reader plug-in, which lets PDFs display in the browser and was unpatched in 32 percent of reporting systems. That’s actually quite an improvement, noted Softpedia’s Lucian Constantin, since Adobe recognized how vulnerable Reader was and issued a much more secure version in November.
Apple’s QuickTime was unpatched in 25 percent of systems, and Adobe’s Flash and Shockwave came in just after that, with 24 and 21 percent respectively.
Browsers overall were patched much more thoroughly than plug-ins. Only a quarter of the systems tested in January had unpatched browsers — but Kandek noted that some, such as Mozilla’s Firefox and Google’s Chrome, automatically patch themselves.
Kandek said more browser manufacturers ought to follow the example of Chrome, which auto-updates Flash as well as itself.
"All the different patching mechanisms are confusing — a bit of this and some of that," he said, according to ComputerWorld. "A single updater would be the right thing."
Salvation may come in the next generation of browsers, including Internet Explorer 9 and Firefox 4, both due later this year. They will natively handle HTML5, which won’t need plug-ins to play the video and audio content that Flash, QuickTime and Windows Media Player now handle.