I gather that flaws in browsers account for a lot of attacks, arising from malware and spyware that gets ‘snuck in’ by various methods such as XSS.
Let’s be realistic, though; the browser isn’t the only avenue by which a user’s workstation can be infected – I’ll leave servers out of this for the moment. Updating other key components of the operating system is important as well. But patching is more difficult in some systems than others, and some vendors & developers are more aggressive about updating their baseline than others, which could also reflect the complexity and modularity of their products. What was that about complexity being the enemy of security?
Unsurprisingly the study concluded that update features within different
browsers played a key role in determining how quickly users update their
software. Firefox users “typically updated” within three days of the
availability of a new security update. Opera users averaged around 11
days before patching their browser while some IE users are still stuck
on IE6 a year and a half after the release of IE7.
So that makes me one of the ‘good guys’, a Firefox user. Actually I update my plug-ins ‘same day’ – which might actually be a risk if they are not well tested. But that point is always a risk, and is the reason why some companies, such as Intel, are staying with XP rather than upgrading to Vista. (Ever?)
The study found that Firefox users were the most diligent in applying
security updates, with 83.3 per cent using the latest version. Less than
half (47.6 per cent) of IE users used a fully patched version.
Now let’s be fair, not everyone has control over what they use.
“I think it may be a little unfair for many IE users to be grouped in
the ‘less diligent’ bucket because they’re stuck to using IE5 or IE6 for
compatibility issues with their corporate applications but, quite
frankly, in this climate of commercial mass-defacements, ‘unfair’ isn’t
going to keep them safe,” Ollmann writes.
As it says in the article I’ve referenced …
A white paper on the study, Understanding the Web browser threat, can be