Easy update mechanisms have a far greater effect on browser patching than perceived threats or other factors, according to a new study by Google and Swiss academics. The in-depth comparative study into how browser security packages are updated discovered that Firefox's update mechanism is the most successful at getting users …
And yet.. 100% of IE users will always be using an insecure browser.
Insecure Firefox users
Hardly surprising since Firefox 3 doesn't even work on Panther. I know someone using Firefox 1.5 on Windows 95 (and before anyone calls it a legacy system, my friend calls it the system he earns his living on.) I know other people using Windows 98.
I have started suggesting Opera, which even works on Jaguar.
I think the conclusion is likely quite correct.
The reason I'm still at Firefox 3.0.4 is because Ubuntu hasn't pushed an update through Hardy Heron (8.0.4). I'm concerned that updating directly through Firefox will put me out of sync with Ubuntu updates.
FF 18.104.22.168 here.
Because I prefer to use a stable browser that is a known quantity. There are a few well-known bugs in this version, all of which I'm completely safe from with NoScript. If I updated it, those would be fixed, but I would be subject to an unknown quantity of new bugs of which I would have no knowledge how to protect myself against; that's a hiding to nothing in my book. So the only way I'm at more risk is if there is a serious yet as-yet-undisclosed 0-day that works without any scripting in this old version - and of course, there could just as well be such 0-days for the newer versions, which get a lot more intensive attention from people looking for exploits than some antique that only a small percentage of surfers use; it's not an effective use of the attackers' time to be still trying to break this old version. Steam-powered tech FTW!
we are /all/ using insecure browsers - it's just that the details of the remaining vulnerabilities aren't public yet...
Beside the point
Their theory is that if only you are running the latest version, you are somehow magically secure. Hardly true; patches for each successive version are quite often from known exploits to that (then) latest version.
Personally I don't mind the Firefox updates so much, but some of the add-on updates like NoScript come out so often it becomes annoying after a point. Seems like every other day a page doesn't load because NoScript wants to stop the show and do its thing, then Firefox pops up the window telling me about it, then NoScript takes Firefox to its webpage, then all this nonsense is closed so the original goal - loading a frikkin' webpage - can finally happen.
IMO, they need to consolidate these updates and release them 1/3rd as often. Conficker, for example, isn't spreading because someone doesn't have version 3.0.x of Firefox.
Since the majority of browser flaws seem to be "social engineering" scams -- I think the user will always be as much of a problem as the browser.
Blame plugins breaking
I've just upgraded to FF3 from FF2, and only then because I reinstalled Windows. The blocker for me was plugin compatibility - I've had to say goodbye to some functionality while nominally moving to a more advanced version.
Still, I'd rather be on FF2 than IE6, which I'm using to post this comment from work due to (what else?) activex tools. Hell, we only upgraded from 5.5 last year...
A lot of workplaces, especially cost-conscious companies, don't upgrade their IT systems that often - I've worked in quite a few places that were still using old Pentiums running NT4 and Windows 2000 even a couple of years ago, because their systems work, the staff know how to use them, and there's no need to upgrade.
That might explain the weekend/weekday discrepancy, since during the week most people would surf from the older systems in their workplaces, and on the weekends surf with the shiny new computers they popped on the credit cards last year along with the new stereo and plasma TV.