Users of Safari and Opera are much more likely to run insecure versions of those browsers because it's harder to keep up with updates, a new study has concluded. The report, prepared by researchers at Google Switzerland and the Swiss Federal Institute of Technology, analyzed data pulled from anonymized Google logs. It showed …
I am not a security expert, but isn't it actually pretty bad when a web browser publicly shows its exact version? If I were a hacker who found an issue in Chrome 2.2.1 then I would create a script which attacks only exactly that version and leave all other versions out just to keep a low profile...
One reason I don't use Firefox...
...is that every time I start it, on my machine or a university machine, it insists on installing updates and slowing down whatever I was doing! I do keep up with versions, but at times when it's convenient to me.
Safari is a bit of a special case, as WebKit has deep system roots so many updates need a reboot. It's not good that this (apparently) impacts adoption rates, but it is understandable.
Cue the flamewar!
I am a Firefox user myself and am happy with the seamless / painless update procedure. This pretty much ensures that you are using the latest version of the browser.
firefox autoupdate owns
Why can't more software use the firefox autoupdate mechanism? It is retarded to have to reinstall an entire program and click next 10 times for a minor patch only changing a handful of files. The two programs that really need this are Sun Java Updates (20 meg reinstalls get annoying every few weeks, I know each version is standalone but should allow option where we only have the latest autopatched instead of 14 insecure java versions dangling) and OpenOffice (140 meg download to update 3 files is beyond retarded).
Well done. You successfully got the gist of the article. Then again, the point has been made repeatedly every time an update is announced here, so I don't know how long it actually took you. Would be nice if Opera updated in the same way, though - I didn't realise it only checked weekly. Opera is still my personal preference though, on a feel basis, so I'm not planning to change solely on the frequency of update checking.
treats its browser just the same way as its computers. Nag and nag and nag about how good it is until they get you in, then they don't want to know?
Why would you use anything other than Internet Explorer, it automatically updates with Windows Update, it must be safer than all these hippy browsers?
Limited research premise?
Surely some important factors have to be:
+ serious nature of an update (is it trivial or is it a severe requirement)
+ any consequence of the update/patch (would anyone like to lose some OS or application functionality due to a patch especially midway through an important project? I've heard that some users will switch off all updates for fears of any consequences on important work in progress)
+ how is a browser keyed in to an OS (I'd guess that the 'fox, Chrome and Opera might not be too seriously embedded into an OS but might impact upon some applications)
If anything, to me that is, the findings indicate that there are different options about how upgrades, patches and fixes are effected and the user (or administrator) really needs to be instrumental in those choices. It seems both wise and unwise for something to update without direct instruction from user/administrator partly because of the (always unpredictable?) effect on important work in progress.
Seems Opera have realised it's about time they did autoupdates, it's listed as a feature for Opera 10: http://www.opera.com/browser/next/ ...but whether it will still only check once a week remains to be seen...
Google says Chrome wins
Google comes out top in a Google study! Shock, horror!
Seriously though, they would perform best by that measure due to the most arrogant app in the world, ever - GoogleUpdater - it's so irritating that it led me to uninstall Chrome. It was checking for updates far too often, even though I wasn't even using their browser (has it got any better yet?)
I uninstalled GoogleUpdate again yesterday. Just checked and there it is running again.
Anyway, Secunia tells me when I need to update Opera.
This is one of the reasons why I'm looking forward to Opera 10, since it seems that it will include a proper update mechanism, hopefully in line with what Firefox and Chrome are doing. I'll wait until it comes out of Alpha before trying, though. Hurry up please Opera!
If only all of them prompting me with update availability messages also allowed me to update as restricted user, even though the program was installed "for all users" by Admin. OH WAIT...
Can this conflict even have a solution other than all programs be installed for each user by her own, which sounds really clumsy ? (Can't "they" just write bug free software!? ;)
If it's that bad on updates then your university needs to update its 386 machines to something a bit faster. It doesn't happen that often, and I find it very quick. The fact that it restores your tabs if you want means that a reboot isn't that painful.
Firefox vs Chrome
The difference is that the Firefox update process fails unless you are browsing -- insanely -- as an admin.
Someone has to log on as an admin, download the update again, apply it and clean up the failed applications in the non-admin user profiles.
It's pants. It's why we don't run FF here.
Does anyone want to take responsibility
for running a safe machine? My anti virus software reports vulnerabilities and points me to new versions of software like, er, Opera, and it takes a coupla minutes to download the latest version. I run that check every day. The new version of Opera inherits all your settings and bookmarks so it's not exactly like hard work
Opera 10 will have automatic updates
This article reminded me to check which Opera version I was running here at work and of course I was one version behind, too many computers to keep track of :)
According to the Opera site, Opera 10 will fix the updating problem, I myself have been waiting for this simply because I'm too lazy to check for an update and almost always rely on the automatic checker.
The minority advantage
Now I know security by obscurity is no security at all, but in Opera's favour it is such a minority product that actually most people won't bother attacking it - why go for something with a 0.1% share when you could go for one of the big boys with a 50% share or just get low hanging fruit by hitting IE6?
I don't like the way Chrome calls home so often and rolls out updates without you knowing, hence opting to use SRWare Iron. Firefox's update feature is probably the best, frequent, and somewhat seamless.
I love Opera but the reinstallation is somewhat annoying, an update feature similar to Firefox's would be a welcome addition to the browser. The only change I'd make would be that it prompts the user BEFORE the update is downloaded so they can opt out if required.
Opera on LINUX
I too prefer Opera, but why have they been so slow to make use of the LINUX package managers?
Hell, even Adobe Flash comes down on Ubuntu's if you enable third party software!
So this isn't about "time to patch" of browser vendors but about frequency of checking for browser updates and whether updates are applied "silently" or the user given a chance to back out?
The study apparently concludes that an operating-system vendor that distributes a browser should have a separate update mechanism running in the browser? That would seem to be the gist of the criticism of Apple and the implied criticism of Microsoft. But why should the browser require an entirely separate mechanism running on a different schedule?
Does the study have a downer on Linux distributions that take care of *all* updating -- even including 3rd-party software -- through a package manager? That's always seemed to me to be an eminently sensible arrangement whatever the Swiss think.
As for Google's updater, it *isn't* a browser updater. It updates *all* Google software, much as Apple's Software Update updates all Apple software and Microsoft's Windows Update updates all Microsoft's (System) software.
Is the study overexcited about the fact that Google Updater runs on its own schedule that can't be modified, checks very frequently, and installs updates silently? That does mean that users can hardly avoid taking the patches. That's good for home users perhaps, but I can't see IT departments falling over themselves with glee at that. Business needs to test patches and roll them out to users itself when it's satisfied they don't break anything else.
@ all Opera 10 fanbois
It's always going to be in the next version, haven't you realised!
I'm sure that No-Script will kindly update my core FF in the background without worrying my small brain about such details...
Do they bother asking?
Opera 10's alpha does have auto-update in it. But I think the real reason for the variance in behaviour is probably related to the technical competence of the users. I have several friends who will *not* install any program updates of any kind and always request that I do this and I suspect that this is common for many people. Too many people have had bad experiences with sloppy updates in the past. Firefox users tend to be more "technically competent" or at least adventurous as I assume users of Google's runtime are.
has autoupdates. The interval it looks for updates can be adjusted, the default is 1 hour. Visit http://www.opera.com/next and see for yourself.
Oh, and Russel, it always IS in the next version, and in most cases far ahead of the competition.
El Reg Scissors...
What exactly was wrong with "Research, partly by Google, using Google's own Googlebase reveals that a browser by Google and one partially funded by Google comes out on top. Whodathunkit?"
For what it's worth I use FF (still v2 as plugins I regard as essential haven't been re-written for v3) and I'm happy with it and its update policy, even though updates for v2 are now extremely few and far between.
So it's not just me...
...who's had to give up on Firefox after every single update to v3 tries to auto-install itself, fails (apparently because the user isn't an administrator) and leaves a mangled mess that has to be removed and reinstalled from scratch. Reluctantly, I now find myself an Opera fanboy.
The Author forgot to mention special Apple Feature in their auto-update.... I do not have Apple Safari installed, yet every time I update iTunes, I'm being asked to install Safari.
Re: So it's not just me...
"...who's had to give up on Firefox after every single update to v3 tries to auto-install itself, fails (apparently because the user isn't an administrator) and leaves a mangled mess that has to be removed and reinstalled from scratch."
Apparently not. It seems there are two of you who haven't figured out that there's a box to uncheck if you don't want to attempt these pointless updates. It *is* a totally moronic piece of software design, but it *isn't* a reason to give up. (Note to any programmers out there, it is reasonable to check for updates as a non-admin. It is not reasonable to attempt the actual update.)
"Reluctantly, I now find myself an Opera fanboy."
Less reluctantly, so am I, but that's because I preferred Opera for mail and news, and couldn't then see any point in not using it for browsing as well.
I like Opera but I am one of the, er - lazy - users. What I would prefer is frequent automatic updates from a branch that only includes security and bug fixes, while upgrades to new releases are manual.
As for completely reinstalling Opera, I don't mind that. It's pretty small you know.
/y inv to Flame raid pls
Just thought I'll add something to the Firefox and auto-updates debate. My users, who are not admins or privileged users, can and do apply Firefox updates. Admittedly, I did have to add the updater to the whitelist but it works.
Unfortunately, most of them don't know what Firefox is and insist on using IE6 which, for reasons too long and boring to go into, we are unable to upgrade.
Can lead a horse to water... etc
"Both Chrome and Firefox offer autoupdates that go largely unnoticed by users."
Firefox is installing your updates - this may take several years....
It's really not that hard to upgrade to new versions of Opera, and current versions already check for updates on a regular basis. You can even adjust how often. For some daft reason, though, you have to dig around in the config to do that. Oh yeah, and my install insists on continuously resetting the interval to several million days. :o(
Ho-hum - I guess none of them are perfect.
The problem is the end users
So, Opera notifies me of an update (it actually DOES this folks) and I don't implement it. This is Opera's problem? Sure, I agree "automatic" would be better.
And while we're at it, how many of the actual o/s where these browsers reside have been patched? I thought so.