Information about http://www.techzoom.net/papers/eth_zurich_insecurity_iceberg_pressrelease_2008.pdf

Pages: 3
Language: english
Created: Tue Jul 1 08:29:35 2008
Corporate Communications

ETH Zurich
Media Relations
Phone +41 44 632 42 44
Fax +41 44 632 35 25
media_relations@cc.ethz.ch
www.cc.ethz.ch




EMBARGOED UNTIL TUESDAY, JULY 1, 2008 AT 11H00 CET



Web security

More than 600 million users surf at high risk
Zurich, July 1, 2008. Security researchers from ETH Zurich (The Swiss Federal
Institute of Technology) and Google have shown in a first-of-its-kind
study that more than 600 million Internet users have vulnerable Web browsers
and are therefore easy targets of 'drive-by download' attacks.


The high download rate of the latest 3.0 version of Mozilla Firefox is on
everyone's lips. According to ETH Zurich researchers, this is good news. The
researchers used data archived by Google's global search and Web application
servers between January 2007 and June 2008 to examine the proliferation and
update dynamics of Web browsers around the world. Through this first-of-its-kind
detailed study, they were able to identify the number of Web browser
installations worldwide that are insecure because they run outdated Web browser
versions. These installations are vulnerable to remote exploitation via popular
drive-by download attacks.



Slow reaction to latest browser version
Published today, the researchers' paper entitled "Understanding the Web
Browser Threat" shows that as of June 2008, only 59.1% of Internet
users worldwide use the latest major version of their preferred Web browser.
Firefox users are the most attentive: 92.2% of them surfed with Firefox 2, the
latest version before the recently released 3.0. Only 52.5% of Microsoft Internet
Explorer users, however, employ the latest, most secure Internet Explorer 7 to
surf the Net. The study revealed that 637 million Internet users worldwide who
use Web browsers are either not running the latest version of their preferred
browser or have not installed the latest patches. These users are vulnerable to
exploitation due to their web browser's "built-in" vulnerabilities.



"Insecurity iceberg"
The over 600 million users of outdated web browsers are only the tip of the
iceberg, says Stefan Frei of the Communications Systems Group, part of ETH
Zurich's Computer Engineering and Networks Laboratory (TIK). The proliferation of
insecure and unpatched "plug-in" technologies increases this number further.




Neglected security patches
Over the past 18 months, the study also shows, a maximum of 83.3% of Firefox
users were using the latest major version of the Web browser with all current
patches installed. Only 56.1% and 47.6% of Opera and Internet Explorer hosts,
respectively, were similarly utilizing fully-patched Web browsers. Apple users
are no better: since the public release of Safari 3, only 65.3% of users operate
the latest Safari version.


« Best before » dates for browsers
The study's most important finding is that technical measures now in place do
not sufficiently guarantee browser security, and that users' awareness must be
further developed. The problem is, the ETH Zurich researchers say, that most
users are unaware that they are not using their browser's latest version. It must
be made clear to Web browser users that outdated software is associated with
significantly higher risk. The researchers therefore suggest that, as a critical
component of software, a "best before" date be instituted, as is done in the food
industry. Software updates must also be made easier to find. The resulting
transparency would go far in contributing to end user awareness of software
weaknesses, and allow users to better evaluate risks.




Original publication

Understanding the Web browser threat: Examination of vulnerable online Web
browser populations and the "insecurity iceberg"
S. Frei (1), T. Duebendorfer (2), G. Ollmann (3), M. May (1)
(1) Communication Systems Group, ETH Zurich, Switzerland
(2) Google Switzerland GmbH
(3) IBM Internet Security Systems, USA

Download the study as of July 1, 2008 at 11.00 a.m. CET at:
http://www.techzoom.net/insecurity-iceberg




Further Information
ETH Zurich
Stefan Frei
Computer Engineering and Networks Laboratory
Telephone +41 (0)44 632 70 15
Insecurity-iceberg@ee.ethz.ch


ETH Zurich
Renata Cosby
Media Relations
Telephone +41 (0)44 632 89 61
renata.cosby@cc.ethz.ch


ETH Zurich (Swiss Federal Institute of Technology Zurich) has a student body of 14,000 students from
80 nations. Nearly 360 professors teach mainly in engineering sciences and architecture,
system-oriented sciences, mathematics and natural sciences, as well as carry out research that is highly valued
worldwide. On a yearly basis, ETH Zurich applies for 80-100 patents and directly supports the founding
of up to 20 spin-off companies. Distinguished by the successes of 21 Nobel laureates, and an active
member of the IPCC (Intergovernmental Panel for Climate Control) that was awarded the 2007 Nobel
Peace Prize, ETH Zurich is committed to providing its students with unparalleled education and
outstanding leadership skills.



