[Full-disclosure] New Browser Security Paper: Why Silent Updates Boost Security
stefan.frei at techzoom.net
Tue May 5 21:54:41 BST 2009
with research colleague Thomas Duebendorfer from Google in Zurich I've
finally had a chance to look deeper into the performance of Web
browser update mechanisms. The analysis of anonymized Google Web
server logs allowed us to compare and rank the update strategies of
Google Chrome, Mozilla Firefox, Apple Safari, and Opera. We found
considerable differences in the performance of the update techniques
deployed by each browser by measuring the share of the latest minor
version within the same major version during the first 21 days after
Chrome topped with 97% share after 21 days, followed by Firefox 85%,
Safari 53%, and Opera 24%.
However, during the first 5 days after a new release Firefox
outperformed all the others.
The paper discusses the findings and provides empirical data to
evaluate different update strategies.
Paper: Why Silent Updates Boost Security
In this paper we analyze the effectiveness of different Web browsers'
update mechanisms, from Google Chrome's silent update mechanism to
Opera's update requiring a full re-installation. We use anonymized
logs from Google's world wide distributed Web servers. An analysis of
the logged HTTP user-agent strings that Web browsers report when
requesting any Web page is used to measure the daily browser version
shares in active use. Our measurements prove that silent updates and
little dependency on the underlying operating system are most
effective to get users of Web browsers to surf the Web with the latest
browser version. However, there is still room for improvement as we
found. Google Chrome's advantageous silent update mechanism was
open sourced in April 2009. We recommend any software vendor to
seriously consider deploying silent updates as this benefits both the
vendor and the user, especially for widely used attack-exposed
applications like Web browsers and browser plug-ins.
- Thomas Duebendorfer, Google Switzerland GmbH
- Stefan Frei, Communication Systems Group, ETH Zurich, Switzerland
Stefan Frei & Thomas Duebendorfer
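The measurement described in the abstract (classifying logged HTTP user-agent strings by browser family and computing the share of the newest minor version within each major version) can be reproduced on a small scale as follows. This is an added illustration, not code from the paper or from Google's log pipeline; the user-agent strings and hit counts are constructed sample data, and the regexes and the `latest` release table are assumptions.

```python
import re
from collections import Counter

# Version token of each browser family ranked in the paper. Chrome's
# user-agent also carries "Safari/", so Chrome is matched first; Safari
# proper is recognised by its "Version/x.y.z" token.
VERSION_PATTERNS = [
    ("Chrome", re.compile(r"Chrome/(\d+(?:\.\d+)+)")),
    ("Firefox", re.compile(r"Firefox/(\d+(?:\.\d+)+)")),
    ("Safari", re.compile(r"Version/(\d+(?:\.\d+)+).*Safari/")),
    ("Opera", re.compile(r"Opera/(\d+(?:\.\d+)+)")),
]

def parse_browser(user_agent):
    """Return (family, major, full version tuple), or None for unknown UAs."""
    for family, pattern in VERSION_PATTERNS:
        m = pattern.search(user_agent)
        if m:
            parts = tuple(int(p) for p in m.group(1).split("."))
            return family, parts[0], parts
    return None

def latest_version_share(user_agents, latest=None):
    """Share of hits on the newest release within each (family, major).

    `latest` optionally maps (family, major) -> version tuple of the current
    release (assumed input); when absent, the newest version seen in the
    logs is used as a proxy, which over-estimates the share if the real
    latest release has not shown up in the sample yet."""
    hits = Counter(p for p in map(parse_browser, user_agents) if p)
    totals = Counter()
    for (family, major, _), n in hits.items():
        totals[(family, major)] += n
    shares = {}
    for (family, major), total in totals.items():
        newest = latest.get((family, major)) if latest else None
        if newest is None:
            newest = max(v for f, mj, v in hits if (f, mj) == (family, major))
        shares[(family, major)] = round(hits.get((family, major, newest), 0) / total, 3)
    return shares

# Constructed sample of one day's user-agents (a crawler line is ignored).
WK = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) "
FX = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/"
SAMPLE_USER_AGENTS = (
    [WK + "Chrome/1.0.154.53 Safari/525.19"] * 9 + [WK + "Chrome/1.0.154.48 Safari/525.19"]
    + [FX + "3.0.10"] * 7 + [FX + "3.0.9"] * 3
    + [WK + "Version/3.2.1 Safari/525.27.1", WK + "Version/3.1.2 Safari/525.21"]
    + ["Opera/9.64 (Windows NT 5.1; U; en) Presto/2.1.1"]
    + ["Opera/9.63 (Windows NT 5.1; U; en) Presto/2.1.1"] * 3
    + ["Googlebot/2.1 (+http://www.google.com/bot.html)"]
)
```

Running `latest_version_share` over one such sample per day for the 21 days after a release gives the per-browser curves the paper compares.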
Full-Disclosure is hosted and sponsored by Secunia.