Posts Tagged ‘time to update guys!’

It’s been a while since I’ve posted — but I return to you now with some interesting information, and some questions. Over the past 45 days I’ve been running something of a survey. Really, I’ve been data mining your browser headers. Don’t worry, I haven’t sold your info to any third parties 😉

However what I did find was surprising. You don’t care about browser security. At all.

Overall, about 2,500 people participated in this survey, though they did not know it. Of those 2,500 individuals, approximately one quarter are using a vulnerable browser without the aid of NoScript. That’s over 400 vulnerable browsers that have visited this site in the last month and a half.

Anyone have an explanation for this?

In my mind there are two possible answers here. The first is that you just don’t know any better; the second is that you just don’t care. Since you’re likely interested in securing your Linux installation if you’re reading this site, there is a good chance that you DO know better.

A look at the results

The most popular vulnerable browser was Chrome/Chromium 15.0.874.102, which suffers from a use-after-free memory corruption vulnerability, among several others. Though the memory corruption is the most significant, multiple vulnerabilities fall into the “serious” category. Oddly, every single person using this browser version was using Ubuntu Linux 11.10, in either the x86 or amd64 flavor. Canonical? Fix your repos? Or maybe people just aren’t updating.

While we’re discussing operating system versions, I found it interesting, but not surprising, that several of the operating systems running these browsers were end of life, meaning they haven’t been receiving security updates for quite some time. Several individuals were using Ubuntu sub 8.04, and more were using Ubuntu 8.04-8.10. These operating systems are end of life, and are not receiving security updates. If you’re running these I strenuously urge you to upgrade to at least the current LTS 10.04. There really isn’t much else to say about operating systems, since browser headers are often less than conclusive in terms of operating platform.

So what were some of the most vulnerable browsers? Well, there were quite a few, but the most interesting I saw were the following:

  • Firefox 3.0.x
  • Firefox 3.5.3
  • Firefox 3.6.16
  • Chrome 6.0x

That is just a sample of the MOST vulnerable browsers. You can see a full diagram of vulnerable browsers in the graph at the beginning of this section.

So what’s up? Why are you running a 4+ year old browser without NoScript? Now, I realize that some of you were probably spoofing browser headers, like whoever had Firefox 1.0; that’s probably not legit. However, I would wager the vast majority of these results are in fact accurate. It’s also important to note that I filtered out webcrawlers, so each of these is in fact an actual browser (unless of course the crawler is spoofing headers).

Conclusion

Many Linux users apparently just don’t care. If you’re reading this in a state of shock, but can’t remember the last time you updated anything, maybe it’s time to do a …

sudo apt-get update && sudo apt-get upgrade

or

sudo yum check-update; sudo yum update   # ";" rather than "&&": check-update exits 100 when updates are pending

After you’re done with that, maybe you should take a gander at NoScript.

It’s important to understand a couple of things about this data. It was filtered by excluding any non-Linux systems (Android, iPhone, Windows and Apple machines) as well as any browser running NoScript. These are only Linux users. Not all are running Ubuntu; other popular distributions included Fedora, Mint, and Debian.
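For anyone who wants to run the same kind of check against their own access logs, here is an added sketch of the filtering described above; it is not the tooling used for this survey. It assumes the Apache/nginx combined log format, and the MIN_SAFE baselines are placeholders to replace with your own cutoffs. NoScript use is not visible in the User-Agent header and the post does not say how it was detected, so that filter is left out.

```python
import re
from collections import Counter

# Combined log format: client IP is the first field, User-Agent the last quoted one.
LINE = re.compile(r'^(\S+) .*"([^"]*)"\s*$')
BROWSER = re.compile(r'(Chromium|Chrome|Firefox)/(\d+(?:\.\d+)*)')
CRAWLER = re.compile(r'bot|crawl|spider|slurp', re.I)

# Assumption: placeholder baselines, not the cutoffs used for the survey.
MIN_SAFE = {"Firefox": (9, 0), "Chrome": (16, 0), "Chromium": (16, 0)}

def classify(ua):
    """Return (browser, version, is_vulnerable), or None if the UA is out of scope."""
    if CRAWLER.search(ua) or "Linux" not in ua or "Android" in ua:
        return None  # crawlers, non-Linux systems and Android are excluded
    m = BROWSER.search(ua)
    if not m:
        return None
    version = tuple(int(p) for p in m.group(2).split("."))
    return m.group(1), version, version < MIN_SAFE[m.group(1)]

def survey(log_lines):
    """Count distinct (IP, UA) visitors in scope and tally the vulnerable versions."""
    seen, in_scope, vulnerable = set(), 0, Counter()
    for line in log_lines:
        m = LINE.match(line)
        if not m or m.groups() in seen:
            continue  # unparseable line, or a repeat request from the same visitor
        seen.add(m.groups())
        result = classify(m.group(2))
        if result is None:
            continue
        in_scope += 1
        name, version, is_vuln = result
        if is_vuln:
            vulnerable[f"{name} {'.'.join(map(str, version))}"] += 1
    return in_scope, vulnerable

# Constructed sample requests (documentation IP ranges), not data from the survey.
FMT = '{} - - [01/Jan/2012:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "{}"'
SAMPLE = [FMT.format(ip, ua) for ip, ua in [
    ("192.0.2.10", "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.2 (KHTML, like Gecko) Ubuntu/11.10 Chromium/15.0.874.102 Chrome/15.0.874.102 Safari/535.2"),
    ("192.0.2.10", "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.2 (KHTML, like Gecko) Ubuntu/11.10 Chromium/15.0.874.102 Chrome/15.0.874.102 Safari/535.2"),
    ("192.0.2.11", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16"),
    ("192.0.2.12", "Mozilla/5.0 (Linux; U; Android 2.3.4; en-us; Nexus S Build/GRJ22) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"),
    ("198.51.100.5", "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"),
    ("192.0.2.13", "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16"),
    ("192.0.2.14", "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7"),
]]
```

Calling survey(SAMPLE) returns the number of in-scope Linux visitors and a per-version count of those below the baseline; spoofed headers are counted as sent, just as in the survey.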

So, you tell me, why do you think many users are hesitant to upgrade to a more supported and secure browser?
