Date: Tue, 1 Jul 2008 13:02:38 -0700
From: "Rob Thompson" <my.security.lists@...il.com>
To: "Larry Seltzer" <larry@...ryseltzer.com>
Cc: "Stefan Frei" <stefan.frei@...hzoom.net>,
	bugtraq@...urityfocus.com
Subject: Re: New Paper: More than 600 million users surf at high risk

On Tue, Jul 1, 2008 at 12:31 PM, Larry Seltzer <larry@...ryseltzer.com> wrote:
> From your paper:
>
>>>It is noteworthy that it has taken 19 months since the initial general
> availability of IE7 (public release October 2006) to reach 52.5%
> proliferation amongst users that navigate the Internet with Microsoft's
> Web browser. Meanwhile, 92.2% of Firefox users have migrated to FF2.
>
> Could this be due to the fact that Mozilla stops supporting, and issuing
> updates for old versions just a few months after the release of a new
> one?

Or could it be due to the fact that IE7 is not supported by a bunch of
vendors and businesses are not comfortable upgrading?

Kind of like Vista???

>
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blogs.pcmag.com/securitywatch/
> Contributing Editor, PC Magazine
> larry.seltzer@...fdavisenterprise.com
>
>
> -----Original Message-----
> From: Larry Seltzer
> Sent: Tuesday, July 01, 2008 3:26 PM
> To: 'Stefan Frei'; bugtraq@...urityfocus.com
> Subject: RE: New Paper: More than 600 million users surf at high risk
>
> A reply from Robert Hensing at Microsoft
> (http://blogs.technet.com/robert_hensing/archive/2008/07/01/vulnerable-web-browser-study-full-of-fail.aspx)
> says that your study did not include minor version information for
> Internet Explorer, probably because such information is not reported in
> the user-agent string. But fully-patched copies of IE5 and IE6 are not
> insecure in the same way as an unsupported version; Microsoft is still
> supporting them.
>
> So is it true that your study calls anyone running IE7 secure, and
> anyone running IE5 or IE6 insecure, regardless of their patch levels?
>
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blogs.pcmag.com/securitywatch/
> Contributing Editor, PC Magazine
> larry.seltzer@...fdavisenterprise.com
>
>
> -----Original Message-----
> From: stefan.frei@...il.com [mailto:stefan.frei@...il.com] On Behalf Of
> Stefan Frei
> Sent: Tuesday, July 01, 2008 11:40 AM
> To: bugtraq@...urityfocus.com
> Subject: New Paper: More than 600 million users surf at high risk
>
> Hi List,
>
> For the last 18 months we analyzed the daily USER-AGENT data collected by
> Google's Web search and application servers around the world to study
> how users patch and update their Web browsers.
>
> We came out that approximately 637 million (or 45.2 percent) users
> currently surf the Web on a daily basis with an out-of-date browser -
> i.e. not running a current, fully patched Web browser version.
>
> And this is only the tip of what we call the "Insecurity Iceberg", not
> counting all the vulnerable browser plug-ins.
>
> One of the new concepts we came up with for combating the inadequacies of
> Web browser patching was that of applying the food industry's "Best
> Before" date to the Web browser and its plug-ins.
>
> Paper:
> Understanding the Web browser threat:
> Examination of vulnerable online Web browser populations and the
> "insecurity iceberg"
>
> Authors
> - Stefan Frei, Communication Systems Group, ETH Zurich, Switzerland
> - Thomas Duebendorfer, Google Switzerland GmbH
> - Gunter Ollmann, IBM Internet Security Systems, USA
> - Martin May, Communication Systems Group, ETH Zurich, Switzerland
>
> Paper Download:
> http://www.techzoom.net/insecurity-iceberg
>
>
>
> Regards
> Stefan Frei
>
>
>



-- 
Rob
