Users of Apple's Safari and the Opera browser are most likely to be using unpatched versions.
A report by researchers at Google Switzerland and the Swiss Federal Institute of Technology, found that the Google Chrome web browser was the most likely to be up-to-date due to its ‘silent' update every five hours.
The report's authors, Thomas Duebendorfer and Stefan Frei, claimed that after 21 days of releasing Google Chrome 18.104.22.168, a 97 per cent share of active Google Chrome 1.x users were using the latest Google Chrome 1.x version. This, the authors wrote, was ‘by far the best update effectiveness measured for any of the four investigated web browsers.'
The report was less complimentary about Safari and Opera, claiming that as Safari is updated through Apple's ‘Software Update' service integrated in OS X, the user can choose to check for updates daily, weekly, monthly or not at all. When updates are available, the user is prompted to initiate the download and get them installed.
The report said: “During an update, affected applications sometimes have to be closed, which is an annoyance to users. After installation of the update, the next time Apple Safari is started, the new version will be used.”
Meanwhile the report claimed that even though Opera checks for updates every week and notifies the user when a new update is available, the update process involves a user being forwarded to the Opera download website, where the update follows the same procedure as if the user were to install Opera for the first time.
The report said: “This update procedure requires serious user activity and typically about ten user decisions on different dialogs, such as choosing the install/update location, clicking the licence agreement, closing the active browser, etc.”
In conclusion of patching strategies, the authors said: “Based on our measurements and the evolution of the threats towards end-users we suggest that software vendors release patches for attack exposed applications, such as web browsers and plug-ins, as soon as they are available - while keeping a patch schedule for less attack exposed applications. We believe that there is room for a better trade-off to benefit overall security.”
Finally the authors concluded that ‘all in all, the poor update effectiveness of Apple Safari and Opera gives attackers plenty of time to use known exploits to attack users of outdated browsers.'