Authors include Gunter Ollmann of IBM ISS.

Access to Google’s global Web server logs enabled the authors to provide the first in-depth global perspective on the state of insecurity for Web browser technologies. Understanding the nature of the threats against Web browser and their plug-in technologies is important for continued Internet usage. As more users and organizations depend upon these browser technologies to access ever more complex and distributed business applications, any threats to the underlying platform equate to a direct risk to business continuity and integrity.

By measuring the patching processes of Web browser user populations, we have been able to identify the potential global scale of Web-based malicious exploitation of browser technologies and prove how existing mechanisms such as Firefox’s auto-update can outperform more complex and less timely solutions.

Based on direct measurements of the adoption of new Web browser updates based upon available USER-AGENT major and minor browser software version numbers, and by combining that data with Secunia’s latest PSI local-host scanning results for plug-in patch adoption (even though sample sizes are radically different), we quantified the lower bounds of the Web browser population vulnerable to attacks through security weaknesses.

Unfortunately, just like a floating iceberg, we were only able to measure and accurately estimate the tip above the water.