New Browser Security Paper: Why Silent Updates Boost Security
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: New Browser Security Paper: Why Silent Updates Boost Security
- From: Stefan Frei <stefan.frei@xxxxxxxxxxxx>
- Date: Tue, 5 May 2009 23:46:23 +0200
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:sender:received:date :x-google-sender-auth:message-id:subject:from:to:content-type :content-transfer-encoding; bh=dn0aKl3OCY2vMzTJEJpQTRQKxhIVHTZjKE/akntU4ok=; b=qPevmKx6muYXQCHMUb6cLU9Oc62gzME7fo19yL4f2EDgy7dA0qebCOswpwDTa1jS7i gyykUqQCqlvW6CVXZavjwBgyOoAXGeFlR+WGybDDF6rbqohOK100CtUvw/K6JoRlx2ms nXu+tnsLLoCjHgePS1XBZISzNk/75gs+U97PI=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:date:x-google-sender-auth:message-id:subject :from:to:content-type:content-transfer-encoding; b=xWbetG8DSJRLfu83vL+c0Mso/EcyoDWa2dr/7eoyfsBRahtNKclMyDSEWOEThUlxts YfeFswmNidH+BNamCpByZaZN62QHk3RSKN47VMXO06SUSmsTaPJIZRkfC6rdtxgCgnUm c0bfFCgapN1UXmw+oH9mvmBhMFL4/uXFKBd4w=
- List-help: <mailto:bugtraq-help@securityfocus.com>
- List-id: <bugtraq.list-id.securityfocus.com>
- List-post: <mailto:bugtraq@securityfocus.com>
- List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
- List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
- Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
- Sender: stefan.frei@xxxxxxxxx
Dear all,
with research colleague Thomas Duebendorfer from Google in Zurich I've
finally had a chance to look deeper into the performance of Web
browser update mechanisms. The analysis of anonymized Google Web
server logs allowed us to compare and rank the update strategies
deployed by
Google Chrome, Mozilla Firefox, Apple Safari, and Opera. We found
considerable differences in the performance of the update techniques
deployed by each browser by measuring the share of the latest minor
version within the same major version during the first 21 days after
its release.
Chrome topped with 97% share after 21 days, followed by Firefox 85%,
Safari 53%, and Opera 24%.
However, during the first 5 days after a new release Firefox
outperformed all the others.
The paper discusses the findings and provides empirical data to
evaluate different update strategies.
Paper: Why Silent Updates Boost Security
Abstract:
In this paper we analyze the effectiveness of different Web browsers
update mechanisms; from Google Chrome's silent update mechanism to
Opera's update requiring a full re-installation. We use anonymized
logs from Google's world wide distributed Web servers. An analysis of
the logged HTTP user-agent strings that Web browsers report when
requesting any Web page is used to measure the daily browser version
shares in active use. Our measurements prove that silent updates and
little dependency on the underlying operating system are most
effective to get users of Web browsers to surf the Web with the latest
browser version. However, there is still room for improvement as we
found. Google Chrome's advantageous silent update mechanism has been
open sourced in April 2009. We recommend any software vendor to
seriously consider deploying silent updates as this benefits both the
vendor and the user, especially for widely used attack-exposed
applications like Web browsers and browser plug-ins.
Authors:
- Thomas Duebendorfer, Google Switzerland GmbH
- Stefan Frei, Communication Systems Group, ETH Zurich, Switzerland
Paper Download:
http://www.techzoom.net/silent-updates
Paper Blog
http://blog.techzoom.net/2009/05/silent-updates-vs-loss-of-control.html
Cheers
Stefan Frei & Thomas Duebendorfer