- 1
- 2
- < previous
Safari uses an external updater that only polls for updates at certain intervals. Microsoft's updates are distributed on the second Tuesday of the month. Those gaps in time between when a vulnerability is publicly disclosed and a person patches is crucial, as they're an open window for an attack.
The problem with lax patching falls squarely on the shoulders of the application vendors -- users often simply can't visually tell if their browser needs to be upgraded, Frei said.
He advocates software vendors take a cue from the food industry and put an "expiration date" right on top of the browser to let people know the browser's state. For example, a warning could appear beside the address bar: "145 days expired, three patches missing"
"It's a non-technical suggestion," Frei said. "How can you expect people that they run the update if they don't even know? We think it's the same as having a speed limit on a highway."
Even search engine companies such as Google could display the same warning above search results, as the browser version is transmitted to its servers when someone performs a query, Frei said.
Alternatively, security companies could make application version scanning part of their consumer products, which they have done for some enterprise-level software, Frei said.
But the problem of out-of-date browsers pales in comparison to the quagmire of plug-ins, which add extra functionality to the browser, such as Adobe's Flash and Apple's QuickTime multimedia program.
On average, people have between six to 10 plug-ins, many of which come from different vendors with different patching regimes and schedules, Frei said.
"The browser is the bread, and even if the bread is fine, if the ham is rotten, you have a problem," Frei said.
Just one software vulnerability in a plug-in can put a person's PC in danger. Frei is proposing that an organization such as a national Computer Emergency Response Team create a service where browsers can verify if it has the latest version of a plug-in.
Besides Frei, the study was also conducted by Thomas D'bendorfer of Google, Gunter Ollmann of IBM Internet Security Systems and Martin May from ETH. The study will be presented at the Defcon security conference next month in Las Vegas.
- 1
- 2
- < previous
Read up on the latest ideas and technologies from companies that sell hardware, software and services. IT Service Management Needs and Adoption Trends: An Analysis of a Global Survey of IT Executives
Controlling storage costs with Oracle database 11g
How to improve employee productivity in small and medium businesses
Solve Exchange Mailbox Storage Issues Once and for All
Everything you need to know about email and web security (but were afraid to ask)
Taking On Demand CRM Integration to the Next Level
Email Archiving Implementation: Five Costly Mistakes to Avoid
Email Archiving 101—Customer Case Study
Zones provide focussed content from Computerworld and leading technology partners.
Discover how SOA can create smarter outcomes for your business.
Attend and learn:
- How SOA is helping leading companies to become more agile
- Where you should be applying SOA processes in your company
- The top SOA implementation mistakes to avoid
Click here for more information.
- +
Computerworld Live Podcast #98: The Future of Datacentre IP 18/12/2008 10:33:00
CW Live speaks withLin Nease, Director of Emerging Business for HP ProCurve, to discuss the future of networks, including the effect of IP-based storage on datacentres, new capacity requirements generated by the use of 10Gb Ethernet, and how an efficient network design can slash energy and cooling costs, and help enterprises build a "green" image. - +
Computerworld Live Podcast #97: The Future of Enterprise Networking 25/07/2008 09:45:36
This week CW Live chats with Mark Thompson, global sales and marketing manager for HP ProCurve, on the future of the enterprise networking. Mark discusses the trends we can expect to see in the near future and how the right infrastructure can ensure your enterprise network is secure. - +
Computerworld Live Podcast #96: Security at the Edge 11/06/2008 09:22:22
CW Live speaks with Amol Mitra, HP ProCurve Director of Marketing for Asia Pacific and Japan. Today's topic: how enterprises are starting to shift away from simply controlling security via server logins, firewalls and moving to more adaptive security frameworks. - +
Data Management Edition #10: Multi-Petascale Systems 02/05/2008 09:12:33
This week we look at sustainability and the development of multicore technologies to build multi-petascale systems. - +
IT Security Edition #11: How to poison the Storm botnet 01/05/2008 08:51:55
This week CW Live presents a case study on how to poison the notorious Storm botnet . Plus we take a look at Cisco's plans for Ironport.
IT industry veteran advises caution on outsourcing selection in light of Satyam problems 2009-01-09 21:45:00+11
F-Secure Warns About a Worm Affecting Corporate Networks 2009-01-08 16:42:00+11
Research software developer appoints Susan Dart to new Business Development Director role 2009-01-08 09:08:00+11
Research software developer appoints Susan Dart to new Business Development Director role 2009-01-08 09:08:00+11
Anyware Introduce Two Powerful PCI TV Tuner Cards with S5 Power Up and Windows Media Center Remote 2009-01-07 17:30:00+11
Gaining Competitive Advantage Through Enterprise Planning
No matter how good its products or innovative its services, no organization can perform to its full potential without an adequate planning structure in place. Discover how this can be done by reading on.
