A few days ago I saw a report on cross-platform browser security, and the fact that a large percentage of the browsers people are using are insecure regardless of their underlying OS. The assumption that Windows is the malware magnet was widened out to include OS X and Linux. It focused on plugins and add-ons not being updated and patched frequently. While that's valid, it raises other points.
It seems like another piece aimed at downplaying Microsoft's unique position as the undisputed market leader in malware compatibility, but it's a bit of an own goal. Bugs and flaws are in all software, open or closed. Software does need to be regularly updated to stay as secure as possible, open or closed. Any vulnerability found and not (yet) patched leaves the system exposed to whatever an exploit for it can do, open or closed.
When software vendors stop supporting older versions of their products and charge for newer versions, it means that people who either can't afford to upgrade, or don't see any extra value in upgrading, just won't. If that means they're vulnerable to being recruited into a botnet which attacks the rest of us, they are part of the problem.
Plenty of those plugins are ubiquitous, in that almost every browser has them or their functionality, like Flash Player, but due to their creators' licensing terms they can't be built in properly and distributed with the browsers. They are forced into being third-party add-ons.
With open-source software, you can easily say to someone "Firefox 2 is no longer supported, you need to remove it and install the latest Firefox 3.6", and money never has to factor into the decision. "Microsoft Office Word XP isn't being patched to prevent X exploit, you'll have to go get Microsoft Office 2010" involves forking over a LOT of cash, and often has the cascade effect of "not supported in this version of Windows, you need to go buy the new version of Windows too", which can cascade down through the various applications you use. Proprietary software companies use EOL (End Of Life), abandoning support, as a stick to push people into forking over more cash for new versions of their software; the last thing they want is to give up that stick.
Again, those who can't afford to splash out for Microsoft Office 2010 are left with an unpatched Microsoft Office XP, either knowing or not knowing that the exploit is being increasingly used by people who seek to harm them and their data. Constantly changing proprietary file formats are another stick used to force people to splash the cash for little to no benefit, where a .doc saved by one version won't open in another version of Microsoft Office Word.
The alternative people use is to just download illegal versions from BitTorrent or newsgroups. Those versions may or may not be clean, which also means they can unwittingly become part of the botnet problem affecting the rest of us.
Keeping software up to date is partly about end-user education, like regular backups; it's also partly about removing the barriers to doing it. When the underlying OS is so disparate that the end user has to remember to click through lots of different update processes, it fails the "ease of use" test. This is where Linux shines: the package manager / repository model, now being adopted with the paid options as an "app store" model, works very well. It's simple, elegant and user friendly. With a couple of clicks the user can check and update their whole system.
I've lost count of the number of times in Windows where I haven't used a particular application in a while, only to find I get some error because it should have been updated a while back, and I have to detour from what I was trying to do, to update the application. When the software system is centralised this doesn't happen.
It's also much easier to educate a user to remember to do a few clicks once per week than to educate them to spend an hour clicking through lots of wizards each week. The harder or more time consuming it is, the less likely people are to actually do it regularly, which means they are making their systems more insecure through lack of proper maintenance. Their lack of action is a direct consequence of the system being badly designed, however; the blame should go to the people who thought a time-wasting, backwards system was an efficient use of people's time.
Like any agreement, both parties have to move towards each other. If you make software that's easy to use and keep patched, you are moving towards the end user; it's therefore acceptable to expect them to move towards you by learning to do a basic maintenance routine. If you don't move towards them, you can't expect them to move towards you. The result is "no deal", which in the case of software security means always being insecure and putting their private data at very real risk.
As a supporter of Creative Commons, the contents of this site are licensed under a Creative Commons CC-By-SA 3.0 Unported license. This means you're allowed to copy, distribute, transmit, adapt and make commercial use of the work under certain conditions.
- Attribution - You must attribute the work in the manner specified by the author or licensor (but not in any way that suggests that they endorse you or your use of the work).
- Share Alike - If you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one.