New research from Kaspersky reveals that 34% of Firefox users do not have the latest version of the browser installed. In addition, when a new version of Firefox is released, it takes 27 days for the majority of users to make the upgrade.
Given that Mozilla release a new version of Firefox every 6 weeks, most users are only just managing to upgrade to the (more secure) latest version before another new version is released…
As cybercriminals can move to exploit known browser vulnerabilities within hours, most Firefox users are therefore at (unnecessary) increased risk for 4 weeks out of every 6.
Comparison With Other Browsers – If 34% of Firefox users are at risk from an outdated browser, how does that compare with users of major rivals, Chrome and IE?
- Chrome – only 20.3% of do not have the latest version installed – a much smaller percentage than Firefox users.
- IE – only 19.8% of users do not have the latest version (IE9) installed – however, if you include IE8 (the latest version available for XP), then that percentage drops to just 3.9%
IE users come out top for using the latest version. Chrome users are a close second whilst Firefox users (34%) appear to lag way behind. It is also worth considering to what extent an outdated browser is actually an obsolete browser – are users who do not have the latest version just late in updating from the previous version or are they months out of date? Kaspersky define obsolete browsers as all those before the previous version.
The research data is from August 2012 so, at the time of the study, the following were considered obsolete: Firefox 13 and earlier, Chrome 19 and earlier, IE7 and earlier.
- Chrome – obsolete versions were used by 4.9%
- IE – obsolete versions were used by 3.9%
- Firefox – obsolete versions were used by 22.7% (even worse, 10% were using Firefox 9 or earlier so are at least a year out of date)
Once again, IE and Chrome have very few users of obsolete versions whereas more than a fifth of Firefox users are stuck on an obsolete browser which is both outdated and insecure.
Firefox ESR Exception? Firefox does offer an annual ESR (Extended Support Release) version aimed at organizations who do not want to upgrade every 6 weeks – this is currently Firefox ESR 10. Although ESR 10 may not include all the latest features, it does include regular security updates so it cannot be considered obsolete or outdated. It is unclear from Kaspersky’s study whether their figures for ‘obsolete’ versions (Firefox 13 and earlier) include ESR 10.
However, in the study, Firefox 10 only accounts for 1.9% of users anyway – even if the study does not differentiate between ESR and standard Firefox 10 users, the total percentage of users with an outdated Firefox could only be a maximum of 1.9% higher than it ought to be.
Why Are So Many Firefox Users Lagging Behind? There could be many reasons (e.g. they prefer the older user interface) but a major cause must be the fact that Firefox makes it so easy to disable automatic updates…
- Chrome provides no option in the user interface to disable automatic updates (it is possible via a registry tweak).
- IE provides no option in the user interface to disable automatic updates. It receives updates from Windows Update which is set to update automatically by default.
- Firefox does provide a simple option to disable updates in the user interface – via Tools \ Options \ Advanced \ Update as shown below:
Giving users a simple way to disable Firefox updates is a security risk – it may explain why 34% of them are still using an outdated or obsolete version. To improve security, Mozilla should remove this option and reset updates to automatic – power users could probably use a manual workaround whilst users who do not like 6 weekly changes could switch to the ESR version for annual updates.
Are you using the latest version of Firefox – if not, why not? Let us know in the comments.