Firefox (In)Security Update Dynamics Exposed

Stefan Frei Thomas Duebendorfer Bernhard Plattner stefan.frei@ thomas.duebendorfer@ plattner@ tik.ee.ethz.ch google.com tik.ee.ethz.ch Swiss Federal Institute of Technology (ETH) / Google Switzerland GmbH Zurich, Switzerland http://www.techzoom.net/risk

ABSTRACT access the computer of the end-user or to install any kind Although there is an increasing trend for attacks against of monitoring software on it. Our key idea is to exploit the popular Web browsers, only little is known about the actual information in the HTTP user-agent string in order to mea- patch level of daily used Web browsers on a global scale. sure the distribution and evolution of the patch level of the We conjecture that users in large part do not actually patch Firefox population. This information is readily available in their Web browsers based on recommendations, perceived the log files of most Web servers. For this research we ana- threats, or any security warnings. Based on HTTP user- lyzed anonymized log files of Google’s search and application agent header information stored in anonymized logs from servers, covering 75% [10] of the world’s Internet users for Google’s web servers, we measured the patch dynamics of more than a year. We measured the distribution and dy- about 75% of the world’s Internet users for over a year. Our namics of major and minor version updates in the Firefox focus was on the Web browsers Firefox and Opera. We population. We focused on Firefox as this is the most pop- found that the patch level achieved is mainly determined by ular browser with detailed version information available in the ergonomics and default settings of built-in auto-update the HTTP user-agent string. Internet Explorer only reveals mechanisms. Firefox’ auto-update is very effective: most the major version of the browser, which does not reflect users installed a new version within three days. However, the patch level. The main contributions of this paper are the maximum share of the latest, most secure version never the presentation of a new measurement methodology and exceeded 80% for Firefox users and 46% for Opera users an analysis of the update process of a large population of at any day in 2007. This makes about 50 million Firefox Firefox users. Firefox’ auto-update mechanism is found to users with outdated browsers an easy target for attacks. Our be very effective when enabled: most users update to a new study is the result of the first global scale measurement of version within three days. However, the maximum share of the patch dynamics of a popular browser. the latest most secure version of Firefox never exceeded 80% at any day throughout 2007. The maximum share of the latest minor versions is limited by the much slower migra- Categories and Subject Descriptors tion speed between major versions of the same Web browser. C.4 [Measurement techniques]: Miscellaneous Compared with Opera, another free browser with a different ; C.2.3 [Network monitoring]: Security update strategy, we found that the design and ergonomics of the update mechanism plays a key role for good patch per- General Terms formance. We found that the severity of a vulnerability has no measurable influence on the patch adoption speed. Fur- Security, Measurement ther more, the end-of-life (EOL) of a Web browser version has a much smaller effect on the migration to the next ver- Keywords sion than bundling the software with a new operating system Web browser, Update version. In large part users are not immediately reacting if new security vulnerabilities are disclosed. 1. INTRODUCTION Web browsers are the most frequently used client applica- 2. RELATED WORK tion in the Internet. There is an increasing threat from To measure patch adoption rates, Qualys analyzed the re- attacks that take advantage of vulnerabilities in popular sults from over 30 million scans of their vulnerability scan- browsers such as Internet Explorer or Firefox. A visit to ning service. Qualys distinguished between external (Inter- a single malicious Web site with an unpatched browser is net facing) and internal machines and calculated how long it enough to get compromised. Such drive-by download at- takes on average to patch against a known vulnerability. In tacks potentially result in millions of infected computers. In their paper “Law of vulnerabilities” [16] they find the half- 2007, Google has found more than three million malicious life of vulnerabilities to be 19 days on external and 62 days Web sites that initiate drive-by downloads [14]. on internal systems. Secunia reports patch level statistics How can we measure the patch level of a large population of Web browsers as a by-product of their Personal Software of Internet browsers without access to millions of end-user Inspector (PSI) [17], a vulnerability scanning tool. Based on computers? In this paper we present a new methodology the analysis of 200,000+ installations of PSI, Secunia found to measure the patch level of Firefox without the need to that 5.19% of Firefox, 11.96% of Opera, 9.61% of Internet

ACM SIGCOMM Computer Communication Review 17 Volume 39, Number 1, January 2009

Explorer (IE) 6, and 5.4% of IE7 installations miss recent Explorer, Safari, and Opera. In sum, all other user-agent security updates. However, this data reflects the state of strings accounted for less than 1% of the share and were users that deliberately installed a security tool, a minor and mostly attributed to non mainstream browsers, mobile de- biased part of the global population of browser users. In our vices, automated tools, and proxies. approach we exploit the information a browser transmits in the HTTP user-agent [2, 4] string with every page request. 4. MAJOR VERSION DYNAMICS The user-agent string usually identifies the type of browser, To assess the dynamics of Firefox (FF) major and minor the operating system used and the patch-level. Using our updates we first measure the transition between the most methodology and Secunia PSI data we analyzed the global recent major versions within our observation period. The vulnerable Web browser problem in [5] and found the share migration to the next major version of a browser usually of insecure Web browsers used to daily surf the Internet to requires a manual installation. Minor version updates are be 45%. To date the user-agent information is mainly used highly automated, depending on the type of browser. For to determine market shares of different browsers or operat- comparison, we also measure major version migrations of ing systems. The sample size of these measurements and the Microsoft’s Internet Explorer (IE), Apple’s Safari (SF), and numbers published vary considerably between the sources [7, Opera (OP). Mozilla released FF2 in October 2006. There 9, 13, 18]. Meanwhile attackers are known to use the user- were 13 updates of minor versions for FF2 and three up- agent string not for measurement but for precise exploit tar- dates for FF1.5 released in our observation period from Jan- geting [1, 12] and code injection [11]. Our method allows us uary 2007 to April 2008. In the same period, Apple re- to measure the patch adoption rate of Firefox users on a leased the new major version 3.x of its Safari browser. How- global scale, based entirely on Web server log files. Further, ever, Microsoft (IE7) and Opera (OP9) released their most our measurement is not biased as no specific user interac- recent major versions before our observation started and tion is needed. To the best of our knowledge, this is the first Google’s Chrome browser and Mozilla’s Firefox 3.0 were re- paper to exploit the information of the user-agent string to leased thereafter. measure the Web browser patch adoption rate of end-users In Figure 1 we plot the evolution of the shares of the ma- on a truly global scale. jor versions of these browsers relative to the total share of a given type of browser (all versions). Table 1 lists the release 3. METHODOLOGY dates of major versions of these browsers. For all browsers A Web browser sends the user-agent string in the HTTP we observe a high frequency component on top of the much protocol header with every request for a Web page. This slower migration rate between major versions. This compo- string contains the type and version of the browser and the nent is most pronounced in IE. We call this high frequency type of operating system the browser runs on [2, 4, 8]. To component the weekend-effect, as its periodicity follows ex- measure the number of unique browser installations active actly the weekly workday/weekend pattern throughout the on a given day we needed a way to reliably remove dupli- year. It can be explained by different preferences of end- cates resulting from multiple visits to a Web site. Relying on users for major browser versions at work during the week the client’s IP address is not sufficient as a large user base and at home on the weekend. For example, IE7 consistently surfing behind proxies is seen through a single IP address has a higher share at the weekends than during working only. For our study we relied on Google’s PREF cookie to days while the opposite is true for IE6. This relation is eliminate duplicate visits by the same browser. We ignored distorted over Christmas at the end of the year, support- the small fraction of browsers that disabled cookies due to ing our interpretation. Since the end of December 2007 we restrictive user settings. We also ignored the small possi- observe a greater amplitude in the weekly pattern of IE6 bility of cookie id collisions and the effect of users deleting and IE7. This could be explained with a sizable part of the cookies manually. While Google offers its Web search also IE population migrating over Christmas to new comput- anonymously without requiring cookies, by default users al- ers having Windows Vista and IE7 pre-installed. We find low cookies to remember their preferences. To protect user’s the weekend-effect for all major versions within the Firefox, privacy, Google was the first search engine to publicly com- Internet Explorer, Safari, and Opera population. Interest- mit back in 2007 to anonymize cookies and IP addresses in ingly, we also found a cross vendor weekend-effect between logs after 18 months and to shorten the cookie expiration Firefox and Internet Explorer, with Firefox being preferred time to two years. In September 2008, Google announced over the weekend at the cost of Internet Explorer share [6]. to anonymize logs already after 9 months. Some browsers On May 30th, 2007, FF1.5 reached the end-of-life (EOL) and browser extensions allow the user to modify the infor- and Mozilla delivered the last security patch for FF1.5. Sup- mation in the user-agent string and there are Web spider port should have ended in April but Mozilla extended the tools that impersonate a widespread browser for compatibil- lifetime of FF1.5 in order to put in place a mechanism to al- ity. There are also some proxies that change the user-agent low FF1.5 users to upgrade to the latest FF2 release as soon string. Based on the observed dynamics of this research we as the upgrade package is available. This delivery mecha- expect this effect to be small. We continuously analyzed nism was included in version 1.5.0.12, the last update for Google’s Web server log data from January 2007 to April FF15 on May 30th. Alternatively, users could manually up- 2008 with typically three samples per week, namely Mon- grade to FF2 any time using Mozilla’s download Web site. day, Wednesday and Saturday (Pacific time zone GMT-8). The impact of the EOL on the shares of FF2 and FF1.5 on Starting Oct 10th, 2007 we used daily statistics. May 30th is visible but smallish. Relatively few users chose The parser was implemented as a MapReduce [3] that to manually upgrade to FF2 as a result of the EOL of FF1.5. ran on hundreds of machines and processed more than a The release of the package to automatically upgrade FF1.5 year of anonymized Google Web server logs. It identified to FF2 on June 29th, 2007, has a much bigger impact as and counted known user-agent strings for Firefox, Internet seen in Figure 1. FF2 surpassed the combined share of FF1

ACM SIGCOMM Computer Communication Review 18 Volume 39, Number 1, January 2009

Firefox Internet Explorer

IE6 FF2 share share

FF15 IE7

FF1

2007−03−01 2007−06−01 2007−09−01 2007−12−01 2008−03−01 2007−03−01 2007−06−01 2007−09−01 2007−12−01 2008−03−01 date date Safari Opera

SF2 OP9 share share

SF1 OP8

SF3

2007−03−01 2007−06−01 2007−09−01 2007−12−01 2008−03−01 2007−03−01 2007−06−01 2007−09−01 2007−12−01 2008−03−01 date date

Figure 1: Percentage of major versions of the Firefox (FF), Internet Explorer (IE), Apples Safari (SF), and Opera (OP) browser over one year. 100% is the total of all versions of the respective browser. Major versions below 1% are omitted for clarity. and FF1.5 at the end of January 2007, about 15 month after Browser Version Released its initial release (FF1.5 is considered as a major release). Internet Explorer 6.0 2001-08-27 Throughout our observation period, Microsoft supported Internet Explorer 7.0 2007-10-18 both IE6 and IE7. We found no major discontinuities in Firefox 1.0 2004-11-09 their adoption rate. In March 2007 IE7 surpassed the share Firefox 1.5 2005-11-29 of IE6, 18 month after its initial release. Firefox 2.0 2006-10-24 Apple released the first public beta of their Safari browser Safari 1.0 2003-06-23 SF3 for Mac and Windows users on June 11th, 2007, which Safari 2.0 2005-04-19 correlates with the first large increase in the SF3 share at Safari 3.0 2007-10-26 the cost of SF2. Apple seems to have an enthusiastic beta Opera 8.0 2005-04-19 tester community that readily adopted SF3 beta (gaining Opera 9.0 2006-06-20 almost 10% in 3 days). Bundled together with Apple’s new operating system Mac OS X Leopard (10.5), SF3 increases Table 1: Release of major browser versions. its market share on October 26th, 2007. However, the fastest We find that bundling browser updates with existing auto- rise in SF3 market share starts on November 16th, 2007, mated update mechanisms has a major impact on migration when SF3 is bundled with an update of the then prevalent speed. Upgrading to the next major version of a browser Mac OS X Tiger (10.4). software is often intentionally delayed due to compatibility SF3 surpassed the share of SF2 in the last days of Novem- issues with critical e.g. intranet applications. ber 2007, which is very fast compared with 18 and 15 months for IE and FF respectively. However, in contrast to IE and FF, the share of SF1 was still above 10% at that time. The 5. MINOR VERSION DYNAMICS Opera community is only slowly migrating to the next major In Figure 2 we plot the detailed update dynamics of minor version. More than 18 months after the release of OP9 we versions of the free browsers Firefox and Opera released in still found more than 10% share of OP8, which is no longer 2007. We compare Firefox and Opera because both browsers supported. are available for free, both are capable to run on multiple operating systems, and both are independent of any operating system vendor. Both browsers provide minor version infor-

ACM SIGCOMM Computer Communication Review 19 Volume 39, Number 1, January 2009 ACM SIGCOMM Computer Communication Review rmF . oF .,a hw nFgrs1ad2 Minor 2. and 1 Figures in shown as 2.x, ( FF versions to 1.x FF from n h hr ftems eetvrinstrtsa about population Firefox at users the saturates by Opera achieved version level for recent the days most below well 11 the 40%; about of share is the phase the and average rise On initial Firefox. fast i to adoption first compared initial Opera the for the However, distinct slower two much within rate. observe adoption dynamics we the Firefox, in update phases with the As to population. There difference Opera versions. striking minor frequency a of high dynamics a is as update visible the Fire- also in of is oscillation weekend dynamics The the dominate updates. clearly fox time) any at version at hratrteaoto aei iie ytemuch the by limited equally is share users rate of loses adoption migration version after slower the days minor Thereafter 3 last within the fast. patch while new release a slower its installed much both users a fast, We for of by adopt followed users majority rate users. Firefox rise by adoption thereafter. initial installed adoption the fast continuing is very of it a regimes time browsers: distinct the availability two and the update found Explorer. between new Internet delay a unlike the of measure string, we user-agent Essentially, the in v mation all of total the is days. 100% 30 (right). before days replaced 30 got first the for version iue2: Figure ees fnwmnrversions. minor new of release share share

070−120−70 2008−01−01 2007−07−01 2007−01−01 0.0 2008−01−01 0.2 0.4 0.6 2007−07−01 0.8 1.0 2007−01−01 0.0 0.2 0.4 0.6 0.8 1.0 N Left: n ( and ) 2.0.0.2 2.0.0.3 Opera minorversiondynamics ecnaeo io eso pae o ieo n pr in Opera and Firefox for updates version minor of Percentage N 9.20 − Firefox minorversions )(ih( (with 1) ewe ao versions major between 2.0.0.4 9.21 date date 2.0.0.5 N 9.22 2.0.0.6 Right: en h otrecent most the being ) 9.23 2.0.0.7 ecnaeo h hr omlzdt h ees date release the to normalized share the of Percentage 2.0.0.8 9.24 2.0.0.9 2.0.0.10 fFirefox of 2.0.0.11 9.25 the s . 20 share share ayue eiin n oeta e clicks. ten than requirin more typically and browser, decisions the man- user complete of many a of install as and update procedure download An same ual rights. the a essentially administrative with is with updated Opera run be if can click Firefox single auto-update browser. the the of ergonomics of and functionality rat design adoption dif- the initial no by the risk governed is that low is conclude and there We high between E.g. updates. rate security adoption Opera. patch and be the Firefox in risk ference security for the both of fixed, independent adoption ing is the versions that minor revealed of measurement rate Our issues. curity i e esosi 2007, in versions new rele Opera six vulnerabilities. security address versions new byln fe h ees fvrin( version of release the after long ably dioisfrFrfxadrlae e e io versions minor new ten released and 2.0.0.2 Firefox for advisories insecur older, is a to browser. stick that versions their users means of older Opera This versions the these of population. of part Opera considerable share the within of slow loss very further decay, fast 0.0 0.2 0.4 0.6 0.8 1.0 0.0 0.2 0.4 0.6 0.8 1.0 n20,teMzlaFudto ulse 9security 39 published Foundation Mozilla the 2007, In ute,odrvrin ( versions older Further, 01 02 30 25 20 15 10 5 0 01 02 30 25 20 15 10 5 0 rin ftersetv rwe.Sm versions Some browser. respective the of ersions to 2.0.0.11 Dynamics 0−30daysafterrelease Dynamics 0−30daysafterrelease Firefox 0to30days Opera 0to30days days sincerelease days sincerelease ftebosrF2 ih fteeten these of Eight FF2. browser the of 07 etcllnsdpc the depict lines vertical 2007, 9.20 N Volume 39, Number1,January 2009 − to 1 N , 9.25 − l fwihfi se- fix which of all , 2 N .. , .Atra initial an After ). t ess remark- persist ) 0 = ftenew the of ased g e e - ACM SIGCOMM Computer Communication Review ed ob ntle rt hc nrdcsaba nthe in bias a introduces which first, measured. installed that population agent be fact software a to the the on of to needs relies cooperation attributed measurement any Secunia’s need be not user. can does difference mentioned measurement our This as that [17] 2. times (PSI) Section four Inspector in Software about wit remained Personal an found Secunia Opera their indicate what 11th than for 2007. numbers populatition April vulnerable share in These larger on browser day 9.20 35%. any secure Opera below on most of Opera the release the for 2007, after 46% worse, and Even Firefox for with the 80% relation version the show browser in that web plots secure found browser most These We either cycle. of of 3. update close-up risk Figure the a increased in Opera of 2007 for of periods and half year second whole the the plot we Firefox hr ftems eue( otrcn)bosrversion browser recent) most daily (= the secure measured we most extent ( exposure the the assess risk of To this share of browser. evolution their and of version outdated an DYNAMICS INSECURITY 6. N n sr r xoe oscrt ik hnsrn with surfing when risks security to exposed are users End o ieo n pr hogotteya 07 For 2007. year the throughout Opera and Firefox for ) epciebosrshare. browser respective iedpcstepeiu version previous the depicts line iue3 vlto ftesaeo h otrcn versions recent most the of share the of Evolution 3: Figure share share 0.0 0.2 0.4 0.6 0.8 1.0 0.0 0.2 0.4 0.6 0.8 1.0 070−120−40 070−120−00 2008−01−01 2007−10−01 2007−07−01 2007−04−01 2007−01−01 2nd latest(N−1) latest (N) sum (N)+(N−1) 2nd latest(N−1) latest (N) sum (N)+(N−1) 070−120−00 2008−01−01 2007−10−01 2007−07−01 2.0.0.2 9.22 natv s ee exceeded never use active in 2.0.0.3 aiu hr fthe of share maximum 9.23 Firefox mostsecureversions Opera mostsecureversions ( N − 1) 2.0.0.4 ftebosr 0%i h oa falvrin fthe of versions all of total the is 100% browser. the of h 21 date date

2.0.0.5 ag rwe ouainbsdo e evrlg only. logs server Web on based population browser large a CONCLUSIONS 7. old package. the software of popular bundling Firefox a versi the with where be latest version might the 2007, Firefox reason version of possible December secure share A FF the of 2.0.0.11. into the end eats of to significantly drop 2.0.0.2 a web mid plug-ins. noticed a from insecure we of through share note, version side vulnerable a latest be As the still Thus, can mus browser separately. which are plug-ins patched analysis browser be our insecure in to are included due attackers Not vulnerabilities version. threat: regardle software blindly, the vulnerabilities reported exploiting mitigate try not to user known does the in Suppressing header information attacker. version agent any browsers for the target obfuscating easy vir or protection an anti are of consider- systems, users layers a prevention these further is intrusion Without this proxies, 15] (security threat. [14, security popularity browsers and web able number against the attacks Given of surfing. while to exposed epeetda ehdt esr h ac ee of level patch the measure to method an presented We are users end that risk significant the reveals analysis Our 2.0.0.6 9.24 ( N ) fFrfxadOea h dotted The Opera. and Firefox of 2.0.0.7 2.0.0.8 2.0.0.9 Volume 39, Number1,January 2009 2.0.0.10 2.0.0.11 9.25 sof ss us) on t -

No cooperation of the user or any installation of monitoring [2] T. Berners-Lee, R. Fielding, and H. Nielsen. software is needed for our measurements. Using anonymized Hypertext transfer protocol – HTTP/1.0. RFC 1945, logs from Google’s worldwide search and application Web Internet Engineering Task Force, May 1996. sites, our presented analysis is of truly global scale covering [3] J. Dean and S. Ghemawat. MapReduce: Simplified approximately 75% of the Internet users for more than a Data Processing on Large Clusters. In year. When observing Firefox update dynamics, we could Communications of the ACM, vol. 51, no. 1 (2008), differentiate two phases: a fast initial adoption of a new ver- pp. 107-113. ACM, 2008. sion, and then a slower continuing adoption limited by the [4] R. Fielding, J. Gettys, J. Mogul, H. Nielsen, and major browser version migration. The Firefox update dy- T. Berners-Lee. Hypertext transfer protocol – namics measurements revealed that despite the single click HTTP/1.1. RFC 2068, Internet Engineering Task integrated auto-update functionality, rather surprisingly, one Force, Jan. 1997. out of five Firefox users surfs the Web with an outdated [5] S. Frei, T. Dübendorfer, G. Ollmann, and M. May. browser version. This results in millions of vulnerable Web Understanding the web browser threat. Technical surfers that can easily be attacked by drive-by downloads. Report 288, ETH Zurich, June 2008. For Opera, more than half of all users stay with an out- [6] Frei, S., Dübendorfer, T., Plattner B. Repository of dated version. This is likely due to the higher complexity of high-resolution browser update dynamics plots. the update mechanism of Opera, requiring extensive interac- http://www.techzoom.net/risk. tion and many decisions from the user. Firefox’ auto-update [7] Janco. Browser and OS Market Share White Paper. mechanism is far superior in terms of speed and maximum http: new version adoption with 80% for Firefox compared to 46% //www.e-janco.com/Samples/BrowserSample.pdf, for Opera. We highly recommend that software security Apr. 2008. updates for end-users are deployed in an automatic fash- ion with minimal user involvement in order to minimize the [8] Mozilla Foundation. User-Agent Definition. http://www.mozilla.org/build/ vulnerable software population. Given that browser plug-ins revised-user-agent-strings.html can also be vulnerable, our measurement provides a lower . bound for the actual vulnerable population. [9] Net Applications. Browser Market Share. http: Finally, we observed that up to 5% of the Web surfers tend //marketshare.hitslink.com/report.aspx?qprid=3, to use newer browser versions (e.g. IE7 vs. IE6) at home on Jan. 2008. the week-end compared to at work during the week. We call [10] Net Applications. Search Engine Market Share. this the week-end effect. Our measurement of Web browsers’ marketshare.hitslink.com/report.aspx?qprid=4, migration dynamics shows that automatic mechanisms to Apr. 2008. deliver upgrades (e.g. bundling a new major version with [11] Ollmann, G. User Agent Attacks. an operating system upgrade) outperform mechanisms re- http://www.technicalinfo.net/blog/security/ quiring user interaction. We found that the severity of a 20080121_UserAgentAttacks.html. vulnerability has no influence on the patch adoption speed [12] Ollmann, G. X-Morphic Exploitation. and the end-of-life (EOL) of a Web browser version only has http://www.iss.net/documents/whitepapers/IBM_ a small effect. ISS_x-morphic_exploitation.pdf. In large part users are not immediately reacting to rec- [13] OneStat. Web Analytics. ommendations of Web browser producers or when new se- http://www.onestat.com/html/aboutus_ curity vulnerabilities are disclosed. A more user friendly pressbox53-firefox-mozilla-browser-market-share. update process and a reduced frequency of needed software html. updates has the potential to dramatically reduce the number [14] N. Provos, P. Mavrommatis, M. A. Rajab, and of poorly patched systems worldwide. F. Monrose. Google Technical Report: All Your iFRAMEs Point to Us. http: 8. ACKNOWLEDGMENTS //research.google.com/archive/provos-2008a.pdf, We would like to thank Tom Dillon, Niels Provos (both 2008. from Google), Gunter Ollmann (IBM Internet Security Sys- [15] N. Provos, D. McNamee, P. Mavrommatis, K. Wang, tems), Martin May, and Daniela Brauckhoff (both ETH and N. Modadugu. The Ghost In The Browser - Zurich), and the anonymous reviewers for their valuable Analysis of Web-based Malware. In Proceedings of feedback for this paper. HotBots 2007, Usenix, April 2007. [16] Qualys Research Report. Laws of Vulnerabilities. 9. REFERENCES http://www.qualys.com/docs/Laws-Report.pdf. [17] Secunia. Personal Software Inspector (PSI). [1] Baumgartner, K. Storm 2007 - Malware 2.0 has http://secunia.com/blog/17/. arrived. http://www.virusbtn.com/pdf/conference_ [18] TheCounter.com. Web Analytics. slides/2007/BaumgartnerVB2007.pdf. http://www.thecounter.com/stats.

ACM SIGCOMM Computer Communication Review 22 Volume 39, Number 1, January 2009