Nearly one in four PC users run out-of-date or obsolete versions of the most popular browsers for a month or longer, with Mozilla Firefox users the slowest to update their software, Kaspersky Lab has found.
The company looked at the browsers installed on a random 10-million sample of its antivirus user base, finding that Internet Explorer was marginally the most common default browser, at 37.8 percent of users. Chrome scored 36.5 percent, Firefox took 19.5 percent, Opera 6 percent and Safari a vanishing fraction of a percent (Kaspersky's customers are overwhelmingly PC users).
Finding 36 different browser versions installed, the company noticed that across browsers only 77 percent of users were running the latest installation of a given browser.
Of the 23 percent that had not updated, 14.5 percent were using an older version (for instance Chrome v21 or v22 instead of v23) with a stubborn 8.5 percent using what could be classed as 'outdated' software (i.e. at least several months old).
This phenomenon varied from browser to browser, although comparisons are hard to make because of timing differences in the upgrade cycle when the survey was carried out in August 2012.
Chrome and IE were the most rapidly updated with around 80 percent up-to-date, leaving Firefox users a bit behind on 66 percent. Revealingly, however, older and potentially vulnerable versions of Firefox were found on a surprisingly high 22.7 percent of machines.
Chrome users were the fastest to upgrade, Firefox the slowest. IE's numbers were complicated by the inability of users on the still-popular Windows XP to upgrade beyond version 8.
Drawing hard conclusions about the individual browsers was difficult beyond noting that a hard core of users of each program seem reluctant to upgrade at all. The absolute percentages might look small - only 3.9 percent of IE's base use the hugely insecure Explorer 6 or 7 - but that might still be tens or hundreds of thousands of users worldwide.
It could also be that some users install several browsers and then only upgrade the one they use most frequently; few realise that this represents a security risk.
"Our new research paints an alarming picture. While most users make a switch to the most recent browser within a month of the update, there will still be around a quarter of users who have not made the transition," said Kaspersky Lab's director of whitelisting and cloud infrastructure research, Andrey Efremov.
"That means millions of potentially vulnerable machines, constantly attacked using new and well-known web-borne threats. This is strong evidence of the urgent need for proper security software which is able to react to new threats in a matter of minutes, not days or even weeks," he said.
Browser security has improved with faster patching by vendors, including of plug-ins, but it appears that for whatever reason patching is not enough on its own. Some users just do not update.
The need to update browsers, a function now turned on by default in all programs, remains a fact of life. Only days ago, Mozilla issued its second browser security fix in a short period, patching 16 flaws.