SecurityFocus 2008-07-02
More than 45 percent of Internet users put their computers at risk of being compromised by malicious code because they surf the Web using browsers that are behind the times, four researchers warned on Tuesday.
Using data collected by Google from January 2007 to June 2008, the researchers compared the major and minor version numbers of the browsers used by visitors with the most up-to-date version of their software at that time. Their findings: More than 45 percent of Internet users, or about 637 million people in June 2008, use a browser that has security holes that could be plugged by the latest patch.
The research shows that Internet users need to start looking at software programs as if they come with an expiration date, said Stefan Frei, the lead author on the study and a PhD student at the Swiss Federal Institute of Technology at Zurich (ETH Zurich).
"We need security awareness," Frei said. "The threat environment is more like the food industry -- no one would bite into a three-month-old sandwich."
Over the past two years, online criminals have increasingly focused on compromising legitimate Web servers to seed the hosts with malicious code in an attempt to compromise visitors' computers. By leaving behind malicious iframe or JavaScript code, the compromised servers can exploit vulnerabilities in out-of-date browsers to take control of visitors' systems. In April, for example, attackers seeded tens of thousands of legitimate Web pages with code designed to compromise victims' computers.
The study is the first to estimate the actual number of users surfing the Web with vulnerable browsers from global data. The researchers -- Frei and Martin May from ETH Zurich, Thomas Duebendorfer from Google Switzerland, and Gunter Ollmann from IBM Internet Security Systems -- estimate that the data provided by Google covers 75 percent of all Internet users. The authors stressed that the data did not include any personally identifiable information.
The researchers compared the version numbers sent by visitors' browsers, known as the user agent field, with the most current patch information at the time. Since Microsoft's Internet Explorer only broadcasts the major version number -- calling itself IE6 or IE7, for example -- the authors of the paper set a lower bound on the number of insecure browsers by counting the number of visitors using an older major version of their favored browser. From that data, they found that 41 percent of Internet users, or about 576 million people, were not using the latest major version of their browser, defined as Microsoft's Internet Explorer 7, Mozilla's Firefox 2, Apple's Safari 3, or Opera 9.
Using data collected from Google -- and estimates from security firm Secunia of the fraction of systems running the latest version of Internet Explorer -- the researchers found that another 4 percent of people using the most recent major version of a browser had still not applied the latest patches.
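The version comparison the researchers describe, as an added illustration (not the study's own code): it parses the user-agent field, flags visitors behind the latest major version, checks the minor version only where the browser reports one, and treats Internet Explorer on the current major as unverifiable, which is why the result is a lower bound. The latest minor/patch numbers in the table and the sample user agents are assumptions constructed for the example.

```python
import re
# Latest version per browser for June 2008: majors per the article (IE7, Firefox 2,
# Safari 3, Opera 9); the minor/patch numbers are assumed for illustration only.
LATEST = {"Opera": (9, 50), "Firefox": (2, 0, 0, 14), "Safari": (3, 1, 1), "MSIE": (7,)}
UA_PATTERNS = [  # Opera first: some Opera builds also carry an "MSIE" token
    ("Opera", re.compile(r"Opera[/ ]([\d.]+)")),
    ("Firefox", re.compile(r"Firefox/([\d.]+)")),
    ("Safari", re.compile(r"Version/([\d.]+) Safari/")),
    ("MSIE", re.compile(r"MSIE (\d+)")),  # IE's UA exposes only the major version
]

def parse_ua(ua):
    """Return (browser, version tuple) or None; IE yields only its major number."""
    for name, pat in UA_PATTERNS:
        m = pat.search(ua)
        if m:
            return name, tuple(int(x) for x in m.group(1).strip(".").split("."))
    if " Safari/" in ua:  # assumed: Safari before 3.0 sent no "Version/" token
        return "Safari", (0,)
    return None

def classify(ua):
    """old-major, old-minor, current, or major-current (IE on the newest major,
    patch level unobservable), following the study's method."""
    parsed = parse_ua(ua)
    if parsed is None:
        return "unknown"
    name, ver = parsed
    if ver[0] < LATEST[name][0]:
        return "old-major"
    if name == "MSIE":
        return "major-current"
    return "current" if ver >= LATEST[name] else "old-minor"

def insecure_lower_bound(uas):
    """Share provably out of date: old major, or old minor on a non-IE browser.
    IE users on the current major cannot be checked, hence a lower bound."""
    flagged = sum(classify(ua) in ("old-major", "old-minor") for ua in uas)
    return flagged / len(uas)

SAMPLE_UAS = [  # constructed sample, not the study's data
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12",
    "Opera/9.27 (Windows NT 5.1; U; en)",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.50",
    "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_3; en-us) AppleWebKit/525.18.1 (KHTML, like Gecko) Version/3.1.1 Safari/525.20",
    "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/418.9 (KHTML, like Gecko) Safari/419.3",
]
```

On the constructed sample, half of the visitors can be shown to be out of date; the IE7 visitor is not counted either way, which is exactly the blind spot the article attributes to IE's user agent.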
The study also found that some browsers instilled far better security habits than others. Microsoft's Internet Explorer -- which had the greatest market share, about 78 percent, according to data from TheCounter.com -- had the most out-of-date software among its users, with only 48 percent using the latest version of Internet Explorer 7. Mozilla's Firefox, which claims about a 16-percent market share, had a much more up-to-date user base, with more than 83 percent of all Firefox users surfing with the latest version.
Microsoft's varied user base sometimes has reasons for not upgrading immediately, a spokesperson for the company told SecurityFocus.
"With hundreds of millions of IE users, Microsoft recognizes that some may have reasons for not being able to immediately upgrade," the spokesperson said. "To assist this population, Microsoft does not end-of-life browser support for legacy versions shortly after a new IE release."
The authors of the browser study, however, argued that Firefox's simple update mechanism resulted in the users of the browser updating much more quickly than the users of rival browsers. Within three days of releasing a patch, for example, more than 80 percent of Firefox users upgrade the software.
"We did a lot of work to make the program's update mechanism as simple as possible," Window Snyder, Mozilla's chief security officer, told SecurityFocus.
Opera users patched the software much more slowly, with only 56 percent of users patched within the first 11 days. While Firefox can be upgraded with a single click, Opera refers users to the company's site where they can download the update and install it.
"It is not complicated to do for you and for me, it is just five clicks," ETH Zurich's Frei said. "But those five clicks are a giant barrier for most users."
In addition, Mozilla's Snyder pointed to the software's ability to save the user's current pages, so that, upon a restart, the program starts up where the user left off.
A spokesperson for Opera pointed out that the software does have automated update notifications, but said the company is exploring ways of improving the update process.
"We know many people choose Opera because of our long security track record," the spokesperson said. "We intend to continue evolving methods of keeping them as secure as possible when they use any Opera product."
However, the authors of the study suggested that all the browsers adopt some notification scheme to tell users that their browser is no longer current. Such an expiration date, similar to the "Best by" date on food, would notify users that their browser may not be current, said Frei.
"If I give you two screenshots of Firefox -- one from today and another from three months ago, you cannot spot the difference," he said. "If there is a clear message somewhere on the browser, then I might think twice before logging onto my bank."
The authors also contended that all browsers have another issue: Making sure that all users are running the latest versions of any plug-in features for their software. While Firefox has adopted authenticated channels for updating the plug-ins, Frei stressed that finding a way to authenticate the sources of plug-ins and checking for the latest patches is a must.
"Even under the best update circumstances, it still takes three days to get to an 80-percent patch level," Frei said. "Now imagine that across all the plug-ins ... and you have a problem."