

Unpatched Web browsers prevalent on the Internet


Only 59.1 percent of people use up-to-date, fully patched Web browsers, putting the remainder at risk from growing threats from diligent hackers, according to a new study published by researchers in Switzerland.

The study, published Tuesday, is one of the most comprehensive analyses of what versions of Web browsers people are using on the Internet. The study was conducted by researchers at The Swiss Federal Institute of Technology, Google and IBM Internet Security Services.

Web browsers are often a weak link in the security chain, as software vulnerabilities can make it easy for hackers to gain control of a PC. When that happens, hackers can perform malicious acts such as stealing personal data or turning PCs into spam-spewing drones.

What the researchers found is that although software vendors provide patches for security problems, it can take days, weeks or months before people update their applications. In the meantime, those users are at risk.

But it's not entirely the fault of users, since Web browser vendors haven't exactly made patching easy, said Stefan Frei, a doctoral student at the institute, which is known as ETH Zurich, and one of the report's authors. The Web browser is still fairly young technology, and the industry has yet to settle on a dominant, well-tested design, he said.

The study looked at search and Web application server log data provided by Google to see what versions of the Firefox, Opera or Safari browsers people were using, Frei said.

Microsoft's Internet Explorer, however, only tells Web servers what major version a person is using, such as IE 6 or IE 7. For IE, the researchers relied on data from people who have installed a tool on their PC called the Personal Software Inspector, from Danish security company Secunia, which can detect incremental versions of IE, Frei said.

Firefox users were the best at upgrading: 83.3 percent are using the latest version (the study just looked at Firefox 2.0). For Apple's Safari, 65.3 percent use the latest version; 56.1 percent for Opera, and 47.6 percent for Microsoft's Internet Explorer.
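The measurement the study describes, classifying browsers from the User-Agent string in server logs and counting how many run the latest release, is easy to reproduce on your own access logs. The script below is an added example, not code from the study or from any of the vendors named here; the log lines and the "latest version" table are constructed for illustration and are not a claim about which releases were current at the time. It also shows the IE limitation the article mentions: because IE reports only its major version, those requests are tallied as undetermined rather than as patched or unpatched.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.1 - - [01/Jul/2008:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15) Gecko/20080623 Firefox/2.0.0.15"
10.0.0.2 - - [01/Jul/2008:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080604 Firefox/2.0.0.14"
10.0.0.3 - - [01/Jul/2008:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Opera/9.50 (Windows NT 5.1; U; en)"
10.0.0.4 - - [01/Jul/2008:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_4; en-us) AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.2 Safari/525.20.1"
10.0.0.5 - - [01/Jul/2008:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
10.0.0.6 - - [01/Jul/2008:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
"""

# Assumed "current release" table for the survey; constructed placeholder values.
LATEST = {"Firefox": "2.0.0.15", "Opera": "9.51", "Safari": "3.1.2"}

# The User-Agent is the last quoted field of a Combined Log Format line.
UA_RE = re.compile(r'"([^"]*)"\s*$')

# Order matters: Opera and Safari strings can contain other vendors' tokens,
# so the more specific patterns are tried first. IE exposes only its major version.
PATTERNS = [
    ("Firefox", re.compile(r"Firefox/(\d+(?:\.\d+)*)")),
    ("Opera", re.compile(r"Opera/(\d+(?:\.\d+)*)")),
    ("Safari", re.compile(r"Version/(\d+(?:\.\d+)*).*Safari/")),
    ("IE", re.compile(r"MSIE (\d+)")),
]


def version_tuple(text):
    """'2.0.0.15' -> (2, 0, 0, 15) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def extract_user_agent(log_line):
    match = UA_RE.search(log_line)
    return match.group(1) if match else ""


def classify(user_agent):
    """Return (family, version tuple) for the four surveyed browsers, else None."""
    for family, pattern in PATTERNS:
        match = pattern.search(user_agent)
        if match:
            return family, version_tuple(match.group(1))
    return None


def survey(log_text, latest):
    """Tally requests per browser family as current / outdated / undetermined."""
    counts = {}
    for line in log_text.splitlines():
        hit = classify(extract_user_agent(line))
        if hit is None:
            continue  # other browsers, bots, scanners: outside the survey
        family, version = hit
        tally = counts.setdefault(family, Counter())
        if family == "IE":
            # Major version only: cannot tell a patched IE 7 from an unpatched one.
            tally["undetermined"] += 1
        elif version >= version_tuple(latest[family]):
            tally["current"] += 1
        else:
            tally["outdated"] += 1
    return counts


def share_current(counts):
    """Fraction of requests with a determinable version that ran the latest release."""
    determinable = sum(c["current"] + c["outdated"] for c in counts.values())
    current = sum(c["current"] for c in counts.values())
    return current / determinable if determinable else 0.0


if __name__ == "__main__":
    result = survey(SAMPLE_LOG, LATEST)
    for family, tally in sorted(result.items()):
        print(family, dict(tally))
    print("share up to date: %.1f%%" % (100 * share_current(result)))
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents and `LATEST` with the versions currently shipped by each vendor; the undetermined bucket is what the study had to fill from Secunia's Personal Software Inspector data, since the User-Agent alone cannot settle it for IE.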

Mozilla's Firefox came out on top due to its auto-update feature, which tells a user a new patch is available and offers a one-click way to upgrade. Within three days, most Firefox users are up to date, the study said.

Frei recommends that all browser makers put in an auto-update feature since the process now is cumbersome and slow.

Now, Opera users are told there is a new version, but they have to go to Opera's Web site and go through the same installation process as if they had initially downloaded the browser for the first time, Frei said.

Safari uses an external updater that only polls for updates at certain intervals. Microsoft's updates are distributed on the second Tuesday of the month. The gap between when a vulnerability is publicly disclosed and when a person patches is crucial, as it is an open window for an attack.

The problem with lax patching falls squarely on the shoulders of the application vendors -- users often simply can't visually tell if their browser needs to be upgraded, Frei said.

He advocates that software vendors take a cue from the food industry and put an "expiration date" right on top of the browser to let people know the browser's state. For example, a warning could appear beside the address bar: "145 days expired, three patches missing."

"It's a non-technical suggestion," Frei said. "How can you expect people that they run the update if they don't even know? We think it's the same as having a speed limit on a highway."

Even search engine companies such as Google could display the same warning above search results, as the browser version is transmitted to its servers when someone performs a query, Frei said.

Alternatively, security companies could make application version scanning part of their consumer products, which they have done for some enterprise-level software, Frei said.

But the problem of out-of-date browsers pales in comparison to the quagmire of plug-ins, which add extra functionality to the browser, such as Adobe's Flash and Apple's QuickTime multimedia program.

On average, people have between six and 10 plug-ins, many of which come from different vendors with different patching regimes and schedules, Frei said.

"The browser is the bread, and even if the bread is fine, if the ham is rotten, you have a problem," Frei said.

Just one software vulnerability in a plug-in can put a person's PC in danger. Frei is proposing that an organization such as a national Computer Emergency Response Team create a service through which a browser can verify whether it has the latest version of a plug-in.

Besides Frei, the study was also conducted by Thomas Dübendorfer of Google, Gunter Ollmann of IBM Internet Security Systems, and Martin May from ETH. The study will be presented at the Defcon security conference next month in Las Vegas.

Tue Jul 01, 2008





Rss - Latest News

Apple promises September fix for iPhone security flaw

A recently discovered security flaw that would allow access to a locked iPhone will be fixed next month, Apple said on Thursday.

"The minor iPhone security issue which surfaced this week is fixed in a software update which will be released in September," Apple representative, Jennifer Bowcock, said in an email to Macworld.


The security flaw allows access to a locked iPhone by pressing the emergency call button at the unlock screen, followed by two taps on the home button. That will take you to the iPhone's private 'favorites' page without the need to enter the unlock code. If the owner of the phone has favorite entries in their address book containing URLs, e-mail addresses, or mobile phone numbers, then those entries can be used to launch the browser, mail application or SMS software and gain access to private Web favorites, e-mail messages and text messages stored in the phone, again without entering the unlock code.

Bowcock offered some advice to protect your phone until the software update is released. She said you can set the iPhone so that double-clicking the home button takes the user directly to the home screen, which, if password protection is turned on, will be the unlock screen.


Performance improvement integral to Windows 7, IE8

Fixing the performance issues that have plagued previous versions of its Windows client OS and Internet Explorer (IE) browser is a key development goal for the next versions of those products, Microsoft has revealed in company blogs.

IE 7 and Windows Vista had serious performance problems early on that alienated users and damaged the reputations of the products. Some IE users switched to Mozilla Firefox because of IE 7's frequent crashes and performance glitches, while Vista's bugs, incompatibility problems and other issues have been well documented.


Microsoft is paying close attention to performance in Windows 7 and IE 8 as it develops both products, the company revealed in separate internal blogs about each product, "Engineering Windows 7" and "IEblog."

"We've re-dedicated ourselves to work in this area (performance) in Windows 7 (and IE 8)," according to the Engineering Windows 7 post. "This is a major initiative across each of our feature teams as well as the primary mission of one of our feature teams."

The company faces an uphill battle to improve performance, particularly with Windows 7, said one analyst.

"I'm not surprised they're going to focus on performance," said Mike Cherry, an analyst with Directions on Microsoft. "I'm somewhat skeptical how much improvement they're going to make at this point."

He suggested Microsoft consider performance for Windows 7 the way it approached security when the company decided to make that a key priority for Vista. When Microsoft decided security was integral to the OS, the company engineered Vista so "every feature has a security attribute to it," Cherry said.

Similarly, the company should make performance such a priority that "anyone checking any code into Windows 7 not only has to make sure it's the most secure code and the most reliable code, but they'd better be addressing the performance of the code as well," he said.

While performance is made up of "many elements," the Windows 7 team is focusing on six areas of improvement in Windows 7, according to the post. They are memory usage, CPU utilization, disk I/O, the boot-shutdown-standby-resume feature, the base system, and disk footprint.

CPU utilization in particular is a problem in Vista, and could use improvement in Windows 7. Cherry said he runs a 32-bit version of Vista on a PC with a 64-bit processor and 2GB of RAM. However, when he starts his Outlook e-mail client, it uses 100 percent of his CPU resources for more than a minute and a half. "It blows me away," he said of the problem.

Indeed, Microsoft said a key engineering goal for Windows 7 is to "keep the CPU utilization low as that improves multi-user scenarios as well as reduces power consumption," according to the Windows 7 blog post.

The focus of IE 8 improvements, according to the IEblog post, will be making pages and images load faster for "everyday" browsing. This will require improvements to scripting, the rendering engine and networking, among other areas, the company said.

Microsoft has said it expects to release Windows 7 in early 2010; however, the company has not provided a time frame for the final release of IE8, though it is safe to say it likely will be a part of the Windows 7 release. Microsoft released IE8 beta 2 on Wednesday.


Google introduces Android apps store

Google unveiled on Thursday its plans for a store where mobile users can find Android applications, a concept similar to the iPhone's App Store.

The first handsets running Android, expected to appear later this year, will include a beta version of the Android Market, Google's Eric Chu wrote in a blog post. Initially, users will at least be able to find free applications there. After that, Google expects to update the Market to allow users to buy and download paid content.


The Market will feature a feedback and rating system similar to that used in YouTube, Chu said.

Developers can add their applications to the market by registering as a merchant, uploading the content, and publishing it. Google expects to add features for developers after the initial launch, including a dashboard where developers can find analytics information about their content. Developers will also be able to upload different versions of their applications that might work better on different devices.

Android followers have wondered how Google might support application distribution. Its Android Market is a similar concept to Apple's App Store, but differs in some ways. For instance, because all iPhones run on the same software, developers don't have to create different versions for different phones. Android is open, and handset makers may decide to include different hardware capabilities or opt not to support all Android features, which has an effect on the way applications work.

Historically, the mobile market has struggled with how to best sell and distribute mobile applications. Prior to the iPhone, the best way for an application to become widely used was for a developer to convince an operator to pre-load it onto a phone, a challenging accomplishment. Mobile phone users only very seldom download applications to their phones.


Update: Google extends Apps Premier credit for Gmail outages

Due to the three outages that Gmail suffered earlier this month, Google will extend a credit to all paying customers of its hosted Apps suite and has vowed to improve its problem-notification methods.

In an apologetic e-mail sent Wednesday to Apps Premier administrators, Google said it will automatically extend annual subscriptions by 15 days at no extra charge. Apps Premier subscriptions cost $50 per user per year. This 15-day extension is the maximum credit of the 99.9 percent uptime service level agreement Google offers Premier customers for Gmail.

"We're committed to making Google Apps Premier Edition a service on which your organization can depend. During the first half of August, we didn't do this as well as we should have," reads the letter.

One outage, on Aug. 11, lasted about two hours but affected almost all Apps Premier users. The other two, on Aug. 6 and Aug. 15, hit a small number of Apps Premier users, but both outages were lengthy, lasting for some affected users more than 24 hours. In all of the incidents, users were unable to access their Gmail accounts, getting instead an error message when trying to log in.

In Wednesday's letter, Google said that system reliability is a top priority and that, although it can't promise zero downtime, it commits to solving outages quickly. "More importantly, we promise you focused discipline on preventing recurrence of the same problem," the letter reads.

In addition, Google plans to improve the way it informs Apps Premier administrators about system problems via a new dashboard that will become available in a few months.

That dashboard will provide descriptions of problems, especially of their impact on users; a regularly updated estimate of when the issues will be resolved; and, if necessary, a formal report within 48 hours of the resolution. The report will describe the incident, explain its cause, list corrective and preventive actions taken, and provide an outage timeline.

Google officials will also make themselves available to participate in live discussions about the incident with Apps Premier administrators and their companies' managers.

The plans for fuller disclosure of problem causes, fixes and prevention plans sound good to Gartner analyst Matt Cain, but he's confused as to why Google didn't start applying these principles with this letter, which he found slim on details.

"I'd like more transparency into what actually happened and why. They don't go into that [in this letter]. That's what they should have done in this note," Cain said. "Why start in the future and not now?"

Crediting all Apps Premier customers across the board and taking proactive steps to prevent future outages were the right actions for Google to take, said analyst Rebecca Wettemann from Nucleus Research.

"These are natural growing pains for an on-demand vendor," she said. "Google is doing what it needed to do [to respond to the outages], but in fairness to Google, it's held to a higher standard in terms of uptime and availability, as are many on-demand vendors, when you compare them to internally deployed applications."

Apps comes in various versions, including the free Basic and Education editions and the fee-based Premier edition. In addition to Gmail, it includes Google hosted services like Calendar, Sites, Talk, and the Docs word processor, spreadsheet, and presentation software.

Overall, more than 500,000 businesses with 10 million active users use Apps. Hundreds of thousands of those active users have Premier subscriptions, according to Google.

With Apps, a hosted suite of communications and collaboration applications, Google is a leading proponent of SaaS, an emerging model of software delivery that backers say represents the future.

Because vendors host applications in their own data centers, companies don't have to concern themselves with hardware provisioning and software maintenance. By living in the Internet "cloud," these hosted applications simplify sharing and collaboration among employees.

However, outages such as the one Gmail experienced are among the biggest question marks regarding SaaS applications, as IT and business managers ponder whether to ditch conventional software packages that are installed on their companies' servers.

When applications hosted by vendors go down, there is little that IT and business managers can do to remedy the situation and respond to their angry end users.

Google Apps critics question whether the suite can really provide enterprise-grade software availability and performance and thus be a real option in large companies to conventional, on-premise options like Microsoft's Office and Outlook/Exchange or IBM Lotus Notes/Domino.

Google acknowledges that most Apps subscribers are individuals or small and medium-size organizations. However, the company has high hopes that the Premier edition, with its IT management and enterprise software integration features, will push into the enterprise market of large companies.

Google has proved it can learn from mistakes and has improved as an enterprise IT provider, Cain said. However, Gartner's advice to enterprises is to hold off on adopting Gmail as an e-mail system, and this month's outages justify that position, Cain said.

"A 24-hour outage of e-mail for many companies would be catastrophic. That indicates that our cautious approach is warranted," he said.

Before giving the green light to its customers, Gartner wants to see at least a dozen enterprise deployments of Apps Premier with at least 10,000 Gmail seats, each running successfully for six to 12 months, Cain said.

This story was updated on August 28, 2008


Aptana adds Python to Web 2.0 nest

Aptana, which has enabled Web 2.0 development via JavaScript, Ruby on Rails, and PHP with the Aptana Studio IDE, has added Python to the mix through its acquisition of Pydev, which was announced this week.

The company plans to combine the Pydev Eclipse-based development environment with Aptana Studio, which has supported AJAX and has been downloaded nearly 2.3 million times, Aptana said. Developers now can use Aptana Studio and Pydev side by side or plug them into Eclipse. Both are open source with commercially available extensions.

"Python kind of completes the portfolio of popular scripting languages that people use to build Web apps," said Kevin Hakman, Aptana director of evangelism.

Aptana currently has no timeframe for full integration between Aptana Studio and Pydev. The company also would not reveal how much it paid for Pydev.

With Pydev, developers get capabilities for code completion and analysis, a debug console and server, and refactoring. Aptana Studio, meanwhile, supports Web development by integrating AJAX tooling with PHP and Ruby on Rails. Ruby development is supported as well.

Aptana stressed the popularity of Python, particularly Google's selection of the language for use with its Google App Engine hosted application service. "When Google gets behind something, there tends to be a lot of attention [paid] to it. We've seen an increased utilization of the Python language," Hakman said.

Through the Pydev IDE, developers can deploy and manage applications on a computing cloud via a link-up with the Aptana Cloud product for cloud-based deployments.