|Internet Explorer Unsafe for 284 Days in 2006|
Brian Krebs, lead Computer Security reporter for the Washington Post, has released a fascinating study of IE security issues [blog.washingtonpost.com] last year.
After compiling security information from leading security watchers, Krebs determined that for 284 days last year there was widely available exploit code for unpatched IE issues.
|For a total 284 days in 2006 (or more than nine months out of the year), exploit code for known, unpatched critical flaws in pre-IE7 versions of the browser was publicly available on the Internet. Likewise, there were at least 98 days last year in which no software fixes from Microsoft were available to fix IE flaws that criminals were actively using to steal personal and financial data from users. |
|In a total of ten cases last year, instructions detailing how to leverage "critical" vulnerabilities in IE were published online before Microsoft had a patch to fix them. |
In contrast, Internet Explorer's closest competitor in terms of market share -- Mozilla's Firefox browser -- experienced a single period lasting just nine days last year in which exploit code for a serious security hole was posted online before Mozilla shipped a patch to remedy the problem.
I preach FF to all non-Mac/*nix friends and associates primarily for the lower security profile it offers.
Surely, in hindsight, IE was vulnerable for the entire year. The vulnerabilities existed before the proof of concepts were issued.
Likewise, Firefox was probably unsafe for the entire year as well. Vulnerabilities have been found in Firefox in the past and more will undoubtedly be uncovered in the future.
Exactly how unsafe are they though? Sure, IE may be less safe, but how many users actually suffer substantial harm from these vulnerabilities? Surely most exploits are mitigated by the use of a firewall, anti-virus and anti-spyware apps.
After all, getting out of bed in the morning is unsafe too. I can think of plenty of vulnerabilities that could befall me before I even make it to breakfast. One has to keep things in perspective though.
I continue to prefer IE simply because it renders most web pages the way the authors intended them to be displayed. I went through a phase of using Firefox but gave up on it because I came across so many sites that simply didn't work on Firefox. I only use it now if I want to take advantage of a particular extension.
Sure, I could get up on my high horse and refuse to visit sites which aren't standards compliant. But really, life is too short...
|I went through a phase of using Firefox but gave up on it because I came across so many sites that simply didn't work on Firefox. |
That was true a while back, but I find that's rarely the case any more. Can't remember when I last came across a site where I had to throw in the towel and use IE.
Amen, Stu... well put.
|aren't standards compliant. |
New York Times [validator.w3.org]
Sheesh, Brett. I don't know how to put this, but [validator.w3.org]...
You'll be happy to know these ones validate:
Wouldn't it be embarrassing if this one failed? [validator.w3.org]
That being said, I use FF all the time, and very, VERY rarely encounter a site it can't render properly. It is a Web designer's dream browser, and knocks IE into a cocked hat.
|but how many users actually suffer substantial harm from these vulnerabilities |
Stu, using a browser with more active vulnerabilities just because it renders better is ill-advised. I'm on a couple of botnet mailing lists (people that FIGHT them, not people that run them) and the number of compromised machines out there is scary.
Not that FF or Opera are more secure, they just have fewer active exploits sitting on websites waiting for the right opportunity.
I can show you one webhost with hundreds (thousands?) of infected websites just waiting to attack your browser.
If one of the exploits is successful, they might even install a line like "127.0.0.1 liveupdate.symantec.com" into your hosts file, and then the REAL fun starts.
FWIW, I just spent a couple of weeks fighting a botnet attacking one of my servers and about half of the botnet was other servers, the other half came from DSL and cable modem IP addresses.
Enjoy your rendering.
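A defender-side check for the hosts-file tampering incrediBILL describes above, as an added example that is not part of the thread or anyone's posted code. It parses a hosts file and flags static entries that override security-vendor or OS update domains; only liveupdate.symantec.com comes from the post, while the rest of the watch list and the sample file are constructed for illustration.

```python
"""Audit a hosts file for entries that sink-hole update domains.

Added example, not from the thread. The watch list beyond
liveupdate.symantec.com and the sample hosts content are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

# Hypothetical watch list of update/definition hosts. Only the Symantec entry
# is named in the post; the other two are constructed for the example.
WATCHED_DOMAINS = (
    "liveupdate.symantec.com",
    "update.microsoft.com",
    "windowsupdate.com",
)


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, ip, [hostnames]) for each active hosts entry.

    Handles '#' comments (whole-line and trailing), blank lines and several
    hostnames on one line, which the hosts format allows on Windows and Unix.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line with no hostname; nothing to resolve
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; skip rather than guess
        entries.append((line_no, fields[0], [h.lower() for h in fields[1:]]))
    return entries


def _is_watched(host: str) -> bool:
    """True if host equals or is a subdomain of a watched domain."""
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def find_sinkholed_updates(text: str) -> List[Dict[str, object]]:
    """Flag hosts entries that override a watched update domain.

    Any static entry for these domains is suspect, since they are meant to be
    resolved through DNS. Entries pointing at loopback or the unspecified
    address are the classic 'block the update' pattern and are marked as such.
    """
    findings = []
    for line_no, ip, hosts in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        for host in hosts:
            if not _is_watched(host):
                continue
            blocked = addr.is_loopback or addr.is_unspecified
            findings.append({
                "line": line_no,
                "ip": ip,
                "host": host,
                "reason": ("update host sunk to local address" if blocked
                           else "update host overridden to non-local address"),
            })
    return findings


# Constructed sample resembling a tampered hosts file.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1 liveupdate.symantec.com   # the line the post describes
0.0.0.0   update.microsoft.com  download.windowsupdate.com
192.0.2.10      intranet.example   # documentation address, not watched
"""

if __name__ == "__main__":
    for f in find_sinkholed_updates(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['ip']} -> {f['host']} ({f['reason']})")
```

Run it against the real file (C:\Windows\System32\drivers\etc\hosts on Windows, /etc/hosts elsewhere) by reading that file into `find_sinkholed_updates`; the function deliberately reports any override of a watched domain, not only loopback ones, since an attacker can just as easily point an update host at a server they control.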
|Surely, in hindsight, IE was vulnerable for the entire year. The vulnerabilities existed before the proof of concepts were issued. |
Umm, no. There were 98 days last year during which criminals were *ACTIVELY* exploiting vulnerabilities in Internet Explorer and there was *NO* patch from Microsoft available.
Some of these times, Microsoft had a patch ready but was holding it off for their monthly Tuesday patch day, leaving users out in the cold.
|After all, getting out of bed in the morning is unsafe too. I can think of plenty of vulnerabilities that could befall me before I even make it to breakfast. |
Ha-Ha, nice work!
Agreeing with incrediBILL ... most IE users with exploited machines simply don't know how to recognize that fact. They think "this darn machine is going so slow" and "geez, every time I try to go to x website it goes to y website, stupid DSL provider".
The people who are most harmed are not those who have been exploited, unless they fall victim to identity theft (not at all uncommon) or their system becomes totally unusable (and that is at cross-purposes to most exploiters' goals, so while the machine may slow down, it rarely becomes unusable). The people who are most harmed are the rest of society as spam and worm propagation becomes more serious every day, thanks to those security holes and the blithe ignorance of the users whose systems have been compromised.
On a side note, IE doesn't render things well ... it renders them in its own, outside-the-standards way. If you visit sites that are not friendly to FF, it's because the developers chose to limit themselves to MSIE's way of doing things, which is not by any means the standardized way of doing things.
And it points out the general laziness of a large number of developers who can't be bothered to write their code as standards-based and then drop in a few hacks to get MSIE to render them properly, instead of the other way around.
I'm of the "security through obscurity is still security" school of thought.
I really don't think that the fundamental security of FF is any better than IE, other than FF isn't tied so deeply into the OS.
But FF isn't being as actively targeted as IE. One of the key reasons I use FF is because I see no need to paint a great big bullseye on my computer.
When FF hits 25-30% market share, we'll see it become a bigger target. Then I'll move over to Opera, or some other browser that offers the feature set I like, but with less exposure to malware.
|I really don't think that the fundamental security of FF is any better than IE, other than FF isn't tied so deeply into the OS. |
Where does that leave you?
My impression was that most of the botnet problem was related to the (technically needless and useless) integration of IE into Windows.
|My impression was that most of the botnet problem was related to the (technically needless and useless) integration of IE into Windows. |
Quite true. A big part of it is the fundamental difference in the way things are approached. Microsoft let the world do anything they wanted to in the browser and has to play catch up to turn off access to each piece that's exploited. IE exposes LOTS of the holes in Windows to the world. Firefox, on the other hand, approaches things from a more security-minded point of view (should we provide access to X?). And, the fact that it doesn't heavily integrate with Windows means it isn't vulnerable to the slew of Windows issues that crop up that IE provides access to.
|When FF hits 25-30% market share |
Should be right around the corner, thanks to IE7.