Thursday, January 04, 2007

Brian Krebs on Internet Explorer Vulnerability Window

Brian Krebs posted an excellent article titled Internet Explorer Unsafe for 284 Days in 2006. Brian writes:

For all its touted security improvements, the release of Microsoft's new Internet Explorer 7 browser in November came too late in the year to improve the lot of IE users, who make up roughly 80 percent of the world's online community. For a total 284 days in 2006 (or more than nine months out of the year), exploit code for known, unpatched critical flaws in pre-IE7 versions of the browser was publicly available on the Internet. (emphasis added)

How did the competition fare?

In contrast, Internet Explorer's closest competitor in terms of market share -- Mozilla's Firefox browser -- experienced a single period lasting just nine days last year in which exploit code for a serious security hole was posted online before Mozilla shipped a patch to remedy the problem. (emphasis added)

This is exactly the sort of security metric I like to see. There are plenty of ways one could criticize these results, perhaps by asking about the underground group in Bulgaria sitting on 92 Mozilla 0-days (just kidding). In the real world, these are the sorts of numbers that best approximate our understanding of digital vulnerability. In terms of threat, Brian writes:

Likewise, there were at least 98 days last year in which no software fixes from Microsoft were available to fix IE flaws that criminals were actively using to steal personal and financial data from users.

I don't know how he measures the "98 days," but that gives you an idea of the degree to which these IE vulnerabilities were being exploited and risk moved from a probability to a certainty.

Don't just measure how many of your systems are patched. Measure how long they were vulnerable. Being patched does not mean being invulnerable, when vulnerabilities exist for which no patch is available.

Once you make these measurements, act on them. Consider alternatives. Complain to the vendor. Exercise the purse strings. Don't continue to be abused.
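The "days vulnerable" metric described above can be computed as a union of exposure windows: each flaw contributes the days between its exploit code going public and a patch shipping, and days covered by several overlapping flaws count only once. This is an added example, not code from the original post or from Krebs's research; the flaw names and dates are constructed sample values.

```python
from datetime import date

# Constructed sample data, not the figures behind Krebs's 284-day count:
# (name, day exploit code became public, day a patch shipped). A patch date
# of None means no fix had shipped by the end of the year.
SAMPLE_FLAWS = [
    ("flaw-A", date(2006, 1, 10), date(2006, 2, 14)),
    ("flaw-B", date(2006, 2, 1), date(2006, 2, 20)),   # overlaps flaw-A
    ("flaw-C", date(2006, 9, 19), None),               # unpatched at year end
]

def exposure_intervals(flaws, year):
    """Clip each (exploit public, patched) span to `year` and merge overlaps.
    Returns sorted (start, end) pairs, end exclusive."""
    year_start = date(year, 1, 1)
    year_end = date(year + 1, 1, 1)
    spans = []
    for _, exploit_public, patched in flaws:
        start = max(exploit_public, year_start)
        end = min(patched or year_end, year_end)
        if start < end:
            spans.append((start, end))
    spans.sort()
    merged = []
    for start, end in spans:
        if merged and start <= merged[-1][1]:
            # Overlapping or adjacent window: extend the current one.
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged

def days_exposed(flaws, year):
    """Days in `year` with at least one flaw that had public exploit code
    and no patch. Overlapping windows are counted once, never twice."""
    return sum((end - start).days for start, end in exposure_intervals(flaws, year))

def longest_window(flaws, year):
    """Length in days of the longest uninterrupted exposure window."""
    windows = exposure_intervals(flaws, year)
    return max(((end - start).days for start, end in windows), default=0)

if __name__ == "__main__":
    for start, end in exposure_intervals(SAMPLE_FLAWS, 2006):
        print(f"{start} to {end}: {(end - start).days} days")
    print("total days exposed in 2006:", days_exposed(SAMPLE_FLAWS, 2006))
    print("longest window:", longest_window(SAMPLE_FLAWS, 2006), "days")
```

Feed it your own exploit-public and patch dates per product and the total answers Krebs's question for your environment rather than the vendor's.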

1 comment:

Anonymous said...

My comments aren't to downplay the Internet Explorer issues (which are many) or to discount the Firefox benefits. With that said, one concern I have about this comparison between Internet Explorer and Firefox is that it's not an equal comparison on timelines. Private notification of a vulnerability to Microsoft is not the same point in time as publicly available exploit code. Without the research, I hesitate to believe that there wasn't notification to the Firefox team before exploit code was provided in at least some cases. This disparity provides Firefox with an artificial timeline benefit. Honestly, my gut feeling on the Firefox number of 9 days seems [intentionally] entirely too low (although it is certainly possible that I'm wrong). The concern that arises from this is that there is the status quo to bash Microsoft and blindly praise OSS projects. I fear this different level of scrutiny undermines the real responsiveness that OSS projects can provide. I suggest a real level of criticality be used when researching both closed and open source projects, so we can see the real benefits, and not just the grandiose ones some would like us to see.