Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Internet Explorer Mozilla The Internet

IE6 Was Unsafe 284 Days In 2006 137

An anonymous reader sends us to the Washington Post's Security Fix blog, where Brian Krebs has toted up the total vulnerability days for IE6 users in 2006. From the article: "For a total 284 days in 2006 (or more than nine months out of the year), exploit code for known, unpatched critical flaws in pre-IE7 versions of the browser was publicly available on the Internet. Likewise, there were at least 98 days last year in which no software fixes from Microsoft were available to fix IE flaws that criminals were actively using to steal personal and financial data from users... In contrast, Internet Explorer's closest competitor in terms of market share — Mozilla's Firefox browser — experienced a single period lasting just nine days last year in which exploit code for a serious security hole was posted online before Mozilla shipped a patch to remedy the problem."
This discussion has been archived. No new comments can be posted.

IE6 Was Unsafe 284 Days In 2006

Comments Filter:
  • by RiotXIX ( 230569 ) on Thursday January 04, 2007 @12:38PM (#17460686) Journal
    Then it might affect people who don't already know it.
    • Well, it might make it, but only if the Foundation pays for another full page advert. Let's face it, this story won't really be counted as news in less computer-orientated places - the main stream press.

      You can, of course, help however. Email this story to your friends and family. Of course, the story itself still probably won't interest people, but you can make it interesting: Your friends credit card details are at risk for using IE. Importantly, there are alternatives to IE.
      • by Duds ( 100634 ) *
        They won't do that because since there are unpatched critical flaws dating back to 2004 in Firefoix, it would be a simple matter to point out that FF was unsafe for a full 365 days. I expect that to rise to 366 by 2008.
  • by Kelson ( 129150 ) * on Thursday January 04, 2007 @12:38PM (#17460696) Homepage Journal
    Consider that this would be less of an issue if IE weren't used by 70-90% (depending on where you look) of web surfers. Most-used and least-secure is a disastrous combination. This is why alternatives are important [alternativ...liance.com]. If the space broke down at, say, 30% IE, 30% Gecko, 15% Safari, 15% Opera and 10% random, malware authors would have to go to a lot more effort to exploit the majority.
    • If the market was free, there would be no monoculture and IE share would be close to 0%. A market for lemons would assure some people would always use IE, but most people would chose the obviously superior offerings. That IE continues to enjoy significant market share is a good indicator of continued anti-competitive practices: threats to vendors, abuse of data formats, hostility to user preference and other abuse.

      The real sting is that Microsoft continues to enjoy an OS majority share. They won't for

  • by Thansal ( 999464 ) on Thursday January 04, 2007 @12:39PM (#17460734)
    you know the drill.

    My bet is that the number that COUNTS is probably larger (also larger for FF), the number of days where there was a vulnerability that was known by malicious groups, just not publicly posted.
    • My bet is that the number that COUNTS is probably larger (also larger for FF), the number of days where there was a vulnerability that was known by malicious groups, just not publicly posted.

      True, but this only makes Firefox look better. For the most part, vulnerabilities in open source are generally publicly disclosed in forums and the like. The details of the exploit usually remain secret. Who knows how many IE security bugs MS is not disclosing or acknowledging.

      • by Thansal ( 999464 )
        Hey I got modded troll, nifty!

        What I was actualy reffering to would be the knowledge in the hands of those that want to use it for evil (or atleast naughty) purposes.

        Ok, so MS takes for ever to patch, we know this.

        FF patches relatively quickly, we know this again.

        But how long were vulnerabilities actualy LIVE (as in some one was tryign to exploit them) in the wild? That is much more interestign to me, everythign else is just sorta old hat.
        • For IE? (Score:1, Interesting)

          by Anonymous Coward
          > But how long were vulnerabilities actually LIVE (as in some one was trying to exploit them) in the wild? That is much more interesting to me, everything else is just sorta old hat.

          Most likely 365 days out of the year.

          This was based on published exploit data only, not private exploits. The people that use those like to keep them quiet so that they remain useful for a longer period of time.
        • Re: (Score:3, Insightful)

          by T-Ranger ( 10520 )
          They live in the wild for as long as the product has been shipping, of course. Unfortunately, thats not a useful number. Products ship with bugs, known and unknown to their developers. A "secure" product may eventually become "insecure" because new techniques were developed. (Yes, differing companies/groups have different methodologies/standards/reputations for producing and shipping secure products, but thats a separate discussion all together)

          A theoretically useful number would be the number of days from
      • Who knows how many IE security bugs MS is not disclosing or acknowledging.

        According to anecdotes from former MS employees, about 50-60% of all bugs with security implications are prioritized such that they are never announced publicly or fixed (across the company, not IE specific). Since they don't announce most of the ones they fix internally either, I'm guessing they have a ratio similar to most companies where you have about 1 publicly discovered bug for every 20 found internally. I'm guessing that me

    • by misleb ( 129952 )
      Indeed, it is pretty safe to assume that malicious groups either know about exploits BEFORE they are publicly posted or they know about exploits that the vendor doesn't. I mean, there is no reason to believe that only the "good guys" are discovering flaws. If I were a Black Hat, I wouldn't publicly release the exploits I knew about. I would try to keep them underground as long as possible so as to maximize their useful life.

      -matthew
  • by macadamia_harold ( 947445 ) on Thursday January 04, 2007 @12:42PM (#17460792) Homepage
    IE6 Was Unsafe 284 Days In 2006

    Of course the flip side of this story is that IE6 was safe for 81 days in 2006.

    Obviously, the solution is to shorten the year to 81 days.
    • Maybe they meant 284 business days?
    • IE6 Was Unsafe 284 Days In 2006

      Of course the flip side of this story is that IE6 was safe for 81 days in 2006.

      Obviously, the solution is to shorten the year to 81 days.
      Or only use IE during those 81 days. Use Firefox the rest of the time. Or all of the time - whichever makes you happy.
    • by peeg ( 1046652 )
      Hey now, that's almost 3 months of safety. That's like a record for IE.
    • There's a flip side: Yes, IE would be secure for a year, but be insecure for over two consecutive years. I doubt the marketing group would approve such a strategy.
  • by Toreo asesino ( 951231 ) on Thursday January 04, 2007 @12:42PM (#17460802) Journal
    1. IE != OpenSource - many eyes are better than few for finding & fixing defects.

    2. Desktop integration - across Windows 98, ME, 2000, XP and to a lesser extent Vista.

    3. Application integration - there are tonnes of apps writen either embedded in IE, or using IE as a view-port to data, screens, etc.

    All of the above (and more) make IE6 a bitch to keep updated quickly and easily. Breaking not just a browser, but OS shell, and tied-apps with a dodgy patch isn't an option for Microsoft and they know it (despite the odd rogue update that slips through the net).
    • by HappySqurriel ( 1010623 ) on Thursday January 04, 2007 @01:04PM (#17461282)
      In my opinion, one of the biggest problems Microsoft faces is that web-page structure and syntax is not handled the same way a C++ program's structure and sytax are (as an example); you can make hundreds of syntax and structural mistakes in HTML, CSS and Javascript and IE will still attempt to display your page. I could be wrong, but I heard a couple of years ago that the majority of code in web browsers was not dealing with displaying correct HTML but was dealing with correcting mistakes to display a page. If IE could simply not display incorrect HTML and CSS the code base should be far smaller, which in turn should make it easier to maintain and probably more secure.
      • by Kelson ( 129150 ) * on Thursday January 04, 2007 @01:32PM (#17461756) Homepage Journal
        If IE could simply not display incorrect HTML and CSS the code base should be far smaller, which in turn should make it easier to maintain and probably more secure.

        True. Unfortunately, we've got a decade and a half worth of web pages that were built sloppily. Not all of them, but enough to be an issue, especially since many of them are effectively abandoned and don't have anyone to fix the errors. If it had been designed that way from the beginning, it would be feasible, but there's all that legacy data to deal with. Any HTML browser designed to run on the web, and not just on, say a local set of help pages, has to do something with those pages. Dave Hyatt (of Safari fame) made some interesting comments [mozillazine.org] on the issue when discussing XML error handling in browsers -- basically, learning from the consequences of that decision to tolerate HTML errors without specifying how to recover from them.

        Things are a bit better with CSS, as there are explicit rules for how to handle broken code (basically, ignore it and skip to the next line). The bigger problem there is handling code that was written to older, broken implementations -- the IE5 box model, for instance -- and trying to determine whether a page was built for the spec or for the broken implementation. This gets into quirks mode, and doctype sniffing, and things get kind of hairy.

        (Then there's the fact that HTML and CSS are both designed with extensibility in mind... any unfamiliar tags or attributes in HTML are supposed to be ignored, so an HTML 3.2 browser can still do something useful with an HTML 4.0 page. But that's a slightly different issue.)

      • Yes, but then 99.9% of the pages on the internet would not display at all. That sure is one way to get everyone to switch to firefox, have IE stop displaying all the pages. People have become used to being able to put up any old slop and having the browser struggle through displaying it. You can't just expect people to go and recode all their webpages so that they don't have invalid HTML in there. The other thing is that most of the bugs are due to Javascript or ActiveX, and have nothing to do with non-
        • Re: (Score:2, Interesting)

          by dennypayne ( 908203 )

          You can't just expect people to go and recode all their webpages so that they don't have invalid HTML in there.
          Why not? Why do we always reward mediocrity? Denny
          • by mstone ( 8523 )
            Are you volunteering?

            Why does "somebody should do something about this" always seem to mean "somebody not me"?
            • Sure, I'd volunteer to recode my webpage if it didn't display in a browser due to mediocre code. In fact I'd say my code probably is pretty sloppy, but I'm able to get away with it because the browser will still display the page. Why do I have to volunteer to do everyone else's?

              You missed my point though. The OP basically said "you can't expect people to code correctly" and my response is an observation that our society in general seems to be trending to allow that mentality of pandering to the lowest co
    • I think you're missing the main cause. Sure open source apps get more people reviewing them, but there are plenty of fairly secure closed source apps. The real problem is motivation. Microsoft has a monopoly on the desktop. Pretty much everyone buys Windows. When they buy Windows, some of that money pays IE developers. If a user decides to use Windows+Firefox, Microsoft does not lose any money. What is their motivation to make IE secure?

      So long as MS is allowed to bundle products with and tie them to their

      • how would people download firefox from the internet without IE with Windows? Firefox is good. people know about it and are downloading it. I don't think we have to tell Microsoft what to do in order to give firefox a chance.
        • how would people download firefox from the internet without IE with Windows?

          They would use whatever browser was included by the OEM that sold them their computer, which may very well already be Firefox. The law forbids MS to bundle or tie Windows to IE, not other companies from selling Windows+some browser+some hardware.

          Firefox is good. people know about it and are downloading it.

          Firefox has been better for 5 years, easily, and still it has under 25% of the market. People aren't downloading it. More

          • Firefox is making great progress. It's the browser of choice among the most web savvy, the blogosphere. And they are 90% Windows users. But Firefox's accepted superiority is just too recent to worry about its acceptance. Firefox 1.0 came out Nov 2004. Only a few years old.
            IE achieved domination vs Netscape which was showing its age. Even most netscape loyalists agreed that netscape couldn't compete on technical merit. Mozilla Suite was too bloated, especially for those who used another email app.
        • by m50d ( 797211 )
          how would people download firefox from the internet without IE with Windows?

          With ftp.exe.

          It's possible. I've done it when fixing really horribly spyware-infested systems.

  • by hellfire ( 86129 ) <deviladv AT gmail DOT com> on Thursday January 04, 2007 @12:44PM (#17460848) Homepage
    My truck was unsafe 365 days. I could have been in an accident on any one of those days!
    • Loose nut behind the wheel?
    • My truck was unsafe 365 days. I could have been in an accident on any one of those days!

      True, but most people don't. Your truck has a better than four minute half life on any road and far fewer than 90% of all trucks are actually owned by malware that takes them for spins and bank robberies while you are not looking.

      Microsoft my not kill as many people as trucks do, but that's not a mater of reliability. The power required to use a computer is not as high as motor vehicles, yet.

  • by reh187 ( 182368 ) on Thursday January 04, 2007 @12:45PM (#17460872)
    Nothing like a quick Software Restriction Policy to "disallow" the use of IE :-)

    I also have to admit, that since FireFox 2.0, I can trictly tell my browser which to sites to masquerade as IE.

    Quite handy if I do say so myself...
    • Opera's had this feature for quite awhile, with a combobox even! Select the site from the list or browse to it, Open the page properties, and set it to Opera/IE/FF and be done with it.
      • And with a certain userscript [scss.com.au] you can even mimic some of the internals of the other browsers.

        However, I'm finding that fewer sites seem to require me to do this. Things are improving on the W.W.W. for browsers. (Not just Opera, but it's nice that it's included as well.)

    • I also have to admit, that since FireFox 2.0, I can trictly tell my browser which to sites to masquerade as IE.

      Quite handy if I do say so myself...

      i have to agree. some websites just dont function properly using firefox. a few people just dont bother testing the websites for multiple browsers.

      • If they don't funciton properly using Firefox, how is changing what useragent Firefox claims to be going to have an effect?

        If the sites actually do function just fine in Firefox but refuse to do so unless you trick them, you should probably notify the site's administrators or stop using the damn site.
  • by __aaclcg7560 ( 824291 ) on Thursday January 04, 2007 @12:47PM (#17460902)
    If IE6 was unsafe for nine months out of the year, what did it give birth to? Inquiring minds want to know...
  • Moo (Score:1, Funny)

    by Chacham ( 981 )
    For a total 284 days in 2006 (or more than nine months out of the year)

    Yep, it took them nine months to get that baby.

  • Were there only 284 days in 2006? http://developers.slashdot.org/article.pl?sid=06/1 2/21/1836240/ [slashdot.org]
  • Out of how many? Uh?
  • by greymond ( 539980 ) on Thursday January 04, 2007 @01:43PM (#17461960) Homepage Journal
    At MS it is our commitment to better our security on all our applications. In 2006 we spent over 284 days researching and developing a series of bug fixes for our IE product line. This gave us over 98 days where IE was impenetrable to attackers and didn't require the need for any patches. Mozilla would like to claim that there product is safer than ours, yet they admit themselves that they had a period of 9 days where their browser was highly vulnerable to hackers and exploits. IE offers a web experience unsurpassed by any other browsers, compatible with every major website online today. If you choose to use an alternative browser it will still have flaws, but MS Windows allows you to choose, and having choices is what MS is all about. Would you really not want to have a choice in web browsers? Would you really want to only have Firefox and that be the end all be all to browsers? People need to have a choice, that's part of why this great country of America was founded.
  • by eno2001 ( 527078 ) on Thursday January 04, 2007 @01:52PM (#17462136) Homepage Journal
    I use IE for everything and I've never once been hacked by these supposed security holes. I do all kinds of stuff like online banking, eTrade, eBay, online shopping, the works! And it's totally secure because it's all encrypted. Sure, I've had something like $24,000 worth of charges applied to my credit cards that weren't mine, but that wasn't because of IE. That was because I made the mistake of dealing with a few companies that use Linux or some Unix variant (heh, sounds like a disease we're talking about here instead of an OS) for their web portals and they probably got rooted. Open source software is just not safe. The hackers are all over it since it's all out in the open. Once they get a chance to look at how it works, they can easily make it do their bidding. At least Microsoft has the sense to keep stuff private. NO hackers in the entire world could figure any of that stuff out because there just isn't any single person as smart as Bill Gates and his crack team of developers. I wouldn't touch Firefox with a ten foot pole since it's open source. Although they only report the bugs they think they've found, there are probably billions more than MS has in IE because the hackers have a roadmap with open source. It says, "Here's the keys to the kingdom. Come hack me". I Trust MS products because MS is all about making great, innovative software that is secure and robust and stable.

    NOTE: The above post is merely a parody of the Windows user who's "got religion". A reasonable Windows user knows better. A reasonable *nix user knows better. Let the games begin...
    • Re: (Score:3, Informative)

      The idea is you post it without the disclaimer and laugh at all the flames ;-)
      • Re: (Score:3, Insightful)

        by Abcd1234 ( 188840 )
        You mean troll?
      • Ah but you forget: karma is *not* like golf - getting marked troll and flamebait (as it turns out) is *not* the objective. Boy was I doing this wrong.

        Of course, there is still "that guy" who always seems to find my posts first and give them "-1 overrated" before I get any positive mods... I have yet to find him and tell him about this recent revelation.

        (And now of course comes the inevitable internal debate - post anonymously and (possibly) save karma or stop being a coward actually make use of positive ka
  • Hmm... all hail the Washington Post for very neutral reporting on this one. Although I am BY NO MEANS a defender of Microsoft I feel we have to put this in perspective. How much market share does Microsoft hold vz Mozilla? I would imagine that the people trying to find security exploits are for the most part looking at Internet Explorer... not only does it still hugely command market share, but it's also the choice for less savvy users. A little like a virus comparison between say Macs and PCs... its all a
    • "Statistics are like a ventriloquists dummy. If you stick your hand up it you can make them say whatever you want but the results are only suitable for children and journalists." -- BBC Radio 4, The Department
    • Market share is not an issue here. It's M$ not patching known exploits quickly enough, which Mozilla does do quickly.
      • Hmm... seem to be missing the point. If you look at individual issues and measure response time, I think you would find that about one week is an average response time per vulnerability for Microsoft. Mozilla's response time? 9 days... so about the same.
        • Okay okay... a little quick off the mark maybe. Taking a look, I can see that on average Microsoft took 41.2 days per vulnerability (26 per critical vulnerability). The IE team did have to patch 12 vulnerabilities last year though, to Mozilla's one. My point still stands though, the bigger you are, the more of a target you become. Granted, Microsoft's response time IS unacceptable...
      • ... Okay okay... a little quick off the mark maybe. Taking a look, I can see that on average Microsoft took 41.2 days per vulnerability (26 per critical vulnerability). The IE team did have to patch 12 vulnerabilities last year though, to Mozilla's one. My point still stands though, the bigger you are, the more of a target you become. Granted, Microsoft's response time IS unacceptable......
        • This article is about vulnerabilities with known exploits. If you look at the vulnerabilities that Mozilla had to fix as a whole, you'll find many more than just one.
          • Actually the Washington Post article is based on raw data entitled 'Internet Explorer Vulnerabilities in 2006' and contains both known vulnerabilities and exploited vulnerabilities.
  • That TFA can only document "safe" status regarding known vulnerabilities for IE or real browsers.

    Someone needs to report that IE (6 and 7) has had craptastic standards support for 2195 days of this century (as of 4 Jan 2007).

  • I made thousands of dollars -- more than half my company's gross revenue -- cleaning up spyware in 2006. A lot of it, probably 30% or 40%, was on fully patched machines with current anti-virus software. Almost every time I read about exploit code becoming available for a zero-day vulnerability, my phone starts to ring.
    I have one customer who gets hit three or four times a year. Each time, I get $75 to $150 for booting his system to Windows PE and cleaning off the pests. He's running McAfee Enterprise 8.0i (
  • I thought it was in the 360 range.
  • by Master of Transhuman ( 597628 ) on Thursday January 04, 2007 @04:08PM (#17464690) Homepage
    it's unsafe.

    Which means it was unsafe for the last 365 days of last year.

    I just did another five hour spyware cleaning last night (which still isn't complete). A fifteen-year-old kid managed to bring a Dell PC to its knees over just a few days of browsing the wrong sites.

    The kid was visiting the client. The kid has an Apple at home - so he didn't know what he was doing was death to Windows...:-)

  • The real surprise was that there actually days when the browser was safe. I would like to see what the stats on IE7 will be at the end of 2007 http://www.cybertopcops.com/ [cybertopcops.com]
  • The author must have forgotten that 2006 was 365 days long, not 284.
  • Mozilla's Firefox browser -- experienced a single period lasting just nine days last year in which exploit code for a serious security hole was posted online before Mozilla shipped a patch to remedy the problem."

    It's worth noting that I'm betting that nine days was only how long it took for Mozilla to ship the "official" patch to "official" places...I'll bet a number of distros had downstream patches available (at least for submission) within 24 hours.

    For anyone doubting ESR's written claim about FOSS's su
  • Guess what folks! Connecting your computer to the internet was unsafe 365 days last year!
  • Thank god it wasn't a leap year!

"jackpot: you may have an unneccessary change record" -- message from "diff"

Working...