Security

Internet Explorer Vulnerabilities Increase 100%

Posted by samzenpus
from the protect-ya-neck dept.
An anonymous reader writes Bromium Labs analyzed public vulnerabilities and exploits from the first six months of 2014. The research determined that Internet Explorer vulnerabilities have increased more than 100 percent since 2013, surpassing Java and Flash vulnerabilities. Web browsers have always been a favorite avenue of attack, but we are now seeing that hackers are not only getting better at attacking Internet Explorer, they are doing it more frequently.
  • Eh? (Score:5, Informative)

    by Sockatume (732728) on Thursday July 24, 2014 @07:27AM (#47521689)

    I can't see where the 100% figure comes from. The report says that IE attacks hit a record high in exploited zero-days in the first half of 2013, but they're now much lower.

    • Re:Eh? (Score:5, Insightful)

      by SQLGuru (980662) on Thursday July 24, 2014 @07:38AM (#47521747) Journal

      Yeah, even reading the PDF (http://www.bromium.com/sites/default/files/bromium-h1-2014-threat_report.pdf/ [bromium.com]) didn't show any sort of "AAAAAHHHHH!!!! The world is ending!" type of numbers. They show IE decreasing the patch time since 2007. There are charts showing that Zero days are decreasing. The Appendix shows 3 more entries in the National Vulnerability Database. Reporting statistics in percentages without referring to what the percentage is based on is just clickbait.

      All software has holes. Larger user base makes for a bigger target. Blah blah blah. These stories aren't going to change what people use because the common person isn't reading them.

      • What are you finding unclear about this graphic?

        http://www.net-security.org/im... [net-security.org]

    • Looks like Windows XP era browsers and now unsupported browser versions. So it's no surprise since Microsoft took their hands off of the products that all these exploits come out of the woodwork.

  • No actual numbers (Score:5, Insightful)

    by CastrTroy (595695) on Thursday July 24, 2014 @07:29AM (#47521699) Homepage
    Even after looking at the full report, I see no actual numbers for how many vulnerabilities there were. Going from 1 vulnerability to 2 vulnerabilities would have been a 100% increase, without a huge reason for concern. They also state:

    a trend underscored by a progressively shorter time to first patch for its past two releases

    Is time to first patch really a bad thing? It really means that vulnerabilities were found, and that they were fixed quickly. As opposed to vulnerabilities found and not fixed quickly. I suppose it's worse than "no vulnerabilities found" but even if none are found, it doesn't mean they don't exist. Fixing things quickly is about the best thing you can do. It also goes on to say in the report

    Both IE exploits released in 2014 (CVE-2014-1776, CVE-2014-0322) used Flash to build the ROP chain and launch shellcode

    Which really leads me to believe that the numbers really did go from 1 to 2, and that the exploits were more due to flash than they were to specific functionality in IE. MS was able to work around the bug by stopping it at the first step, but looks like the exploit isn't possible without Flash.

    • by Ol Olsoc (1175323) on Thursday July 24, 2014 @07:39AM (#47521751)

      Even after looking at the full report, I see no actual numbers for how many vulnerabilities there were. Going from 1 vulnerability to 2 vulnerabilities would have been a 100% increase

      and

      Is time to first patch really a bad thing? It really means that vulnerabilities were found, and that they were fixed quickly. As opposed to vulnerabilities found and not fixed quickly. I suppose it's worse than "no vulnerabilities found" but even if none are found, it doesn't mean they don't exist. Fixing things quickly is about the best thing you can do.

      You have convinced me sir. I'm switching to Internet Explorer, the safest most secure browser ever made, with possibly only 1 vulnerability. Have you considered running damage control for disgraced politicians?

      • Have you considered reading the article before criticizing someone else's analysis of it?

        Apparently not.

        • by Ol Olsoc (1175323)

          Have you considered reading the article before criticizing someone else's analysis of it?

          Apparently not.

          Have you considered WHOOSH?

          But since you didn't quite get it.....

          Do you think that IE going from 1 Vulnerability to 2 vulnerabilities is somehow, in some way, anywhere even close to the dog's breakfast that IE is? Seriously?

          Have you considered that using a quick patch as indication of the security is ever to be considered a good thing, an excellent example of just how darn secure a browser is? If they made a patch every 15 seconds from here to eternity, it would be proof of the best darn browser, mo

          • IE had fewer vulnerabilities last year than Chrome, or Firefox. This year it has more. That's not a slam dunk, or an indication that IE is a dog's breakfast.

            IE has been substantially rewritten since the IE6 days, and is a sort-of-decent browser these days. These days it's Firefox that's the dog's breakfast; the only saving grace it has is its low userbase and its strong extension support that can plug some of the glaring holes (like its crappy 1-process architecture, its lack of sandboxing for anything, etc).

    • Re:No actual numbers (Score:4, Informative)

      by BasilBrush (643681) on Thursday July 24, 2014 @09:01AM (#47522199)

      Looking at the graphic the raw number looks like about 130 for all of 2013, and slightly more for the first half of 2014.

    • Even after looking at the full report, I see no actual numbers for how many vulnerabilities there were.

      How this was modded insightful I'll never know.
      Someone must be exploiting a vulnerability in your pdf viewer/browser that is causing it to not work properly (IE maybe), because mine clearly shows them in the appendix at the bottom.
      Internet explorer:
      2013 130 vulnerabilities
      H1-2014 133 vulnerabilities

  • New Microsoft CEO (Score:5, Interesting)

    by ArcadeMan (2766669) on Thursday July 24, 2014 @07:31AM (#47521705)

    Does anyone think there's any chance that the next IE version will simply switch to Blink or WebKit, with a fallback to Trident if the X-UA-Compatible meta is present?

    If that happens, Firefox will be the odd one out as far as rendering is concerned.

    • Re:New Microsoft CEO (Score:4, Interesting)

      by gstoddart (321705) on Thursday July 24, 2014 @07:47AM (#47521803) Homepage

      Does anyone think there's any chance that the next IE version will simply switch to Blink or WebKit

      Microsoft switch IE to use components written by someone else?

      I place the likelihood of that as pretty small.

      Microsoft have always had a huge case of "Not Invented Here", and I don't see that changing.

      • In the past Microsoft may have had an NIH approach, but over the past few years they have significantly changed from that in the developer area - switching from the Microsoft Ajax tools to jQuery, using Json.Net etc etc etc.

        • by ArhcAngel (247594)

          In the past Microsoft may have had an NIH approach, but over the past few years they have significantly changed from that in the developer area - switching from the Microsoft Ajax tools to jQuery, using Json.Net etc etc etc.

          I'm not sure either the OP or this one understand what NIH means. It's part of the EEE [wikipedia.org] philosophy. Look for a hot new technology in the consumer space. Identify the leaders in that space. Purchase one of the leaders and modify the technology so that it is no longer 100% compatible with anybody else's version of the tech. Market the hell out of your version and destroy the competition. Internet Explorer [wikipedia.org] was licensed from Spyglass [wikipedia.org] and all versions of IE up to 6 were based on that code. In this case Microsoft w

      • by operagost (62405)
        Well, IE was originally created using Spyglass' code...
      • by l0ungeb0y (442022)

        Microsoft have always had a huge case of "Not Invented Here", and I don't see that changing.

        I believe you mean, "Not copied, ripped off, or acquired and gutted here"

      • Microsoft switch IE to use components written by someone else?

        I place the likelihood of that as pretty small.

        Microsoft have always had a huge case of "Not Invented Here", and I don't see that changing.

        Considering that IE is based on Mosaic, SQLServer is based on Sybase, etc. etc., I don't think Microsoft has ever really "invented anything here."

    • Re:New Microsoft CEO (Score:4, Informative)

      by jones_supa (887896) on Thursday July 24, 2014 @07:49AM (#47521809)
      Why? Trident is a very fast and standards-compliant engine.
    • That would be a terrible thing; strong independent competition is a good thing; the browser scape would be far worse for it.
  • Odd Conclusion (Score:5, Insightful)

    by bveldkamp (1838948) on Thursday July 24, 2014 @07:31AM (#47521707)
    That's an odd conclusion to draw from the report. What it actually says is:

    1. Number of vulnerabilities in IE remains constant from 2013 to 2014, other applications see a decrease
    2. Number of public exploits in IE decreases from 11 to 3 in that same period
    3. Number of days to patch in IE decreases from ~80 to ~5 between IE7 and IE 11
    • Re:Odd Conclusion (Score:5, Informative)

      by BasilBrush (643681) on Thursday July 24, 2014 @09:06AM (#47522245)

      We seem to be having a lot of astroturf from MS today.

      IE Exploits.
      2013 = 130
      H1-2014 = 133.

      Bearing in mind the year vs half-year, that's a 104% increase. So no it's not an odd conclusion at all.

      • Re: (Score:2, Insightful)

        by Sockatume (732728)

        If by "astroturf" you mean "readers genuinely confused by a tersely written article and report", then yes. Why are Slashdotters so quick to conclude that Slashdotters are all corporate shills? You would think that Slashdotters of all people would know that Slashdotters aren't.

        • Don't blame it on the writing. There was a chart, and a table at the end, both perfectly clear. And terseness means they were both very easy to find. I expect slashdotters to be able to read a simple bar chart - to read the labels as well as the length of the bars. If they can't, GTFO.

    • Pfft, as if any Windoze users have IE11 installed. Poppycock! Your figure of "80 days to 5" between "dinosaur" and "current" versions of Internet Explorer are of no relevance. You're clearly in the pay of Micro$haft.

  • by Anonymous Coward

    Reporting on a 'percentage increase' in vulnerabilities really doesn't give you an idea of how large of a problem there really is. I didn't read TFA after seeing the garbage headline, but it's probably not worth my time. If there were no vulnerabilities and suddenly there was one, that's an increase of an infinite percent!!! Also, does this mean the number of vulnerabilities increase, or just the ones that people were aware of? Another worthless Microsoft bashing article, nothing to see here. Head on o

  • A rule of thumb.. (Score:4, Interesting)

    by js3 (319268) on Thursday July 24, 2014 @07:48AM (#47521807)

    if someone gives you a percentage they are trying to make it better or worse than it actually is.

  • by WD (96061) on Thursday July 24, 2014 @08:06AM (#47521903)

    Just because you don't know about vulnerabilities, that doesn't mean that they're not there. The vulnerabilities are present in the code before they are discovered.

    Having said that, drawing conclusions from vulnerability counts is usually an exercise in futility. There are many factors that affect how many vulnerabilities are discovered and disclosed. Including availability of vulnerability-finding tools, discovery of novel attack techniques, or simply critical mass of interest in the security field.

  • by JD-1027 (726234) on Thursday July 24, 2014 @08:30AM (#47522033)
    I'm betting it had more than one vulnerability...

    http://xkcd.com/1102/ [xkcd.com]
  • by BCW2 (168187) on Thursday July 24, 2014 @09:04AM (#47522227) Journal
    History shows that more than 80% of Windows vulnerabilities are IE based. Only the gullible and foolish would use such an unsecure and worthless piece of crapware. IE has never been good. M$ couldn't even give it away when Netscape cost money. Nobody would use it when it was free. M$ had to incorporate it into the OS before they got any real market share.
  • Another 'news' article that contains almost nothing.

    Still, at least it's not another news article by someone pretending that a reseller of hardware would have no interest in pushing old tin.

  • 1. Write software to sandbox $APPLICATION [bromium.com]
    2. Release report exaggerating "increase in vulnerabilities" in $APPLICATION
    3. Profit!
  • I use I.E. for one reason these days. Every company I end up working for has some internal business application that only gets tested and supported on I.E. and this is particularly the case after I lock down Firefox for actual web browsing. These kinds of internal business applications often fail with even minimal security restrictions.

    I hold out little hope that apps designed to be run in controlled environments will ever work with a decently locked down browser. The issue is that the most vulnerable busine

  • US-CERT used to post a report some time ago advising to switch to another browser; after a few hours they changed the statement.

    http://martin.iturbide.com/2014/04/do-you-trust-us-cert.html
  • (!) This article appears to be written like an advertisement. Please help improve it by rewriting promotional content from a neutral point of view and removing any inappropriate external links.

    Bromium [wikipedia.org]

  • by benjymouse (756774) on Thursday July 24, 2014 @05:40PM (#47526327)

    Microsoft patches to IE include patches to vulns in Flash - which is embedded in IE. The increase in vulnerabilities is the result of the horrible Flash code.

  • Does this mean that IE has acquired a second user? And do they use it simultaneously?
